React2Shell Vulnerability Sparks 1.4 Million Exploit Attempts

React2Shell Vulnerability Sparks 1.4 Million Exploit Attempts

Posted on By CWS

Key Points

  • Over 1.4 million React2Shell exploitation attempts reported in a week.
  • Unauthenticated RCE vulnerability in React.js version 19.
  • Significant activity observed from two primary IP addresses.

In a concerning development for cybersecurity experts, the React2Shell vulnerability has seen a staggering 1.4 million exploitation attempts in the past week, as reported by GreyNoise. This vulnerability, found in version 19 of the popular JavaScript library React (React.js), is identified as CVE-2025-55182 and carries a CVSS score of 10, indicating its critical severity.

Exploit Details and Impact

The React2Shell flaw allows attackers to execute remote code without authentication by sending a single HTTP POST request. The vulnerability gained significant attention after a Metasploit module was released, facilitating its exploitation. Notably, applications that utilize React Server Components (RSC) may also be affected, even if they do not directly use React Server Function endpoints.

This vulnerability was publicly disclosed in early December, and within two days, both state-sponsored hackers and cybercriminal groups began targeting it. This highlights the urgency for developers and system administrators to address the flaw promptly.

Attack Origins and Methods

GreyNoise has observed over 1,000 IP addresses involved in these exploitation attempts, with two addresses standing out due to their significant activity. The IP 193.142.147[.]209 alone accounted for 488,342 attack sessions, equating to 34% of all activity, primarily focusing on deploying reverse shells to gain interactive access.

Similarly, the IP 87.121.84[.]24 was responsible for 311,484 attack sessions, which is 22% of the total malicious activity. These attacks have been linked to the deployment of XMRig cryptocurrency miners, utilizing two specific staging servers.

Ongoing Threats and Server Activity

One of the staging servers used in these attacks has a history of malicious activity dating back to at least 2020. Adjacent IP addresses are currently implicated in distributing Mirai and Gafgyt malware, further emphasizing the persistent threat environment.

This situation underscores the need for robust cybersecurity measures and vigilance to safeguard against such vulnerabilities and their exploitation by malicious actors.

Conclusion

The React2Shell vulnerability represents a significant threat to systems utilizing affected versions of React.js. With over a million attempts to exploit this flaw, it is imperative for organizations to patch their systems and monitor for suspicious activity. Staying informed and responsive to such vulnerabilities is crucial to maintaining cybersecurity resilience.

Security Week News Tags:, , , , , , , , , , , , ,

Related Posts

In Other News: CrowdStrike Vulnerabilities, CISA Layoffs, Mango Data Breach In Other News: CrowdStrike Vulnerabilities, CISA Layoffs, Mango Data Breach Security Week News
SystemBC Botnet Survives Takedown, Infects 10,000 Devices SystemBC Botnet Survives Takedown, Infects 10,000 Devices Security Week News
Cybereason Acquired by MSSP Giant LevelBlue Cybereason Acquired by MSSP Giant LevelBlue Security Week News
ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Phoenix Contact ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Phoenix Contact Security Week News
Man Who Hacked Organizations to Advertise Security Services Pleads Guilty Man Who Hacked Organizations to Advertise Security Services Pleads Guilty Security Week News
Google Pays 0,000 in Rewards for Two Chrome Vulnerabilities Google Pays $100,000 in Rewards for Two Chrome Vulnerabilities Security Week News