Mallory

Active Exploitation of React2Shell (CVE-2025-55182) in React Server Components

Tags: actively-exploited-vulnerability, rapid-weaponization, proof-of-concept-release, open-source-dependency-vulnerability, remote-access-implant
Updated April 9, 2026 at 07:01 PM · 4 sources

Get Ahead of Threats Like This

Know if you're exposed. Before adversaries strike.

Threat actors are actively exploiting React2Shell (CVE-2025-55182), a critical remote code execution flaw in the Flight protocol used for client-server communication in React Server Components. The issue is attributed to insecure deserialization that can allow unauthorized code execution on vulnerable servers, with observed targeting across insurance, e-commerce, and IT organizations. Reported payloads include the XMRig cryptocurrency miner as well as multiple botnets and remote access tooling; campaigns observed against Russian entities deployed RustoBot and Kaiji, while other activity distributed malware such as CrossC2, Tactical RMM, VShell, and EtherRAT.

Affected packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0, 19.1.0, 19.1.1, and 19.2.0, with fixes available in 19.0.1, 19.1.2, and 19.2.1. Separate reporting highlighted that attackers leveraged a public proof-of-concept (PoC) for React2Shell and began targeting organizations within hours, reinforcing that rapid weaponization is now common; defenders are advised to patch and also perform post-patch validation, including checking for indicators of compromise, verifying Next.js and dependency versions, rebuilding projects after updates, and confirming lockfiles no longer reference vulnerable package versions.
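As an added example (not code from the Mallory write-up or from the React project), the lockfile check described above as a small Node script: it walks a package-lock.json "packages" map (lockfile v2/v3) and classifies every react-server-dom-* entry against the first patched release per 19.x line stated above (19.0.1, 19.1.2, 19.2.1). The embedded lockfile fragment is constructed for the demonstration; prerelease builds and versions the advisory does not list are reported for manual review rather than assumed safe.

```javascript
// Added example: check an npm lockfile for the React Server Components packages
// affected by CVE-2025-55182. Package names and fixed versions are those stated
// in the advisory text; everything else here is an assumption of this example.
const AFFECTED = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
// First patched release on each 19.x minor line: 19.0.1, 19.1.2, 19.2.1.
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// "vulnerable": below the fixed release on a listed line; "fixed": at or above it;
// "review": prerelease or unparsable, check by hand; "unlisted": not a line the
// advisory names (do not treat as safe without checking the vendor advisory).
function classify(version) {
  const p = parseVersion(version);
  if (!p || p.pre) return "review";
  if (p.major !== 19 || !(p.minor in FIXED_PATCH)) return "unlisted";
  return p.patch < FIXED_PATCH[p.minor] ? "vulnerable" : "fixed";
}

// Walk a parsed package-lock.json (lockfileVersion 2 or 3). Keys look like
// "node_modules/react-server-dom-webpack", possibly nested under another package.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const marker = "node_modules/";
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (!AFFECTED.includes(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed lockfile fragment for the demo; not a real project's lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-abc123" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and re-run after `npm install` so the lockfile reflects the rebuilt tree.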

Timeline

  1. Jan 27, 2026

    BI.ZONE details active React2Shell exploitation and malware variants

    Reporting on active exploitation of CVE-2025-55182 described region-specific payloads, with Russian targets seeing RustoBot and Kaiji and other regions seeing CrossC2/Cobalt Strike, Tactical RMM, VShell, EtherRAT, and Sliver. Researchers also documented persistence via systemd and cron, anti-forensics, and DNS-tunneled exfiltration in some cases.

  2. Jan 27, 2026

    Patches released for affected React Server Components packages

    Patched releases were made available for vulnerable React Server Components packages affected by CVE-2025-55182, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack across several 19.x versions. Despite the fixes, later reporting said exploitation continued against unpatched deployments.

  3. Jan 1, 2026

    Darktrace detects World Leaks intrusion at healthcare organization

    In January 2026, Darktrace detected a World Leaks intrusion at a healthcare organization involving command-and-control via Cloudflare Tunnel and suspicious external IPs, plus exfiltration to MEGA and Backblaze. The incident was notable because the affiliate both exfiltrated data and encrypted systems, contradicting World Leaks' claimed extortion-only model.

  4. Dec 13, 2025

    GTIG links React2Shell exploitation to China- and Iran-nexus actors

    Google Threat Intelligence Group reported widespread exploitation of CVE-2025-55182 beginning the previous week, involving multiple espionage and financially motivated clusters. GTIG said China-nexus groups UNC6600 and UNC6603 deployed tools including MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX, noted likely Iran-nexus participation, and published hunting IOCs and mitigation guidance.

  5. Dec 1, 2025

    Attackers begin exploiting React2Shell against organizations

    Campaigns exploiting CVE-2025-55182 ("React2Shell") were first observed in December 2025, targeting organizations including insurance, e-commerce, and IT entities. Reports describe rapid weaponization after vulnerability details became public and use of payloads such as XMRig, botnets, and remote access tools.

  6. Oct 1, 2025

    World Leaks likely compromises healthcare victim via Fortigate

    Darktrace said a January 2026 healthcare intrusion linked to World Leaks likely began with the compromise of a Fortigate appliance in October 2025. The attackers then used compromised credentials and later moved through the environment using tools and protocols including PsExec, WinRM, RDP, SMB, and SSH.


Related Stories

Exploitation of React2Shell Vulnerability by Botnets and Threat Actors

A critical unauthenticated remote code execution (RCE) vulnerability, identified as React2Shell (`CVE-2025-55182`), was disclosed in December 2025, affecting applications built with React Server Components and related frameworks such as Next.js. Public proof-of-concept exploits were released shortly after disclosure, enabling attackers to inject and execute arbitrary code on vulnerable systems. Security researchers and vendors, including Sysdig, responded by publishing detection guidance and threat bulletins, urging organizations to patch affected software, update dependencies, and monitor for signs of compromise. The vulnerability's severity and ease of exploitation have made it a high-priority target for both opportunistic and advanced threat actors. Notably, botnet operators, including those behind the RondoDox botnet, have begun actively targeting the React2Shell flaw to compromise systems at scale. Security advisories recommend immediate patching and enhanced monitoring, as exploitation attempts have increased rapidly following the public release of exploit code. The incident underscores the ongoing risk posed by supply chain and framework vulnerabilities, especially when widely used components are affected and attackers move quickly to weaponize new flaws.

1 month ago

React2Shell Remote Code Execution Vulnerability in React 19 and Next.js

A critical remote code execution vulnerability, dubbed **React2Shell**, was discovered in the React 19 library, specifically affecting React Server Components. The flaw allows unauthenticated attackers to execute arbitrary code on servers by sending crafted requests, making it a severe risk for organizations using default React and Next.js deployments. Within hours of public disclosure, security firms including Google’s Threat Intelligence Group and AWS confirmed active exploitation in the wild, highlighting the shrinking window between vulnerability awareness and real-world attacks. Researchers from Wiz and Unit 42 demonstrated that even clean, default deployments were susceptible, emphasizing the widespread impact due to the popularity of these frameworks. Threat actors rapidly weaponized the React2Shell vulnerability, with the RondoDox botnet launching automated exploitation campaigns targeting both web applications and IoT devices. CloudSEK’s analysis of command and control logs revealed a multi-month campaign, with a significant spike in attacks following the vulnerability’s disclosure in December 2025. The RondoDox botnet deployed various payloads, including web shells and cryptominers, and quickly adapted its infrastructure in response to security firm reports. Organizations with technology stacks overlapping the targeted vectors were promptly alerted, underscoring the urgent need for patching and monitoring in environments using React 19 and Next.js.

1 month ago

Exploitation of React2Shell Vulnerability (CVE-2025-55182) in IoT and Web Applications

A critical security vulnerability, React2Shell (CVE-2025-55182), affecting React Server Components and Next.js, has been widely exploited by both state-sponsored and criminal threat actors. The flaw enables unauthenticated remote code execution, making it a prime target for ransomware groups, botnet operators, and espionage campaigns throughout 2025. Notably, the RondoDox botnet leveraged this vulnerability in a persistent nine-month campaign to compromise IoT devices and web applications, enrolling tens of thousands of systems into its network. According to Shadowserver Foundation data, over 84,000 instances remained vulnerable as of early January 2026, with the majority located in the United States. PolySwarm's annual review highlights React2Shell as the year's most significant exploit, noting its rapid weaponization by both nation-state actors and cybercriminals. Ransomware groups such as Cl0p and Qilin used zero-day exploits, including React2Shell, to target enterprises, government, and healthcare sectors. The widespread abuse of this vulnerability underscores the urgent need for organizations to patch affected systems and monitor for signs of compromise, as attackers continue to exploit trusted software components for initial access and lateral movement.

1 month ago
