Attackers Worldwide are Zeroing In on React2Shell Vulnerability
<p>Threat actors of all stripes are descending on the <a href="https://securityboulevard.com/2025/12/exploitation-efforts-against-critical-react2shell-flaw-accelerate/" target="_blank" rel="noopener">React2Shell maximum-severity vulnerability</a> in React Server Components (RSC), with security researchers seeing a torrent of attacks that range from an expanding array of malware being dropped, to more nation-state threat groups joining the fray, to armies of Mirai-style botnets swarming smart home systems and consumer electronics.</p><p>The attempts to exploit the security flaw – tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-55182" target="_blank" rel="noopener">CVE-2025-55182</a> – are coming from all parts of the world and affecting organizations on a global scale. Researchers with Palo Alto’s Unit 42 found that more than 50 organizations across the United States, Asia, South America, and the Middle East – in sectors ranging from financial services and higher education to technology, government, and telecommunications – have been impacted.</p><p>“Over the past 24 hours, Wiz Research has been tracking rapidly expanding exploitation of CVE-2025-55182 in the wild,” Alon Schindel, vice president of AI and threat research at Wiz, <a href="https://www.linkedin.com/posts/activity-7404544875360108544---cY/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAC2xvMBLPggh7Z3PC8i4V4yQ0JB56a2MlM" target="_blank" rel="noopener">wrote in a LinkedIn post</a>. “We’re now seeing 15+ distinct intrusion clusters. 
The activity spans everything from opportunistic cryptominers to highly capable post-exploitation frameworks.”</p><p><a href="https://www.bitdefender.com/en-gb/blog/labs/cve-2025-55182-exploitation-hits-the-smart-home" target="_blank" rel="noopener">In a report</a>, Bitsight researchers said that shortly after the React2Shell bug was disclosed last week, the security vendor began detecting large numbers of automated botnet exploitation attempts in its endpoint and network sensors, and that they’re recording more than 150,000 blocked attempts a day on smart home products.</p><p>“Attack attempts were directed at a wide variety of device types, showing the opportunistic nature of such attempts,” they wrote. “The most frequently targeted models included smart plugs, smart phones, NAS devices, surveillance systems, routers, development boards, as well as various makes and models of smart TVs and consumer electronics.”</p><h3><strong>Wide Use, Easy Exploitation</strong></h3><p>React is among the most widely used JavaScript libraries; Wiz researchers said <a href="https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182" target="_blank" rel="noopener">39% of cloud environments</a> contain React or Next.js, one of several frameworks tied to RSC affected by the flaw. That broad use, combined with how easily React2Shell can be exploited, prompted security pros to warn about the immediate threat from bad actors.</p><p>Hours after React2Shell was disclosed, bad actors linked to Chinese intelligence agencies were seen targeting the vulnerability. Now that threat has grown to other nation-state actors – including those from North Korea – and financially motivated groups.</p><p>Researchers with both <a href="https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-itw.html" target="_blank" rel="noopener">Unit 42</a> and <a href="https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks?" 
target="_blank" rel="noopener">Sysdig</a> saw activity that significantly overlaps with Contagious Interview, a campaign where North Korean bad actors pose as recruiters to install malware onto the systems of people seeking jobs in the tech industry. They noted that the initiative hasn’t been attributed to any group.</p><p>“The observed activity includes EtherRAT,” the Unit 42 researchers wrote. “The [Democratic People’s Republic of Korea] threat actor UNC5342 is reportedly utilizing <a href="https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding" target="_blank" rel="noopener">the EtherHiding technique</a> for malware delivery and cryptocurrency theft. EtherHiding leverages blockchain technology to store and retrieve malicious payloads.”</p><p>They also detected BPFDoor, a Linux backdoor that has been attributed to Red Menshen, which is linked to China’s government, and the Auto-color backdoor across multiple environments.</p><h3><strong>No Time Between Disclosure, Exploitation</strong></h3><p>Mike McGuire, senior security solutions manager at Black Duck, said the use of EtherRAT is telling.</p><p>“The EtherRAT findings show once again that the gap between public disclosure and nation state exploitation is basically zero,” McGuire said. “What stands out is the move away from quick hits like cryptomining toward persistent, stealthy access meant for long-term operations. … The broader takeaway is that attackers will continue to pivot quickly to weaknesses deep in the web application stack. 
Organizations need to assume these vulnerabilities will be targeted immediately and make sure their patching processes, SBOM [software bill of materials]-driven visibility, and monitoring can keep up.”</p><p>In his note, Wiz’s Schindel wrote that findings by his organization include a Python-based secrets-exfiltration cluster masquerading as miner droppers, a post-exploitation Sliver-based command-and-control (C2) infrastructure, and the emergence of EtherRAT backdoor variants.</p><h3><strong>Payloads and Reconnaissance</strong></h3><p>Bitsight’s researchers wrote that most of the requests found in the malicious traffic they detected were structured payloads meant to download and run malware, though some were reconnaissance probes. Much of the traffic came from a data center in Poland, though other probing originated in the United States, Europe, Asia, and South America, “indicating broad global participation in opportunistic exploitation,” they wrote.</p><p>The payloads included Mirai and Mirai-derived loaders and Rondo cryptominer deployments, they wrote, adding that “both types of campaigns align with typical botnet monetization strategies: distributed denial-of-service capability, further worming, and illicit mining.”</p><p>Threat researchers with Huntress <a href="https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell" target="_blank" rel="noopener">wrote</a> that “attackers have attempted to deploy cryptominer malware, a Linux backdoor we’re tracking as PeerBlight, a reverse proxy tunnel we call CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq as part of their post-exploitation activity. 
We also observed a Kaiji botnet variant being distributed through this campaign.”</p><h3><strong>Attacks from All Over the World</strong></h3><p>Researchers with GreyNoise <a href="https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far" target="_blank" rel="noopener">detected</a> 362 unique IP addresses in the five days after React2Shell was disclosed that were trying to exploit the flaw, writing that the “attacks originated from a diverse set of geographic locations, spanning multiple countries and networks. This indicates that React2Shell has attracted attention from a wide range of threat actors, from automated botnets to more capable attackers.”</p><p>Overall, Wiz’s Schindel wrote that they saw a “clear divide between commodity miner ecosystems (C3Pool, Kinsing, custom loaders) and more targeted intrusion sets (Sliver, JS-injector, Python exfil, Rondo).”</p><p>In addition, multiple hackers are using anti-forensics techniques, such as timestamp manipulation and log minimization, which he said suggests that the bad actors are experienced and want to evade security protections.</p><h3><strong>Patching Worries</strong></h3><p>The number of proof-of-concept (POC) exploits is also growing, with VulnCheck saying it’s <a href="https://www.vulncheck.com/blog/reacting-to-shells-react2shell-variants-ecosystem">nearing 100</a>.</p><p>Bugcrowd founder Casey Ellis said that “From an attacker perspective, React2Shell is the kind of vulnerability that affords massive opportunity for crime, but that also has a relatively narrow window for exploitation, partly because of public awareness leading to patching, and partly because of competition amongst threat actors.”</p><p>Both the React team and Vercel, the developer of Next.js, have rolled out fixes to protect against the vulnerability. 
However, Schindel said patching is a concern now, given that half of resources exposed to React2Shell are still unpatched.</p>