Recent research from cybersecurity firm VulnCheck has revealed that cybercriminals are increasingly targeting outdated models of ASUS routers by exploiting a software vulnerability identified back in 2018 and tracked as CVE-2018-5999. The flaw is a critical unauthenticated configuration update vulnerability with a CVSS score of 9.8 out of 10, and it lets attackers modify router settings without a password.
The vulnerabilities were flagged by VulnCheck’s Canary Network. Investigations linked these exploits to the RondoDox botnet, a network of compromised devices that execute malicious payloads. The RondoDox operators began exploiting this vulnerability on May 17, prompting VulnCheck to add it to its Known Exploited Vulnerabilities catalog.
According to findings shared with Hackread.com, the RondoDox attack pattern involves sending specific data payloads to alter a router setting known as ateCommand_flag, which allows the router’s internal interface, referred to as infosvr, to accept unauthorized configuration changes from external sources.
VulnCheck’s Initial Access team successfully tested this technique and was able to change the administrative password of a router. Alarmingly, although exploit code has been publicly available since 2018, this vulnerability had gone unexploited until now.
Jacob Baines, VulnCheck’s Chief Technology Officer, elaborated on the situation in a LinkedIn post, remarking, “RondoDox is recognized for utilizing a multitude of exploits, with analysis tracing its CVE associations into the 170s. Therefore, it is neither surprising nor novel that they are also leveraging older vulnerabilities.”
The scale of this issue is significant, given the widespread presence of ASUS routers. Manufactured in Taiwan and China, these routers are commonly found in residential settings. Baines noted, “With over one million ASUS routers online, it is highly plausible that RondoDox is successfully exploiting this vulnerability.”
Active since mid-2025, RondoDox primarily targets systems running Linux, drawing comparisons to the Mirai botnet. However, RondoDox’s specific aim is to launch Denial of Service attacks, which flood a website or system with excessive internet traffic until it crashes.
VulnCheck’s State of Exploitation 2026 report highlights that cybercriminals are increasingly exploiting outdated technology that companies no longer support with software updates, known as end-of-life devices. Their research indicates that 56 percent of attacked internet edge devices in 2025 were consumer routers, with 65 percent of vulnerabilities leveraged by botnets targeting unsupported technology. This scenario facilitates a concerning trend in the hijacking of home internet routers.
These warnings come in light of recent reports by Hackread.com concerning another RondoDox campaign identified by CloudSEK, wherein the botnet exploited a critical Next.js vulnerability named React2Shell (CVE-2025-55182) to take control of servers without a password.