React2Shell Vulnerability Sparks 1.4 Million Exploit Attempts

React2Shell Vulnerability Sparks 1.4 Million Exploit Attempts

Posted on By CWS

Key Points

  • Over 1.4 million React2Shell exploitation attempts reported in a week.
  • Unauthenticated RCE vulnerability in React.js version 19.
  • Significant activity observed from two primary IP addresses.

In a concerning development for cybersecurity experts, the React2Shell vulnerability has seen a staggering 1.4 million exploitation attempts in the past week, as reported by GreyNoise. This vulnerability, found in version 19 of the popular JavaScript library React (React.js), is identified as CVE-2025-55182 and carries a CVSS score of 10, indicating its critical severity.

Exploit Details and Impact

The React2Shell flaw allows attackers to execute remote code without authentication by sending a single HTTP POST request. The vulnerability gained significant attention after a Metasploit module was released, facilitating its exploitation. Notably, applications that utilize React Server Components (RSC) may also be affected, even if they do not directly use React Server Function endpoints.

This vulnerability was publicly disclosed in early December, and within two days, both state-sponsored hackers and cybercriminal groups began targeting it. This highlights the urgency for developers and system administrators to address the flaw promptly.

Attack Origins and Methods

GreyNoise has observed over 1,000 IP addresses involved in these exploitation attempts, with two addresses standing out due to their significant activity. The IP 193.142.147[.]209 alone accounted for 488,342 attack sessions, equating to 34% of all activity, primarily focusing on deploying reverse shells to gain interactive access.

Similarly, the IP 87.121.84[.]24 was responsible for 311,484 attack sessions, which is 22% of the total malicious activity. These attacks have been linked to the deployment of XMRig cryptocurrency miners, utilizing two specific staging servers.

Ongoing Threats and Server Activity

One of the staging servers used in these attacks has a history of malicious activity dating back to at least 2020. Adjacent IP addresses are currently implicated in distributing Mirai and Gafgyt malware, further emphasizing the persistent threat environment.

This situation underscores the need for robust cybersecurity measures and vigilance to safeguard against such vulnerabilities and their exploitation by malicious actors.

Conclusion

The React2Shell vulnerability represents a significant threat to systems utilizing affected versions of React.js. With over a million attempts to exploit this flaw, it is imperative for organizations to patch their systems and monitor for suspicious activity. Staying informed and responsive to such vulnerabilities is crucial to maintaining cybersecurity resilience.

Security Week News Tags:, , , , , , , , , , , , ,

Related Posts

Organizations Warned of Vulnerability in Microsoft Exchange Hybrid Deployment Organizations Warned of Vulnerability in Microsoft Exchange Hybrid Deployment Security Week News
Iranian Cyber Group Targets US Organizations Amid Tensions Iranian Cyber Group Targets US Organizations Amid Tensions Security Week News
Plex Urges Password Resets Following Data Breach Plex Urges Password Resets Following Data Breach Security Week News
100,000 Impacted by Cornwell Quality Tools Data Breach  100,000 Impacted by Cornwell Quality Tools Data Breach  Security Week News
Cox Confirms Oracle EBS Hack as Cybercriminals Name 100 Alleged Victims Cox Confirms Oracle EBS Hack as Cybercriminals Name 100 Alleged Victims Security Week News
Malicious NPM Packages Disguised as Express Utilities Allow Attackers to Wipe Systems Malicious NPM Packages Disguised as Express Utilities Allow Attackers to Wipe Systems Security Week News