Cybersecurity firm VulnCheck’s latest research reveals that cybercriminals are now targeting old models of ASUS routers by exploiting a software vulnerability from 2018, tracked as CVE-2018-5999. This is a critical unauthenticated configuration update vulnerability with a CVSS score of 9.8/10 that lets hackers change the settings of the router without needing a password.
The attacks were discovered by the firm’s specialised system called VulnCheck Canary Network. Further probing revealed that a botnet (a network of infected devices running the malware payload) named RondoDox is behind these attacks, and its operators started exploiting the vulnerability on May 17. Following these findings, the vulnerability has been added to the company’s Known Exploited Vulnerabilities catalogue.
As per the research findings, shared with Hackread.com, the attack pattern relies on a specific mechanism where the attackers send data payloads to set the ateCommand_flag setting to 1. This change prompts the router’s internal system interface, called infosvr, to open up and accept unauthorised configuration changes from the outside.
VulnCheck’s Initial Access team tested this method and successfully used the vulnerability to change the admin password of a router. What’s more troubling is that even though code to abuse this vulnerability has been public since 2018, hackers had not used it in the real world until now.
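For defenders who capture traffic reaching a router's management interface, the following added example (not VulnCheck's detection logic, and not from the original report) flags requests that try to set ateCommand_flag to 1. It assumes the setting arrives as a form-encoded or multipart field; the endpoint path, field layout and source addresses in the sample data are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

FLAG = "ateCommand_flag"  # setting name from the article; the rest is assumed

# multipart/form-data part: name="ateCommand_flag", optional headers, blank line, value
_MULTIPART = re.compile(
    r'name="?' + FLAG + r'"?[^\r\n]*\r?\n(?:[^\r\n]+\r?\n)*\r?\n[ \t]*([^\r\n]*)',
    re.I)
# key=value form, as found in urlencoded bodies and query strings
_KEYVAL = re.compile(r'(?:^|[&?;\s])' + FLAG + r'\s*=\s*([^&;\s]*)', re.I)


def sets_ate_flag(raw: bytes) -> bool:
    """True if the raw HTTP request assigns the value 1 to ateCommand_flag."""
    text = raw.decode("latin-1")
    # Check the request as sent and again after percent-decoding, so an
    # encoded key or value (ateCommand%5Fflag=%31) is not missed.
    for candidate in (text, unquote_plus(text)):
        for pattern in (_MULTIPART, _KEYVAL):
            for match in pattern.finditer(candidate):
                if match.group(1).strip() == "1":
                    return True
    return False


def flag_requests(requests):
    """Return source addresses of captured requests that set the flag to 1."""
    return [src for src, raw in requests if sets_ate_flag(raw)]


# Constructed sample captures: (source address, raw request bytes).
_HDR = b"POST /constructed-endpoint HTTP/1.1\r\n"
SAMPLES = [
    ("192.0.2.10", _HDR + b"Content-Type: application/x-www-form-urlencoded"
                          b"\r\n\r\nfoo=bar&ateCommand_flag=1"),
    ("192.0.2.11", _HDR + b"Content-Type: multipart/form-data; boundary=X\r\n\r\n"
                          b'--X\r\nContent-Disposition: form-data; '
                          b'name="ateCommand_flag"\r\n\r\n1\r\n--X--\r\n'),
    ("192.0.2.12", _HDR + b"\r\nateCommand%5Fflag=%31"),
    ("198.51.100.5", _HDR + b"\r\nateCommand_flag=0&other=1"),
    ("198.51.100.6", b"GET /index.html HTTP/1.1\r\nHost: router\r\n\r\n"),
]

if __name__ == "__main__":
    for src in flag_requests(SAMPLES):
        print(f"ALERT: {src} attempted to set {FLAG}=1")
```

A match is a signal to review the router's configuration and admin credentials, not proof that the change succeeded.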
Jacob Baines, the Chief Technology Officer at VulnCheck, explained the situation in a LinkedIn post, noting that “RondoDox is well known for implementing a ton of exploits. Some analyses have tracked its CVE associations well into the 170s, so it’s not surprising or new that they’re using older ones too.”
The problem is huge because these devices are everywhere. ASUS routers are made in Taiwan and China and are very popular in homes. Baines added: “There are a ton of ASUS routers online, more than 1 million, so it’s very conceivable that this is working for RondoDox.”
RondoDox operators have been active since mid-2025 and mostly attack systems running Linux software, much like the Mirai botnet. However, RondoDox is focused on a specific goal: launching Denial of Service attacks. These attacks flood a website or system with too much internet traffic until it crashes.
According to VulnCheck’s State of Exploitation 2026 report findings on edge device vulnerabilities, cybercriminals look for old tech that companies don’t support with software updates anymore, technically called end-of-life devices.
VulnCheck found that 56 percent of attacked internet edge devices in 2025 were consumer routers. Also, 65 percent of vulnerabilities used by botnets were on unsupported tech. This makes it easy for scammers to take over home internet routers.
This warning follows recent coverage by Hackread.com on another RondoDox campaign reported by CloudSEK, where the botnet targeted smart cameras and websites by exploiting a critical Next.js vulnerability called React2Shell (CVE-2025-55182) to hijack servers without a password.
