Cyber Web Spider Blog – News


React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation

Posted on December 12, 2025 By CWS

Dec 12, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation.
The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. It also affects other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK.
“A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved,” Cloudforce One, Cloudflare’s threat intelligence team, said. “Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server.”
Since its public disclosure on December 3, 2025, the shortcoming has been exploited by multiple threat actors in various campaigns to engage in reconnaissance efforts and deliver a wide range of malware families.

The development prompted CISA to add it to its Known Exploited Vulnerabilities catalog last Friday, giving federal agencies until December 26 to apply the fixes. The deadline has since been revised to December 12, 2025, an indication of the severity of the incident.
Cloud security company Wiz said it has observed a “rapid wave of opportunistic exploitation” of the flaw, with a vast majority of the attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services.
Cloudflare, which is also monitoring ongoing exploitation activity, said threat actors have conducted searches using internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications. Notably, some of the reconnaissance efforts have excluded Chinese IP address spaces from their searches.
“Their highest-density probing occurred against networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand – regions frequently associated with geopolitical intelligence collection priorities,” the web infrastructure company said.
The observed activity is also said to have targeted, albeit more selectively, government (.gov) websites, academic research institutions, and critical-infrastructure operators. This included a national authority responsible for the import and export of uranium, rare metals, and nuclear fuel.

Some of the other notable findings are listed below –

  • Prioritizing high-sensitivity technology targets such as enterprise password managers and secure-vault services, likely with the aim of perpetrating supply chain attacks
  • Targeting edge-facing SSL VPN appliances whose administrative interfaces may incorporate React-based components
  • Early scanning and exploitation attempts originated from IP addresses previously associated with Asia-affiliated threat clusters

In its own analysis of honeypot data, Kaspersky said it recorded over 35,000 exploitation attempts on a single day on December 10, 2025, with the attackers first probing the system by running commands like whoami, before dropping cryptocurrency miners or botnet malware families like Mirai/Gafgyt variants and RondoDox.
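
The sequence Kaspersky describes (a whoami probe from the server process, then a dropped payload) can be hunted in process-creation telemetry. The following is an added example, not code from the article or from Kaspersky; the event field names, the staging directories and the 300-second window are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample process-creation events (field names are assumptions,
# shaped like a typical EDR/auditd export); not data from the article.
SAMPLE_EVENTS = """\
{"ts": 100, "host": "web-1", "ppid": 41, "parent": "/usr/local/bin/node", "image": "/usr/bin/whoami"}
{"ts": 104, "host": "web-1", "ppid": 41, "parent": "/usr/local/bin/node", "image": "/tmp/payload.bin"}
{"ts": 110, "host": "web-2", "ppid": 77, "parent": "/usr/local/bin/node", "image": "/usr/local/bin/node"}
{"ts": 120, "host": "ci-1", "ppid": 9, "parent": "/bin/bash", "image": "/usr/bin/whoami"}
{"ts": 900, "host": "web-3", "ppid": 12, "parent": "/usr/bin/node", "image": "/usr/bin/whoami"}
"""

RECON = {"whoami"}               # command named in the article; extend per fleet
NODE_NAMES = {"node", "nodejs"}  # server runtimes to watch (assumption)
DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed payload staging dirs
WINDOW = 300                     # max seconds from probe to payload (assumption)

def detect(lines):
    """Return {(host, node_pid): severity} for Node.js parents that spawn a
    recon command; 'high' when a binary from a world-writable dir follows."""
    by_parent = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Only children of a Node.js process are interesting here; an admin
        # typing whoami in a shell has a shell as parent and is ignored.
        if PurePosixPath(ev["parent"]).name in NODE_NAMES:
            by_parent[(ev["host"], ev["ppid"])].append(ev)
    alerts = {}
    for key, events in by_parent.items():
        events.sort(key=lambda e: e["ts"])
        probes = [e for e in events if PurePosixPath(e["image"]).name in RECON]
        if not probes:
            continue
        first = probes[0]["ts"]
        dropped = any(
            e["image"].startswith(DROP_DIRS) and 0 <= e["ts"] - first <= WINDOW
            for e in events
        )
        alerts[key] = "high" if dropped else "medium"
    return alerts

if __name__ == "__main__":
    for (host, pid), sev in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{sev:6} host={host} node_pid={pid}")
```
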
Security researcher Rakesh Krishnan has also discovered an open directory hosted on “154.61.77[.]105:8082” that includes a proof-of-concept (PoC) exploit script for CVE-2025-55182 along with two other files –

  • “domains.txt,” which contains a list of 35,423 domains
  • “next_target.txt,” which contains a list of 596 URLs, including companies like Dia Browser, Starbucks, Porsche, and Lululemon

It has been assessed that the unidentified threat actor is actively scanning the internet based on targets added to the second file, infecting hundreds of pages in the process.
According to the latest data from The Shadowserver Foundation, there are more than 137,200 internet-exposed IP addresses running vulnerable code as of December 11, 2025. Of these, over 88,900 instances are located in the U.S., followed by Germany (10,900), France (5,500), and India (3,600).
