What’s Happening
Once a system is exploited, attackers frequently deploy the XMRig cryptocurrency miner and establish reverse shells — giving hands-on access to compromised systems.
Over 1.4 million exploitation attempts targeting React2Shell were observed in the past week by GreyNoise threat intelligence.
Two malicious IP addresses alone accounted for the majority of these attempts, with nearly 35% tied to interactive reverse shell payloads.
About React2Shell (CVE-2025-55182)
The root of this campaign is a severe unauthenticated remote code execution (RCE) flaw in the React Server Components stack. An attacker can trigger the vulnerability with a single malicious HTTP POST request, leading to arbitrary server-side code execution.
- It affects React versions 19.0.0 through 19.2.0 and dependent frameworks like Next.js.
- The flaw stems from unsafe deserialization within the RSC “Flight” protocol, which allows crafted payloads to execute arbitrary JavaScript.
Who’s Targeting It
- Both opportunistic cybercrime actors and state-linked threat groups have been observed in the wild exploiting this flaw.
- Campaigns include deployment of cryptominers, reverse shells, and other malware families tailored for persistence, network pivoting, and data theft.
Broader Exploitation Trends
React2Shell exploitation has also been tied to:
- Various Linux backdoors (e.g., PeerBlight) and reverse proxy tunnels.
- Widespread automated scanning and exploitation across sectors and geographies shortly after the public disclosure in early December 2025.
Risk and Impact
- Unauthenticated access: No credentials are needed to trigger the exploit.
- Remote Code Execution: Attackers can run any code with the privileges of the process owner.
- Post-exploitation control: Reverse shells allow attackers to explore compromised environments interactively.
Urgent Defensive Recommendations
Patch and Update
- Immediately update React and any frameworks leveraging React Server Components to the fixed versions (e.g., 19.0.1, 19.1.2, 19.2.1 or later).
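As an added example (not code from GreyNoise, SonicWall, Huntress, or the React project), the following Node.js snippet classifies every copy of React resolved in an npm lockfile against the affected range and fixed releases listed above; it assumes the lockfile v2/v3 "packages" layout, and the sample lockfile is constructed.

```javascript
// Added example, not code from the advisory or its sources: classify resolved React
// versions against the affected range (19.0.0 through 19.2.0) and the fixed releases
// (19.0.1, 19.1.2, 19.2.1 or later) stated in the advisory.

// Lowest safe patch level per 19.x minor line, taken from the fixed versions above.
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Returns "vulnerable", "fixed", "unaffected", or "review" (cannot be decided automatically).
// A naive "is it between 19.0.0 and 19.2.0" check would wrongly flag the fixed 19.0.1 and 19.1.2.
function classifyReactVersion(version) {
  const s = parseSemver(version);
  if (!s) return "review";                          // semver ranges such as "^19.2.0": use the lockfile's resolved version
  if (s.major < 19) return "unaffected";            // pre-19 releases are outside the stated affected range
  if (s.major > 19 || s.minor > 2) return "fixed";  // "19.2.1 or later"
  if (s.pre) return "review";                       // canary/rc builds: check against the vendor advisory by hand
  return s.patch >= FIXED_PATCH[s.minor] ? "fixed" : "vulnerable";
}

// Walk an npm lockfile (v2/v3 "packages" map) and report every resolved copy of react,
// including nested copies under other packages' node_modules directories.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/react" || path.endsWith("/node_modules/react")) {
      findings.push({ path, version: entry.version, status: classifyReactVersion(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: a vulnerable top-level react and a nested fixed copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { react: "^19.2.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react": { version: "19.2.1" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.status.padEnd(10)} ${f.version.padEnd(8)} ${f.path}`);
```

Replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; any "vulnerable" or "review" finding means the patch recommendation above still applies.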
Network Hardening
- Deploy Web Application Firewall (WAF) rules to detect/block exploitation attempts against the vulnerable endpoints.
- Review server logs for unusual POST requests or outbound connections to suspicious staging servers.
Threat Hunting
- Look for signs of reverse shells, unexpected binaries (like cryptominers), and persistence hooks such as new services or cron jobs.
- Audit servers for presence of unexpected tools, particularly those that enable interactive access.
Bottom Line
The React2Shell vulnerability remains one of the most widely abused RCE flaws in recent months. Despite patches being available, large volumes of automated exploitation continue, making it critical for organizations using React Server Components or related stacks to patch immediately and validate remediation.
Source
- GreyNoise Intelligence
https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
- SonicWall Threat Research
https://www.sonicwall.com/blog/react2shell-cve-2025-55182-critical-unauthenticated-rce
- Huntress Labs
https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell