Cybersecurity companies have been seeing a variety of malware being delivered in attacks exploiting the critical React vulnerability dubbed React2Shell.
A researcher recently found that React, the popular open source library for building application user interfaces, is affected by a critical vulnerability that can be exploited for unauthenticated remote code execution via specially crafted HTTP requests.
React2Shell, formally tracked as CVE-2025-55182, impacts systems that use React version 19, specifically instances with React Server Components (RSC). In addition to React, CVE-2025-55182 affects other frameworks, including Next.js, Waku, React Router, and RedwoodSDK.
React powers hundreds of thousands of websites, and it is used by popular online services such as Airbnb and Netflix.
The Shadowserver Foundation initially said it had only seen roughly 77,000 IP addresses associated with vulnerable instances, but later reported seeing more than 165,000 IPs and 644,000 domains “with vulnerable code”.
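The affected profile described above (React 19 together with React Server Components, or one of the listed frameworks on top of React 19) is something a defender can inventory from a project's lockfile. The following triage script is an added example, not code from the article or from the React project; it reads an npm package-lock.json (lockfileVersion 2 or 3), reports the installed React major version, and flags the project for review when it matches that profile. The RSC package names (react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel) and the npm names of the frameworks (next, waku, react-router, rwsdk) are assumptions, not taken from the article, and the script does not know the fixed versions, which the article does not give; a flagged project still has to be checked against the vendor advisory.

```python
"""
Inventory helper: flag npm projects whose package-lock.json shows the
combination React2Shell (CVE-2025-55182) is reported to affect:
React 19 together with React Server Components (RSC) packages, or one of
the frameworks named in the article (Next.js, Waku, React Router, RedwoodSDK).
"""
import json
from typing import Any, Dict, Optional

# Assumed package names (not taken from the article): the RSC bindings that
# React ships, and the npm names of the frameworks the article lists.
RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-turbopack",
    "react-server-dom-parcel",
}
FRAMEWORK_PACKAGES = {
    "next": "Next.js",
    "waku": "Waku",
    "react-router": "React Router",
    "rwsdk": "RedwoodSDK",
}


def _installed_packages(lock: Dict[str, Any]) -> Dict[str, str]:
    """Map package name -> version from a lockfileVersion 2/3 'packages' map.
    Keys look like 'node_modules/react' or 'node_modules/a/node_modules/b'."""
    found: Dict[str, str] = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        # keep the shallowest occurrence of a name (top-level install wins)
        if name not in found or path.count("node_modules/") == 1:
            found[name] = version
    return found


def major_version(version: str) -> Optional[int]:
    """Return the leading major number of a semver string, or None."""
    head = version.lstrip("^~>=<v ").split(".", 1)[0]
    return int(head) if head.isdigit() else None


def find_react2shell_candidates(lock: Dict[str, Any]) -> Dict[str, Any]:
    """Report whether the lockfile matches the affected profile.
    Triage aid only: confirm the exact fixed versions against the React
    advisory before closing a finding."""
    pkgs = _installed_packages(lock)
    react_version = pkgs.get("react", "")
    react19 = major_version(react_version) == 19
    rsc = sorted(p for p in RSC_PACKAGES if p in pkgs)
    frameworks = sorted(FRAMEWORK_PACKAGES[p] for p in FRAMEWORK_PACKAGES if p in pkgs)
    return {
        "react_version": react_version,
        "react19": react19,
        "rsc_packages": rsc,
        "frameworks": frameworks,
        # affected profile from the article: React 19 plus RSC usage,
        # or one of the listed frameworks on top of React 19
        "needs_review": react19 and bool(rsc or frameworks),
    }


# Constructed sample lockfile (not a real project): React 19 + Next.js + RSC
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next": "^15.0.0", "react": "^19.0.0"}},
        "node_modules/react": {"version": "19.0.0"},
        "node_modules/react-dom": {"version": "19.0.0"},
        "node_modules/next": {"version": "15.0.3"},
        "node_modules/react-server-dom-webpack": {"version": "19.0.0"},
    },
}

if __name__ == "__main__":
    import sys
    # Usage: python react2shell_triage.py [path/to/package-lock.json]
    with_file = len(sys.argv) > 1
    lock = json.load(open(sys.argv[1])) if with_file else SAMPLE_LOCK
    print(json.dumps(find_react2shell_candidates(lock), indent=2))
```

Run it against each repository's package-lock.json as part of an inventory sweep; the `needs_review` flag marks projects to prioritise for patching and for log review, since the article notes that exploitation started shortly after disclosure.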
In-the-wild exploitation of React2Shell
AWS reported that Chinese threat actors were the first to exploit the vulnerability, with attacks starting shortly after public disclosure. Exploitation quickly surged and dozens of organizations were reportedly impacted.
Several major cybersecurity companies are now observing attack attempts, and they have detailed the various types of payloads delivered by hackers.
A majority of security firms have seen attempts to deliver cryptocurrency miners following the exploitation of React2Shell. Cloud credential theft was also widely observed.
Palo Alto Networks has confirmed a report from Sysdig that North Korea-linked threat actors have been exploiting CVE-2025-55182 to deliver EtherRAT, a persistent access implant.
In addition, Palo Alto has seen attackers attempting to deploy the BPFDoor Linux backdoor, which was previously attributed to a Chinese state-sponsored threat actor named Red Menshen and Earth Bluecrow.
The security firm has also observed delivery of commodity malware, Cobalt Strike, dropper scripts, interactive webshells, NoodleRAT, the Auto-Color backdoor, and the SnowLight and VShell trojans. The trojans were seen in an initial access broker campaign linked to China.
Huntress has also seen attempts to deliver a variety of malware to customers’ systems.
The company has observed a Linux backdoor named PeerBlight, a reverse proxy tunnel called CowTunnel, and a post-exploitation implant dubbed ZinFoq. Huntress has also seen malware powering the Kaiji botnet being distributed through this campaign.
Wiz has been monitoring cloud attacks.
“Most attacks target internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services,” the cloud security giant said.
In the attacks observed by the company, threat actors leveraged React2Shell to steal credentials associated with cloud and developer services, deploy cryptominers in containers, and deliver backdoors and Sliver implants.
CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog and initially instructed federal agencies to address it by December 26. However, following a surge in exploitation, the agency updated the deadline to December 12.