React2Shell Vulnerability Sparks 1.4 Million Exploit Attempts

React2Shell Vulnerability Sparks 1.4 Million Exploit Attempts

Posted on By CWS

Key Points

  • Over 1.4 million React2Shell exploitation attempts reported in a week.
  • Unauthenticated RCE vulnerability in React.js version 19.
  • Significant activity observed from two primary IP addresses.

In a concerning development for cybersecurity experts, the React2Shell vulnerability has seen a staggering 1.4 million exploitation attempts in the past week, as reported by GreyNoise. This vulnerability, found in version 19 of the popular JavaScript library React (React.js), is identified as CVE-2025-55182 and carries a CVSS score of 10, indicating its critical severity.

Exploit Details and Impact

The React2Shell flaw allows attackers to execute remote code without authentication by sending a single HTTP POST request. The vulnerability gained significant attention after a Metasploit module was released, facilitating its exploitation. Notably, applications that utilize React Server Components (RSC) may also be affected, even if they do not directly use React Server Function endpoints.

This vulnerability was publicly disclosed in early December, and within two days, both state-sponsored hackers and cybercriminal groups began targeting it. This highlights the urgency for developers and system administrators to address the flaw promptly.

Attack Origins and Methods

GreyNoise has observed over 1,000 IP addresses involved in these exploitation attempts, with two addresses standing out due to their significant activity. The IP 193.142.147[.]209 alone accounted for 488,342 attack sessions, equating to 34% of all activity, primarily focusing on deploying reverse shells to gain interactive access.

Similarly, the IP 87.121.84[.]24 was responsible for 311,484 attack sessions, which is 22% of the total malicious activity. These attacks have been linked to the deployment of XMRig cryptocurrency miners, utilizing two specific staging servers.

Ongoing Threats and Server Activity

One of the staging servers used in these attacks has a history of malicious activity dating back to at least 2020. Adjacent IP addresses are currently implicated in distributing Mirai and Gafgyt malware, further emphasizing the persistent threat environment.

This situation underscores the need for robust cybersecurity measures and vigilance to safeguard against such vulnerabilities and their exploitation by malicious actors.

Conclusion

The React2Shell vulnerability represents a significant threat to systems utilizing affected versions of React.js. With over a million attempts to exploit this flaw, it is imperative for organizations to patch their systems and monitor for suspicious activity. Staying informed and responsive to such vulnerabilities is crucial to maintaining cybersecurity resilience.

Security Week News Tags:, , , , , , , , , , , , ,

Related Posts

Upwind Raises 0 Million at .5 Billion Valuation Upwind Raises $250 Million at $1.5 Billion Valuation Security Week News
Critical HPE OneView Vulnerability Exploited in Attacks Critical HPE OneView Vulnerability Exploited in Attacks Security Week News
Chrome 142 Update Patches Exploited Zero-Day Chrome 142 Update Patches Exploited Zero-Day Security Week News
CISO Conversations: John ‘Four’ Flynn, VP of Security at Google DeepMind CISO Conversations: John ‘Four’ Flynn, VP of Security at Google DeepMind Security Week News
Google’s B Wiz Acquisition Gets EU Nod Google’s $32B Wiz Acquisition Gets EU Nod Security Week News
Possible Zero-Day Patched in SonicWall SMA Appliances Possible Zero-Day Patched in SonicWall SMA Appliances Security Week News