Google has observed five China-linked threat groups exploiting the recently disclosed React2Shell vulnerability in their attacks.
React2Shell, officially tracked as CVE-2025-55182, affects systems that use version 19 of the React user interface library, specifically instances with React Server Components (RSC). In addition to React, CVE-2025-55182 can also impact many applications that use Next.js, Waku, React Router, or RedwoodSDK.
CVE-2025-55182 is a critical vulnerability that can be exploited for unauthenticated remote code execution via specially crafted HTTP requests.
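The article names the affected components (React 19 with React Server Components, plus Next.js, Waku, React Router and RedwoodSDK) but not how to find out whether a deployment contains them. The following is an added example, not code from the article, from Google, or from the React project: it inventories an npm lockfile for those packages and compares each one against a fixed-version table. The RSC package names (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack), the framework package names, and the lockfile layout are assumptions; the fixed-version table is a placeholder that must be filled from the vendor advisory, and the lockfile at the bottom is constructed for the demonstration.

```python
"""Inventory an npm lockfile for the packages CVE-2025-55182 can affect.

Added example (not code from the article or the React project). It flags React 19
React Server Components packages and the frameworks the article names, then compares
them with a fixed-version table that you fill in from the vendor advisory.
"""
import json
import sys
from typing import Dict, List, Tuple

# Assumption: the RSC runtime ships in these npm packages (the article only says
# "React Server Components"); add others if your bundler uses a different one.
RSC_PACKAGES = ("react-server-dom-webpack", "react-server-dom-parcel",
                "react-server-dom-turbopack")
# Frameworks the article lists as also affected; the npm package names are assumed.
FRAMEWORK_PACKAGES = ("next", "waku", "react-router", "rwsdk")

# Placeholder: keyed "<package>@<major>.<minor>", value = first fixed version on
# that line. Left empty here; copy the values from the advisory for your stack.
FIXED_FROM_ADVISORY: Dict[str, str] = {}


def parse_version(v: str) -> Tuple[int, ...]:
    """'19.2.0-canary.1+build' -> (19, 2, 0); prerelease/build metadata is dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad short versions to 3 parts


def installed_packages(lock: dict) -> Dict[str, List[str]]:
    """Collect {name: [versions]} from lockfile v2/v3 ('packages') or v1 ('dependencies').

    Nested copies (node_modules/next/node_modules/react-server-dom-turbopack) are
    included, since a framework can bundle its own RSC runtime.
    """
    found: Dict[str, List[str]] = {}

    def record(name: str, version: str) -> None:
        if version and version not in found.setdefault(name, []):
            found[name].append(version)

    for path, meta in lock.get("packages", {}).items():
        if path.startswith("node_modules/"):
            record(path.rsplit("node_modules/", 1)[1], meta.get("version", ""))

    def walk(deps: dict) -> None:  # lockfile v1 nests dependencies recursively
        for name, meta in deps.items():
            record(name, meta.get("version", ""))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def assess(lock: dict, fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, version, status) for each RSC or framework package found.

    status is 'not-react-19' (RSC package outside the affected major), 'patched',
    'vulnerable', or 'check-advisory' when no fixed version is known for that line.
    """
    results: List[Tuple[str, str, str]] = []
    for name, versions in installed_packages(lock).items():
        if name not in RSC_PACKAGES and name not in FRAMEWORK_PACKAGES:
            continue
        for ver in versions:
            inst = parse_version(ver)
            if name in RSC_PACKAGES and inst[0] != 19:
                results.append((name, ver, "not-react-19"))  # article: React 19 only
                continue
            line_fix = fixed.get(f"{name}@{inst[0]}.{inst[1]}")
            if line_fix is None:
                status = "check-advisory"
            elif inst >= parse_version(line_fix):
                status = "patched"
            else:
                status = "vulnerable"
            results.append((name, ver, status))
    return results


# Constructed lockfile v3 fragment used for the demonstration below.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next": {"version": "15.5.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "18.3.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for pkg, ver, status in assess(lock, FIXED_FROM_ADVISORY):
        print(f"{status:15} {pkg}@{ver}")
```

Run it with the path to a package-lock.json as the only argument; with the placeholder table empty, every React 19 RSC package and every listed framework comes back as check-advisory, which is the honest answer until the fixed versions are entered. Nested copies of the RSC runtime matter because a patched top-level React does not fix a framework that vendors its own.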
React2Shell was disclosed on December 3, and exploitation started on the same day.
AWS reported that Chinese threat actors tracked as Earth Lamia and Jackpot Panda had started exploiting the React vulnerability shortly after its public disclosure.
The Google Threat Intelligence Group (GTIG) has also monitored the web for React2Shell attacks and over the weekend reported seeing at least five other China-linked threat groups delivering malware through exploitation of the vulnerability.
GTIG tracks Earth Lamia as UNC5454, but it has not shared any information on possibly related attacks it may have seen.
Instead, GTIG shared a brief description of attacks conducted by five other groups. One of them is the espionage cluster tracked as UNC6600, which has exploited React2Shell to deliver a tunneler named Minocat.
A group identified as UNC6586 has been seen using React2Shell to deploy a downloader named Snowlight, which has been leveraged to deliver other payloads disguised as legitimate files.
UNC6588 exploited CVE-2025-55182 to download a backdoor named Compood, which has often been used by Chinese hackers in espionage campaigns. However, in this case, GTIG was unable to determine the attacker's goals.
UNC6603 delivered a backdoor named Hisonic, and UNC6595 deployed a piece of malware tracked as Angryrebel.Linux.
Many threat actors, including profit-driven cybercriminals, have been observed exploiting React2Shell to deliver a wide range of malware.
While exploitation by Chinese and North Korean threat actors was previously reported, Google also mentioned seeing attacks conducted by Iran-linked groups.
New React vulnerabilities
Since the disclosure of React2Shell, the existence of three other React vulnerabilities has come to light.
While two of them have been given a 'high severity' rating, they can only be exploited for denial-of-service (DoS). The issues are tracked as CVE-2025-55184 and CVE-2025-67779.
The third issue, identified as CVE-2025-55183, is a medium-severity flaw that can lead to source code exposure.