Mallory

GreyNoise Reports Concentrated Exploitation of React Server Components RCE (CVE-2025-55182)

Tags: exploit, react server components, reverse shell, port scanning, greynoise, react, development servers, citrix netscaler, citrix gateway, vulnerability, rce, cryptomining, xmrig, login panels, http post

Updated February 4, 2026 at 05:16 AM · 2 sources

GreyNoise telemetry indicates that exploitation of CVE-2025-55182 in React Server Components has shifted from broad, opportunistic scanning to concentrated, high-volume campaigns. The flaw is described as a pre-authentication RCE with a CVSS score of 10.0 that can be triggered by a single malicious HTTP POST request, making exposed development servers (notably on ports 3000–3002, in addition to 80/443) attractive targets. Between Jan 26 and Feb 2, 2026, GreyNoise observed 1,083 unique sources attempting exploitation, but two IPs accounted for 56% of observed activity, suggesting industrialized automation rather than ad-hoc testing.

Reporting attributes 34% of sessions to 193.142.147[.]209, associated with payloads that open reverse shells back to the scanning host (including use of port 12323), indicating intent for interactive access and potential follow-on pivoting. Another 22% is attributed to 87.121.84[.]24, linked to cryptomining activity (e.g., downloading XMRig from staging infrastructure); one cited staging host is 205.185.127[.]97, associated with attacker-controlled domains (e.g., mased[.]top, mercarios[.]buzz) and adjacent subnet activity reportedly distributing Mirai. Separately, GreyNoise also reported a distinct reconnaissance campaign against Citrix NetScaler/Gateway using tens of thousands of residential proxy IPs to enumerate login panels and version artifacts (e.g., /logon/LogonPoint/index.html and /epa/scripts/win/nsepa_setup.exe), which appears to be pre-exploitation mapping and is not directly tied to the React CVE activity.

Related Stories

Rapid Post-Disclosure Exploitation of Critical RCE Vulnerabilities


Security teams reported rapid, opportunistic exploitation of newly disclosed **unauthenticated remote code execution (RCE)** flaws, with attackers moving quickly from scanning to compromise. JPCERT/CC documented active compromise following disclosure of **React2Shell** in React Server Components (**CVE-2025-55182**), where multiple threat actors exploited the same exposed environment within days—initially dropping coin miners (e.g., `xmrig`), then deploying additional payloads including the **HISONIC** backdoor, **SNOWLIGHT** downloader, and **CrossC2**, and culminating in actions like cron-based persistence and website defacement. Separately, GreyNoise telemetry cited by BleepingComputer indicated that exploitation of two critical Ivanti Endpoint Manager Mobile (EPMM) RCEs (**CVE-2026-21962**, **CVE-2026-24061**) was heavily concentrated, with a single bulletproof-hosted source IP (193[.]24[.]123[.]42, PROSPERO OOO/AS200593) responsible for **83%** of observed activity and widespread use of OAST-style DNS callbacks consistent with initial-access validation. Several other items in the set were not tied to a single, specific exploitation event. A Help Net Security “week in review” roundup mixed interviews and assorted security items (including mention of an exploited BeyondTrust RCE) without providing a cohesive, single-incident account, while an NCSC-themed weekly highlights post primarily summarized guidance and calls for participation rather than detailing a discrete compromise. A CloudATG “insights” page contained unrelated, older recap and generic security content, and a Risky Business bulletin focused on law-enforcement developments around **IcedID** operators (including an alleged developer faking his death) rather than vulnerability exploitation activity.

1 month ago
Active Exploitation of Ivanti EPMM Flaws Used to Seed Dormant Backdoors and Validate RCE


Active exploitation is targeting **Ivanti Endpoint Manager Mobile (EPMM)** via two critical vulnerabilities—`CVE-2026-1281` (authentication bypass) and `CVE-2026-1340` (remote code execution)—with activity consistent with **initial access broker (IAB)** tradecraft rather than immediate ransomware-style monetization. Reporting indicates attackers are using exploitation to establish footholds and validate access at scale, then disengaging, suggesting the objective is to inventory and package working access for later activation or resale. Post-exploitation behavior described in research includes deployment of a **dormant, in-memory Java class loader** backdoor that is left inactive until a specific trigger is received, with an observed web-accessible artifact at `/mifs/403.jsp`. Separately, GreyNoise telemetry attributes **83% of observed Ivanti exploitation** to a single IP hosted on **bulletproof infrastructure** (PROSPERO OOO, `AS200593`) that is missing from widely circulated IOC lists, while several heavily shared “IOCs” appear to be unrelated (e.g., Windscribe VPN exit nodes primarily scanning **Oracle WebLogic** on port `7001`). GreyNoise also observed prevalent “blind” RCE verification using **OAST DNS callbacks** (rather than immediate payload deployment), reinforcing the assessment that operators are confirming exploitability and staging for follow-on access rather than executing overt actions immediately.

1 month ago
Active Exploitation of React2Shell (CVE-2025-55182) in React Server Components


Threat actors are actively exploiting **React2Shell** (**CVE-2025-55182**), a critical remote code execution flaw in the Flight protocol used for client-server communication in **React Server Components**. The issue is attributed to **insecure deserialization** that can allow unauthorized code execution on vulnerable servers, with observed targeting across insurance, e-commerce, and IT organizations. Reported payloads include the **XMRig** cryptocurrency miner as well as multiple botnets and remote access tooling; campaigns observed against Russian entities deployed **RustoBot** and **Kaiji**, while other activity distributed malware such as **CrossC2**, **Tactical RMM**, **VShell**, and **EtherRAT**. Affected packages include `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` in versions **19.0**, **19.1.0**, **19.1.1**, and **19.2.0**, with fixes available in **19.0.1**, **19.1.2**, and **19.2.1**. Separate reporting highlighted that attackers leveraged a **public proof-of-concept (PoC)** for React2Shell and began targeting organizations within hours, reinforcing that rapid weaponization is now common; defenders are advised to patch and also perform post-patch validation, including checking for indicators of compromise, verifying *Next.js* and dependency versions, rebuilding projects after updates, and confirming lockfiles no longer reference vulnerable package versions.
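
The lockfile check recommended above, as an added example (not code from the report or from the React project): it walks a parsed `package-lock.json` and flags any `react-server-dom-*` entry, including nested copies under other dependencies, whose version is still in the affected range. The version logic generalizes the listed releases to "19.<minor>.x below the fixed patch for that minor line"; the sample lockfile and the `some-framework` package name are constructed.

```javascript
// Added example, not code from the GreyNoise report or the React project: flag
// react-server-dom-* entries in a parsed package-lock.json (lockfileVersion 2/3,
// "packages" map) that still sit in the React2Shell-affected range.
// Report: affected 19.0, 19.1.0, 19.1.1, 19.2.0; fixed 19.0.1, 19.1.2, 19.2.1.
// Assumption: generalised to "19.<minor>.x below the fixed patch for that minor line".
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack',
]);
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 }; // minor line -> first patched release

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True for a 19.x release older than the fix published for its minor line.
function isVulnerableVersion(version) {
  const parsed = parseVersion(version);
  if (!parsed) return false; // missing or non-semver strings are not judged here
  const [major, minor, patch] = parsed;
  return major === 19 && minor in FIXED_PATCH && patch < FIXED_PATCH[minor];
}

// Walks every installed path in the lockfile, including nested copies under other
// packages, and returns the affected ones with their versions.
function findVulnerableRscPackages(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // npm records "name" only for aliased installs; otherwise derive it from the path.
    const name = meta.name || path.split('node_modules/').pop();
    if (AFFECTED_PACKAGES.has(name) && isVulnerableVersion(meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level webpack build was patched, but a
// nested turbopack copy under a (made-up) dependency still resolves to 19.2.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/some-framework/node_modules/react-server-dom-turbopack': { version: '19.2.0' },
  },
};

console.log(findVulnerableRscPackages(SAMPLE_LOCK));
```

Run it against the real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result after `npm install` is the "lockfile no longer references vulnerable versions" condition the guidance describes.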

1 month ago
