The React2Shell vulnerability (CVE-2025-55182) continues to face a relentless exploitation campaign, with threat actors launching more than 8.1 million attack sessions since its initial disclosure.
According to GreyNoise Observation Grid data, daily attack volumes have stabilized at 300,000–400,000 sessions since peaking above 430,000 in late December, indicating sustained, coordinated exploitation.
Over 8.1 million sessions have been observed since the start.
Scale of the Exploitation Campaign
The campaign's infrastructure footprint reveals a sophisticated, distributed operation. Researchers have identified 8,163 unique source IP addresses spanning 1,071 autonomous systems (ASNs) across 101 countries.
This geographic dispersion underscores the vulnerability's appeal across diverse threat actor ecosystems, from opportunistic botnets to advanced persistent threat groups. AWS and other major cloud providers dominate the attack infrastructure.
Amazon Web Services alone accounts for over one-third of observed exploitation traffic, with the top 15 ASNs comprising roughly 60% of all source IPs.
This reflects attackers' preference for leveraging legitimate cloud infrastructure to mask malicious activity. Attackers have created over 70,000 unique payloads, demonstrating continuous experimentation and refinement.
Network fingerprint analysis reveals 700 distinct JA4H hashes (HTTP client fingerprints) and 340 unique JA4T hashes (TCP stack fingerprints), indicating diversified tooling and delivery mechanisms.
Payload Diversity and Attack Patterns
Exploitation follows a predictable two-stage approach. Initial reconnaissance probes validate command execution via simple PowerShell arithmetic operations before proceeding to deliver an encoded payload.
Stage-two exploits employ AMSI bypass techniques, enabling attackers to execute additional malicious scripts while evading antivirus detection.
Organizations remain exposed if unpatched. Nearly 50% of observed source IPs were first seen after July 2025, indicating recent infrastructure allocation and rapid IP rotation.
Static IP blocklists are inadequate to address this campaign's scale and velocity. Defenders should implement dynamic blocking via GreyNoise's continuously updated threat intelligence feeds.
Endpoint monitoring should focus on detecting PowerShell execution patterns, encoded commands, and AMSI modifications via reflection.
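As an added example (not code from the article or from GreyNoise), the following Python detector applies the endpoint-monitoring advice above to constructed process command-line log entries: it decodes any -EncodedCommand payload before matching, flags the arithmetic-style execution probe the article describes as stage one, and flags reflection against AMSI internals. The sample log lines and the regular expressions are my own assumptions, not published signatures.

```python
import base64
import re

# Constructed sample log lines (process command-line style); not taken from the article.
ENCODED_PROBE = base64.b64encode("Write-Output (7*191)".encode("utf-16le")).decode()
SAMPLE_LOGS = [
    "powershell.exe -NoProfile Get-ChildItem C:\\inetpub\\logs",
    f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED_PROBE}",
    "powershell.exe -c \"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')\"",
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts these prefixes).
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# A script body that is nothing but one arithmetic expression, the "does code run?" probe.
ARITH_PROBE_RE = re.compile(
    r"^\s*(?:write-output|echo)?\s*\(?\s*\d+\s*[-+*/]\s*\d+\s*\)?\s*$", re.I)
# Reflection reaching into AMSI internals (assumed indicator strings).
AMSI_REFLECTION_RE = re.compile(
    r"\[ref\]\.assembly\.gettype\(.*amsi|amsiutils|amsiinitfailed", re.I)


def decode_encoded_command(line):
    """Return the decoded -EncodedCommand body (UTF-16LE base64) or None."""
    m = ENC_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(line):
    """Return the list of detection tags that apply to one log line."""
    tags = []
    decoded = decode_encoded_command(line)
    if decoded is not None:
        tags.append("encoded_command")
    # Match the decoded body as well as the raw line so encoding cannot hide a pattern.
    body = f"{line}\n{decoded or ''}"
    if AMSI_REFLECTION_RE.search(body):
        tags.append("amsi_reflection")
    if decoded is not None and ARITH_PROBE_RE.match(decoded):
        tags.append("arith_probe")
    return tags


def scan(lines):
    """Map line index -> tags for every line that triggered at least one detection."""
    return {i: classify(ln) for i, ln in enumerate(lines) if classify(ln)}
```

In practice the same checks would be run over PowerShell script-block logging (Event ID 4104) rather than only process command lines, since the script-block log already contains the decoded body.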
Organizations managing exposed React Server Components should treat this as an active, ongoing threat requiring immediate patching and network-level protection.
