Attacks targeting the React2Shell vulnerability that was disclosed in December are continuing, with security researchers identifying more than 8,000 unique IP addresses involved in the campaign in the last month. Since the initial disclosure of the flaw on Dec. 3, GreyNoise has seen more than 8.1 million attack sessions, confirming the campaign is a major, ongoing threat.

After a peak of more than 430,000 attack sessions in late December, daily volumes targeting React2Shell have stabilized in the 300,000 to 400,000 range, signaling a persistent and well-resourced operation. React2Shell (CVE-2025-55182) is a critical remote code execution vulnerability in the React Server Components library that quickly became a serious target within days of the initial disclosure. Although much of the early exploit activity was fairly rudimentary, that has changed in the weeks since.

“Cloud infrastructure dominates the source network distribution, with Amazon Web Services alone representing over a third of observed exploitation traffic. The top 15 ASNs comprise roughly 60% of all source IPs,” the GreyNoise analysis says. 

The various attackers behind React2Shell exploitation show continuous iteration and experimentation, having produced more than 70,000 unique payloads. This sheer volume indicates a dedicated effort to bypass existing signature-based defenses. There is a broad and diverse set of tooling being deployed, with 700 unique HTTP client fingerprints and 340 unique TCP stack fingerprints observed by the GreyNoise researchers.

This breadth of attacker infrastructure, which spans more than 8,000 IP addresses across more than 1,000 ASNs, underscores the scope of the challenge for defenders in addressing the React2Shell targeting.

Organizations that have vulnerable React2Shell components should:

  • Patch immediately if they have not yet done so, as this is an active and ongoing campaign.
  • Implement dynamic blocking based on continuously updated threat feeds
  • Monitor for the published fingerprints associated with the campaign.

The sustained volume and consistent attacker evolution mean that the React2Shell campaign should be treated as a primary, non-stop threat with no indications of slowing down.

  • Recent Posts

  • Recent Comments

    No comments to show.