Active Exploitation of React2Shell (CVE-2025-55182) in React Server Components
Threat actors are actively exploiting React2Shell (CVE-2025-55182), a critical remote code execution flaw in the Flight protocol used for client-server communication in React Server Components. The issue is attributed to insecure deserialization that can allow unauthorized code execution on vulnerable servers, with observed targeting across insurance, e-commerce, and IT organizations. Reported payloads include the XMRig cryptocurrency miner as well as multiple botnets and remote access tooling; campaigns observed against Russian entities deployed RustoBot and Kaiji, while other activity distributed malware such as CrossC2, Tactical RMM, VShell, and EtherRAT.
Affected packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0, 19.1.0, 19.1.1, and 19.2.0, with fixes available in 19.0.1, 19.1.2, and 19.2.1. Separate reporting highlighted that attackers leveraged a public proof-of-concept (PoC) for React2Shell and began targeting organizations within hours, reinforcing that rapid weaponization is now common; defenders are advised to patch and also perform post-patch validation, including checking for indicators of compromise, verifying Next.js and dependency versions, rebuilding projects after updates, and confirming lockfiles no longer reference vulnerable package versions.
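One way to carry out the lockfile check described above, as an added example that is not the article's or the React project's code: it scans a package-lock.json in the npm v2/v3 "packages" layout (the sample lockfile is constructed) and treats the article's "19.0" as the npm release 19.0.0.

```javascript
// Added example, not code from the article or the React project: scan an npm
// package-lock.json (v2/v3 "packages" layout) for the React Server Components
// packages the article lists as affected by CVE-2025-55182 and report the first
// fixed release of each 19.x line (19.0.1, 19.1.2, 19.2.1).
const RSC_PACKAGES = new Set(['react-server-dom-webpack',
  'react-server-dom-parcel', 'react-server-dom-turbopack']);
// First patched release per minor line; earlier versions in that line are
// affected (the article's "19.0" is the npm release 19.0.0).
const FIXED_IN = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(v || '');
  return m && { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] !== undefined };
}

// Affected when the version precedes the fix in its minor line; a prerelease of
// the fixed patch level (e.g. 19.2.1-canary-...) still precedes the fix.
function isAffected(version) {
  const v = parseSemver(version);
  const fixed = v && FIXED_IN[`${v.major}.${v.minor}`];
  if (!fixed) return false;
  const f = parseSemver(fixed);
  return v.patch < f.patch || (v.patch === f.patch && v.pre);
}

// Lockfile keys are node_modules paths; the package name is everything after the
// last "node_modules/" (which also keeps scoped names like @scope/pkg intact).
function findAffectedRsc(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project's own entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!RSC_PACKAGES.has(name) || !isAffected(meta.version)) continue;
    const v = parseSemver(meta.version);
    hits.push({ name, version: meta.version, path, fixedIn: FIXED_IN[`${v.major}.${v.minor}`] });
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level copy, an affected copy nested
// under another dependency (easy to miss with a top-level check), and an unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/some-bundler/node_modules/react-server-dom-turbopack': { version: '19.1.1' },
    'node_modules/react': { version: '19.2.0' },
  },
};
console.log(findAffectedRsc(SAMPLE_LOCK));
```

Running it against a real lockfile means replacing SAMPLE_LOCK with the parsed contents of the project's package-lock.json; a non-empty result means the rebuild after updating did not fully clear the vulnerable versions.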

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
BI.ZONE details active React2Shell exploitation and malware variants
Reporting on active exploitation of CVE-2025-55182 described region-specific payloads, with Russian targets seeing RustoBot and Kaiji and other regions seeing CrossC2/Cobalt Strike, Tactical RMM, VShell, EtherRAT, and Sliver. Researchers also documented persistence via systemd and cron, anti-forensics, and DNS-tunneled exfiltration in some cases.
Patches released for affected React Server Components packages
Patched releases were made available for vulnerable React Server Components packages affected by CVE-2025-55182, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack across several 19.x versions. Despite the fixes, later reporting said exploitation continued against unpatched deployments.
Darktrace detects World Leaks intrusion at healthcare organization
In January 2026, Darktrace detected a World Leaks intrusion at a healthcare organization involving command-and-control via Cloudflare Tunnel and suspicious external IPs, plus exfiltration to MEGA and Backblaze. The incident was notable because the affiliate both exfiltrated data and encrypted systems, contradicting World Leaks' claimed extortion-only model.
GTIG links React2Shell exploitation to China- and Iran-nexus actors
Google Threat Intelligence Group reported widespread exploitation of CVE-2025-55182 beginning the previous week, involving multiple espionage and financially motivated clusters. GTIG said China-nexus groups UNC6600 and UNC6603 deployed tools including MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX, noted likely Iran-nexus participation, and published hunting IOCs and mitigation guidance.
Attackers begin exploiting React2Shell against organizations
Campaigns exploiting CVE-2025-55182 ("React2Shell") were first observed in December 2025, targeting organizations including insurance, e-commerce, and IT entities. Reports describe rapid weaponization after vulnerability details became public and use of payloads such as XMRig, botnets, and remote access tools.
World Leaks likely compromises healthcare victim via Fortigate
Darktrace said a January 2026 healthcare intrusion linked to World Leaks likely began with the compromise of a Fortigate appliance in October 2025. The attackers then used compromised credentials and later moved through the environment using tools and protocols including PsExec, WinRM, RDP, SMB, and SSH.
Sources
React2Shell Vulnerability CVE-2025-55182 Actively Exploited (thecyberexpress.com)
Attackers Exploiting React2Shell Vulnerability to Attack IT Sectors (cybersecuritynews.com)
The case for publishing proof-of-concept code in an AI world | SC Media (scworld.com)
Multiple Threat Actors Race to Exploit React2Shell Across Espionage and Criminal Operations - Austin Larsen (austinlarsen.me)


