Cybersecurity researchers have uncovered a nine-month campaign where the RondoDox botnet exploited the critical React2Shell vulnerability (CVE-2025-55182) to hijack IoT devices and web servers, deploying malware, cryptocurrency miners, and Mirai variants, with the threat still active as of December 2025. Organizations are urged to update vulnerable software, segment IoT devices, and enhance monitoring to prevent infection.
Sophos X-Ops is tracking a wave of vulnerability exploitation targeting unpatched ConnectWise ScreenConnect installations, with attackers deploying malware to servers and workstations. ConnectWise has released a security advisory highlighting two critical vulnerabilities, urging immediate patching to version 23.9.8. Cloud-hosted implementations have received updates, but self-hosted instances remain at risk until manually upgraded. Sophos observed active exploitation in the wild, including attacks involving LockBit ransomware and other malware. Recommendations include confirming deployment type, scanning for unpatched instances, and implementing security measures. Sophos also provides detection and protection rules, as well as incident response guidance for organizations to mitigate risks and investigate potential incidents.
