Botnet Operators Exploit Long-Standing Flaw in Asus Routers
Date: May 22, 2026
Author: Greg Sirico
The landscape of cybersecurity has recently been shaken by the revelation that operators of the RondoDox botnet have successfully exploited a critical vulnerability that has lingered for nearly a decade in Asus routers. This flaw allows unauthenticated attackers to gain remote code execution as root, posing a significant threat to the security of numerous networks.
According to cybersecurity researchers at VulnCheck, exploitation of this vulnerability, designated CVE-2018-5999, was observed in real-world attacks starting May 17, 2026. The flaw carries a critical CVSS score of 9.8, underscoring the severity of the issue. The RondoDox botnet, initially identified in mid-2025, is particularly notable for its targeting of Linux-based systems and is thought to be a variant of the highly notorious Mirai botnet. Unlike Mirai, whose capabilities extend beyond simple denial-of-service (DoS) attacks and allow it to scan and compromise other systems, RondoDox specializes solely in executing DoS attacks.
A March blog post by Bitsight outlined the distinct operations of RondoDox. The botnet employs multi-stage attack chains that focus on mass exploitation of devices, especially targeting those that have reached the end of their life cycle, including various Internet of Things (IoT) devices. The researchers report that RondoDox systematically scans for exposed devices to exploit a range of vulnerabilities, including numerous embedded Common Vulnerabilities and Exposures (CVEs), often chaining these flaws together before delivering a malware payload connected to its command-and-control infrastructure.
VulnCheck’s CTO, Jacob Baines, noted on LinkedIn that while public exploits for the Asus vulnerability have been available since 2018, this marks the first time that the vulnerability has been seen actively exploited in the wild. He remarked that the lack of previously observed exploitation could change the perception of vulnerability management, as some might have erroneously considered the risk diminished because the flaw had not yet been exploited.
The RondoDox botnet is characterized by its extensive use of various exploits; reports suggest that analyses have tracked its association with CVEs into the 170s. This indicates a broad operational capability, and Baines said that the use of older vulnerabilities is typical for this botnet. By employing a range of vulnerabilities, RondoDox ensures its effectiveness and longevity, continuously adapting to both the technological landscape and the protective measures implemented by potential targets.
Interestingly, the threat actors harnessing RondoDox appear to monitor vulnerability disclosures closely, seeking opportunities to exploit newly published vulnerabilities associated with consumer technologies before they are widely addressed. This approach to vulnerability exploitation allows RondoDox to maintain a persistent presence on compromised networks. Its operational infrastructure reportedly includes "compromised residential IPs" and leverages older vulnerabilities that can be found in many "widely deployed, largely end-of-life consumer routers."
In a statement regarding the prevalence of the Asus routers susceptible to this exploit, Baines emphasized the scale of potential impact. He estimated that there are over 1 million Asus routers actively operating online, providing fertile ground for the RondoDox botnet. The sheer number of vulnerable devices significantly amplifies the threat posed by this botnet, as it can potentially compromise countless networks before any mitigations are implemented.
This unprecedented exploitation of a long-known flaw serves as a stark reminder of the importance of maintaining up-to-date security practices and awareness of existing vulnerabilities, particularly in consumer technology. Stakeholders in both IT security and consumer technology sectors are urged to take immediate action, updating their systems and taking preventive measures to mitigate risks posed by such evolving threats. As this situation unfolds, it underscores the ongoing need for vigilance and adaptability in the fight against cybersecurity threats.

