The router currently sitting on a shelf in your home — or plugged into the wall, blinking quietly in the corner — may have been manufactured when the vulnerability now being used against it didn’t yet exist in the public record. That vulnerability has since been patched, updated, documented, and forgotten by everyone except the people who built the botnet that started exploiting it on May 17, 2026.

The botnet is called RondoDox. The flaw is CVE-2018-5999. The target is ASUS routers, specifically older models that were shipped between roughly 2014 and 2019 and that still have millions of active units across home networks worldwide. The CVSS score — the standardized severity rating — is 9.8 out of 10.

If you have an ASUS router that’s more than four or five years old and you haven’t checked its firmware recently, read this now.

The Vulnerability: Bypassing Authentication Without a Password

CVE-2018-5999 is what researchers classify as an unauthenticated configuration update vulnerability. The technical description is dense, but the practical meaning is direct: the ASUS router firmware contained a flaw in how it processed HTTP POST requests to its web management interface. Under normal operation, accessing the management interface requires a username and password. Under this flaw, certain POST requests could be processed — and acted upon — even when authentication had failed.

An attacker who can reach the router’s web management port from the internet can send specially crafted HTTP requests that change the router’s configuration without ever providing valid credentials. They don’t need your Wi-Fi password. They don’t need your admin password. They need a network path to the device and knowledge of the exploit, both of which are trivially available.

ASUS patched this vulnerability in 2018. They released firmware updates. They issued a security advisory. And tens of millions of ASUS routers received those updates automatically, or were updated by users who noticed the notification.

But some were not. Older models reached end-of-life status and stopped receiving automatic updates. Users who bought a router in 2015, found that it worked fine, and never thought about firmware again are still running that 2015 firmware today. And RondoDox found them.

Who Is RondoDox?

RondoDox is not a new operation. The threat actors behind it have been active since mid-2025, and their botnet is distinguished by its aggressive approach to multi-exploit campaigns. Security analysts tracking the group have identified more than 170 CVE associations — the botnet doesn’t target one vulnerability at a time, it runs exploit chains across dozens of known flaws simultaneously, scanning for whichever one lands.

The group focuses primarily on Linux-based systems, which covers the vast majority of home routers, IoT devices, and edge equipment. They have a documented track record of targeting end-of-life devices — hardware that manufacturers no longer support with patches, making it permanently vulnerable to any publicly known flaw.

Their goal in this campaign, as in previous ones, is DDoS capability. Infected routers join a botnet that can be directed to flood target websites or services with traffic, overwhelming them and taking them offline. This capability is rented out — there is an active market for botnet access, measured in requests per second, where clients pay to knock specific targets offline for hours or days at a time.

The May 17 campaign represents RondoDox adding ASUS CVE-2018-5999 to its active exploit arsenal. Reporting from VulnCheck and subsequent coverage from security firms including Trend Micro confirms active exploitation is underway.

Scale: More Than One Million Devices Exposed

There are more than one million ASUS routers with internet-accessible management interfaces. That’s the population that RondoDox’s automated scanning is working through.

ASUS routers are extremely popular in home networks across the United States, Europe, and Asia. Models like the RT-N66U, RT-AC66U, RT-AC68U, and their contemporaries were best-sellers during the mid-2010s. Many are still in service — they work, they provide adequate speeds for most households, and the average consumer has no reason to replace hardware that hasn’t visibly failed.

But “works fine” and “is secure” are not the same thing. A router manufactured in 2015 running firmware from 2017 may route your traffic perfectly well while simultaneously having an exposed management interface that can be compromised in seconds by an automated scanner.

The specific models affected by CVE-2018-5999 include a broad range of ASUS products from that era. ASUS’s security advisory from 2018 covered the remediation, and their current security advisory page documents which product lines have received patches. The problem is the gap between “patch available” and “patch applied.”

What Happens After Your Router Is Compromised

When RondoDox successfully exploits a router, the compromised device doesn’t visibly change. Your internet works. Your devices connect. The router continues to function normally from your perspective.

What changes is what the router is doing on behalf of its new operators.

DDoS participation. The compromised router receives instructions from RondoDox’s command-and-control infrastructure — likely decentralized to make disruption harder — to send traffic floods at designated targets. Your router’s bandwidth and processing capacity are directed at someone else’s target, on someone else’s schedule.

Persistence. RondoDox is known for installing persistent backdoors that survive firmware updates in some configurations. This means a router that appears to have been cleaned may still be infected if the removal isn’t done correctly — specifically through a full factory reset rather than just a firmware update.

Proxy routing. Compromised routers can be used to route traffic that obscures the true origin of attacks, credential-stuffing campaigns, or reconnaissance, making attribution harder for defenders and investigators.

Lateral movement. Once on the router, attackers have visibility into the devices behind it. Smart home hubs, computers, NAS drives, and other networked equipment become potential targets for further compromise.

The last point is worth sitting with. Your router is the gateway through which all traffic on your home network passes. An attacker who controls your router controls the network perimeter of your home. They can intercept traffic, inject content, redirect connections, and monitor communication patterns. That’s not a theoretical risk once the router is compromised — it’s a structural reality of what a router does.

How to Know If Your ASUS Router Is Affected

Check your model and firmware version. ASUS routers typically display the model number on the device itself and in the web management interface (usually accessible at 192.168.1.1 or router.asus.com). The ASUS security advisory for CVE-2018-5999 lists the affected models and the minimum firmware versions that contain the fix.

Check when you last updated. In the ASUS management interface, go to Administration > Firmware Upgrade. If your firmware version predates 2018, or if you haven’t updated in several years, you’re likely vulnerable.

Check if your management interface is exposed to the internet. By default, ASUS routers should not have their web management interface accessible from the WAN (the internet-facing side). This is configurable in Advanced Settings > Administration > System > Enable Web Access from WAN. If this is enabled, your router is directly accessible from the open internet — which is the attack surface RondoDox is targeting.

What To Do

Update your firmware immediately. Log into your ASUS router’s management interface, go to Administration > Firmware Upgrade, and check for available updates. If your router model is current and supported, apply the latest firmware.

If your router is end-of-life: ASUS has a published list of products no longer receiving security updates. If your model is on that list, a firmware update will not protect you because no new firmware exists. The security decision at that point is clear: the device should be replaced.

Disable remote management. Unless you specifically need to access your router’s management interface from outside your home network, disable WAN-facing web access. This removes the attack surface that RondoDox is targeting, even if your firmware remains unpatched.

Perform a factory reset if you suspect compromise. A firmware update alone may not remove a RondoDox infection if the malware has achieved persistence through methods that survive updates. A factory reset returns the device to a clean state. After resetting, apply the latest firmware before reconnecting devices or restoring settings.

Isolate IoT devices. Regardless of whether your router has been compromised, placing smart home devices — cameras, thermostats, smart speakers, doorbells — on a separate network segment from your computers and phones limits what an attacker can access if any single device is compromised. Most ASUS routers support guest networks, which provide basic segmentation.

Replace old hardware. A router that was manufactured in 2015 was designed with the threat landscape of 2015 in mind. The hardware security assumptions built into that device — the capabilities of its processor, the security of its boot chain, the robustness of its update mechanism — are all from a different era. Replacing aging network hardware isn’t paranoia. It’s maintenance.

The Larger Pattern

CVE-2018-5999 was published in 2018. It was patched in 2018. It is currently being exploited at scale in 2026 — eight years later — because millions of devices that were affected by it never received the fix.

This is the central reality of consumer IoT security: vulnerabilities persist not because they’re impossible to fix, but because the ecosystem for delivering fixes to devices in people’s homes is broken. Manufacturers patch, users don’t update, devices remain in service for years or decades past their security-relevant lifespan, and the result is a permanent reservoir of exploitable infrastructure.

RondoDox exploiting a 2018 vulnerability in 2026 isn’t exceptional. It’s predictable. Security researchers have been warning for years that the backlog of unpatched consumer IoT devices represents a compounding liability — each year of non-update is another year of potential compromise, and botnets are perfectly content to work through that backlog methodically.

The RondoDox campaign is one data point in a much longer trend. Your router is older than you think, less patched than you assume, and more exposed than you’d like. The gap between those facts and the current threat is where things like this happen.

Check your firmware. Disable remote management. And if your router predates the Trump administration’s first term, it may be time to replace it.