Exploitation of React2Shell Vulnerability by Botnets and Threat Actors
A critical unauthenticated remote code execution (RCE) vulnerability, identified as React2Shell (CVE-2025-55182), was disclosed in December 2025, affecting applications built with React Server Components and related frameworks such as Next.js. Public proof-of-concept exploits were released shortly after disclosure, enabling attackers to inject and execute arbitrary code on vulnerable systems. Security researchers and vendors, including Sysdig, responded by publishing detection guidance and threat bulletins, urging organizations to patch affected software, update dependencies, and monitor for signs of compromise. The vulnerability's severity and ease of exploitation have made it a high-priority target for both opportunistic and advanced threat actors.
Notably, botnet operators, including those behind the RondoDox botnet, have begun actively targeting the React2Shell flaw to compromise systems at scale. Security advisories recommend immediate patching and enhanced monitoring, as exploitation attempts have increased rapidly following the public release of exploit code. The incident underscores the ongoing risk posed by supply chain and framework vulnerabilities, especially when widely used components are affected and attackers move quickly to weaponize new flaws.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Kubernetes 1.35 introduced security improvements
During December 2025, Kubernetes version 1.35 was released with security improvements highlighted as part of the month's notable defensive developments.
DDoS attack disrupted French postal and banking services
In December 2025, a distributed denial-of-service attack caused service disruptions affecting French postal and banking services.
European Space Agency disclosed a breach with data theft
In December 2025, the European Space Agency suffered a breach that resulted in significant data theft, although network segmentation reportedly limited the overall impact.
Sysdig identified EtherRAT campaign using Ethereum smart contracts for C2
In December 2025, Sysdig's Threat Research Team identified EtherRAT, a multi-stage malware campaign that used Ethereum smart contracts for command-and-control and exploited React2Shell for access.
React2Shell flaw emerged as a critical remote code execution risk
In December 2025, React2Shell (CVE-2025-55182) in React Server Components was identified as enabling unauthenticated remote code execution, prompting urgent patching and monitoring recommendations.
BRICKSTORM activity targeted Linux cloud environments
In December 2025, the BRICKSTORM backdoor, attributed to China state-sponsored actors, targeted Linux-based cloud environments in critical sectors using advanced evasion and persistence techniques.
MongoBleed vulnerability was actively exploited at scale
During December 2025, attackers actively exploited MongoBleed (CVE-2025-14847), a long-standing MongoDB vulnerability, to leak sensitive data from tens of thousands of exposed instances.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Exploitation of React2Shell Vulnerability (CVE-2025-55182) in IoT and Web Applications
A critical security vulnerability, React2Shell (CVE-2025-55182), affecting React Server Components and Next.js, has been widely exploited by both state-sponsored and criminal threat actors. The flaw enables unauthenticated remote code execution, making it a prime target for ransomware groups, botnet operators, and espionage campaigns throughout 2025. Notably, the RondoDox botnet leveraged this vulnerability in a persistent nine-month campaign to compromise IoT devices and web applications, enrolling tens of thousands of systems into its network. According to Shadowserver Foundation data, over 84,000 instances remained vulnerable as of early January 2026, with the majority located in the United States. PolySwarm's annual review highlights React2Shell as the year's most significant exploit, noting its rapid weaponization by both nation-state actors and cybercriminals. Ransomware groups such as Cl0p and Qilin used zero-day exploits, including React2Shell, to target enterprises, government, and healthcare sectors. The widespread abuse of this vulnerability underscores the urgent need for organizations to patch affected systems and monitor for signs of compromise, as attackers continue to exploit trusted software components for initial access and lateral movement.
Mar 21, 2026
React2Shell Remote Code Execution Vulnerability in React 19 and Next.js
A critical remote code execution vulnerability, dubbed **React2Shell**, was discovered in the React 19 library, specifically affecting React Server Components. The flaw allows unauthenticated attackers to execute arbitrary code on servers by sending crafted requests, making it a severe risk for organizations using default React and Next.js deployments. Within hours of public disclosure, security firms including Google’s Threat Intelligence Group and AWS confirmed active exploitation in the wild, highlighting the shrinking window between vulnerability awareness and real-world attacks. Researchers from Wiz and Unit 42 demonstrated that even clean, default deployments were susceptible, emphasizing the widespread impact due to the popularity of these frameworks. Threat actors rapidly weaponized the React2Shell vulnerability, with the RondoDoX botnet launching automated exploitation campaigns targeting both web applications and IoT devices. CloudSEK’s analysis of command and control logs revealed a multi-month campaign, with a significant spike in attacks following the vulnerability’s disclosure in December 2025. The RondoDoX botnet deployed various payloads, including web shells and cryptominers, and quickly adapted its infrastructure in response to security firm reports. Organizations with technology stacks overlapping the targeted vectors were promptly alerted, underscoring the urgent need for patching and monitoring in environments using React 19 and Next.js.
Mar 21, 2026
React2Shell RCE in React Server Components Triggers Active Exploitation
A severe remote code execution vulnerability tracked as **`CVE-2025-55182`** was disclosed in **React Server Components** and quickly became known as **React2Shell**, with reporting indicating that exploitation spread soon after public disclosure. Security coverage from eSentire, BitSight, and Computer Weekly described the flaw as affecting React and Next.js environments, warned defenders to assess internet-exposed applications, and noted that attackers were moving from proof-of-concept activity toward broader exploitation. Public GitHub repositories rapidly appeared with exploit code, scanners, and remediation-focused projects, including tools explicitly labeled for **`CVE-2025-55182`** and **React2Shell** detection or exploitation. Repositories such as **`React2Shell-PoC`**, multiple **PoC scanners**, auto-exploit projects, and checkers lowered the barrier to weaponization, while at least one repository advertised fixes for React 19 users. The volume and speed of public tooling indicate that organizations running React Server Components or Next.js services faced immediate pressure to identify exposed systems, apply vendor fixes, and monitor for signs of remote code execution attempts.
May 25, 2026