GreyNoise Reports Concentrated Exploitation of React Server Components RCE (CVE-2025-55182)
GreyNoise telemetry indicates that exploitation of CVE-2025-55182 in React Server Components has shifted from broad, opportunistic scanning to concentrated, high-volume campaigns. The flaw is described as a pre-authentication RCE with a CVSS score of 10.0 that can be triggered via a single malicious HTTP POST request, making exposed development servers (notably on ports 3000–3002 in addition to 80/443) attractive targets. Between Jan 26 and Feb 2, 2026, GreyNoise observed 1,083 unique sources attempting exploitation, but two IPs accounted for 56% of observed activity, suggesting industrialized automation rather than ad-hoc testing.
Reporting attributes 34% of sessions to 193.142.147[.]209, associated with payloads that open reverse shells back to the scanning host (including use of port 12323), indicating intent for interactive access and potential follow-on pivoting. Another 22% is attributed to 87.121.84[.]24, linked to cryptomining activity (e.g., downloading XMRig from staging infrastructure); one cited staging host is 205.185.127[.]97, associated with attacker-controlled domains (e.g., mased[.]top, mercarios[.]buzz) and adjacent subnet activity reportedly distributing Mirai. Separately, GreyNoise also reported a distinct reconnaissance campaign against Citrix NetScaler/Gateway using tens of thousands of residential proxy IPs to enumerate login panels and version artifacts (e.g., /logon/LogonPoint/index.html and /epa/scripts/win/nsepa_setup.exe), which appears to be pre-exploitation mapping and is not directly tied to the React CVE activity.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
GreyNoise warns exposed, unpatched React systems should be assumed targeted
Following the observed surge in exploitation, GreyNoise warned that organizations running unpatched React Server Components should assume they had been targeted. Defenders were urged to upgrade to fixed React versions or restrict exposure of development ports and unsafe bindings such as 0.0.0.0.
Public Metasploit module released for CVE-2025-55182
A public Metasploit module became available for CVE-2025-55182, enabling pre-authentication RCE via a single malicious HTTP POST request. Its availability increased automation and lowered the barrier to exploitation.
Attackers deploy cryptominers and reverse shells via React flaw
GreyNoise reported that one major campaign used the vulnerability to download and run XMRig cryptomining payloads, while another established reverse shells for interactive control and possible pivoting. The activity targeted common web ports and React development defaults such as ports 3000 through 3002.
GreyNoise observes concentrated exploitation campaigns
Between January 26 and February 2, 2026, GreyNoise telemetry showed exploitation shifting from broad scanning to concentrated, industrial-scale activity. Although 1,083 unique sources probed for the flaw, two IP addresses accounted for 56% of observed malicious sessions.
CVE-2025-55182 disclosed in React Server Components
A critical unauthenticated remote code execution flaw, CVE-2025-55182, affecting multiple React 19.x versions was publicly disclosed. The bug was described as an insecure deserialization issue with maximum severity (CVSS 10.0).
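The source IPs, staging host, domains and ports reported above can be checked against local connection logs. The following is an added example, not code from GreyNoise or Mallory; the six-field record format, the function names and the sample records are constructed assumptions.

```python
# Indicators copied from this page in their defanged form.
PAGE_INDICATORS = {
    "193.142.147[.]209": "exploit source (reverse shells)",
    "87.121.84[.]24": "exploit source (cryptomining)",
    "205.185.127[.]97": "payload staging host",
    "mased[.]top": "attacker-controlled domain",
    "mercarios[.]buzz": "attacker-controlled domain",
}
REVERSE_SHELL_PORT = 12323                  # callback port named in the report
TARGET_PORTS = {80, 443, 3000, 3001, 3002}  # web ports and React dev defaults

def refang(ioc):
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".")

INDICATORS = {refang(k): v for k, v in PAGE_INDICATORS.items()}

def indicator_for(host):
    """Return the matched indicator for host (exact or subdomain), else None."""
    host = host.lower().rstrip(".")
    for ioc in INDICATORS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def triage(lines):
    """Assumed record format: '<ts> <in|out> <src> <dst> <dport> <method|->'."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 6 or not fields[4].isdigit():
            continue  # skip malformed records instead of crashing
        _, direction, src, dst, dport, method = fields
        port = int(dport)
        if direction == "in" and method == "POST" and port in TARGET_PORTS and indicator_for(src):
            findings.append((lineno, "exploit-attempt", src))
        elif direction == "out" and indicator_for(dst):
            findings.append((lineno, "indicator-contact", dst))
        elif direction == "out" and port == REVERSE_SHELL_PORT:
            findings.append((lineno, "port-12323-egress", dst))  # weak signal alone
    return findings

# Constructed sample records; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE = [
    "2026-01-28T10:00:01Z in 193.142.147.209 192.0.2.10 3000 POST",
    "2026-01-28T10:00:02Z in 198.51.100.7 192.0.2.10 443 GET",
    "2026-01-28T10:00:05Z out 192.0.2.10 193.142.147.209 12323 -",
    "2026-01-28T10:03:11Z out 192.0.2.11 mased.top 80 GET",
    "2026-01-28T10:04:00Z out 192.0.2.12 203.0.113.50 12323 -",
    "malformed line",
]
```

An outbound hit following an inbound exploit attempt against the same host is the pairing to prioritize; egress on port 12323 with no other indicator is only a lead.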
Sources
React Under Siege: Two IPs Drive 56% of Critical CVE-2025-55182 Attacks
securityonline.info
Hackers Exploiting React Server Components Vulnerability in the Wild to Deploy Malicious Payloads
cybersecuritynews.com


