React2Shell RCE in React Server Components Drives Mass Server Compromise
Threat actors are actively exploiting React2Shell, a critical remote code execution flaw in React Server Components tracked as CVE-2025-55182, with related exposure also noted in Next.js as CVE-2025-66478. The bug stems from insecure deserialization in the React Server Components Flight protocol and allows unauthenticated attackers to upload malicious payloads and execute arbitrary code on vulnerable internet-facing servers. Public disclosure was quickly followed by advisories, proof-of-concept code, and reports of broad exploitation, while Microsoft and other researchers said hundreds of machines had already been hacked.
Follow-on campaigns have been widespread and largely opportunistic, ranging from credential-harvesting operations to malware deployment against organizations in multiple sectors and regions. Cisco Talos-linked reporting said at least 766 servers were compromised by an automated campaign that stole SSH keys, cloud tokens, API keys, Kubernetes and GitHub credentials, Docker metadata, and other environment secrets, including keys tied to AI platforms and payment services. Other investigations tied exploitation to XMRig, RustoBot, Kaiji, Sliver, CrossC2, Tactical RMM, VShell, and EtherRAT, along with persistence, reconnaissance, DNS-based exfiltration, and SSH key installation, underscoring how rapidly the vulnerability was weaponized after disclosure.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Cisco Talos links React2Shell to automated credential-harvesting campaign
Cisco Talos reported a widespread automated campaign exploiting internet-facing vulnerable React Server Components instances, attributing activity to UAT-10608. The payload harvested credentials, SSH keys, cloud tokens, API keys, and other secrets, with at least 766 servers compromised across multiple regions.
Threat activity around React2Shell undergoes a significant shift
Reporting in early February 2026 indicated a notable change in how threat actors were exploiting React2Shell. This suggests the campaign evolved beyond its initial exploitation patterns.
Microsoft reports hundreds of machines hacked via React2Shell
By mid-December, Microsoft counted hundreds of compromised machines tied to React2Shell exploitation, indicating the campaign had scaled significantly. This represented a major escalation in observed impact.
Attackers exploit React2Shell against organizations in December 2025
BI.ZONE reported that adversaries exploited React2Shell during December 2025, including attacks on Russian companies in the insurance, e-commerce, and IT sectors. Observed post-exploitation included XMRig, RustoBot, Kaiji, Sliver, CrossC2, Tactical RMM, VShell, EtherRAT, persistence, and DNS-based exfiltration.
Active exploitation of React2Shell is reported
Threat researchers reported that CVE-2025-55182 was being actively exploited in the wild. This established that the vulnerability had moved from disclosure into real-world attacks.
JPCERT/CC issues advisory on React Server Components flaw
JPCERT/CC published an advisory covering CVE-2025-55182 in React Server Components. The advisory reflects formal defender awareness and guidance around the vulnerability.
Proof-of-concept exploit for React2Shell is released on GitHub
A GitHub repository published a proof-of-concept script for CVE-2025-55182, demonstrating exploitation of the React SSR/RSC remote code execution flaw. Public exploit code likely lowered the barrier for attackers to weaponize the bug.
Researchers publish broader technical analysis of React2Shell and related CVEs
A detailed write-up described React2Shell as a critical RCE affecting React Server Components and Next.js, including CVE-2025-55182 and CVE-2025-66478. The publication expanded public technical understanding of the flaw and affected ecosystem.
CVE-2025-55182 vulnerability record is published
A public CVE entry for CVE-2025-55182 appeared, identifying the React Server Components server-side remote code execution issue later dubbed React2Shell. This marks the earliest public disclosure point visible in the references.
Sources
9 references tracked.
1. React2Shell vulnerability helps hackers steal credentials, AI platform keys and other sensitive data | Cybersecurity Dive (cybersecuritydive.com)
2. React2Shell exploitation undergoes significant change in threat activity | Cybersecurity Dive (cybersecuritydive.com)
3. Adversaries exploit CVE-2025-55182 to attack Russian companies | BI.ZONE | Medium (bi-zone.medium.com)
4. About the React Server Components vulnerability (CVE-2025-55182) | JPCERT/CC (jpcert.or.jp)
5. React2Shell: Microsoft counts hundreds of hacked machines | The Register (theregister.com)
6. React2Shell (CVE-2025-55182) actively exploited by threat actors | Ctrl-Alt-Intel (ctrlaltintel.com)
7. GitHub - Darker-Ink/react-ssr-vulnerability: This is a POC script for CVE-2025-55182 (React SSR RCE) (github.com)
8. Severe Remote Code Execution Flaw Found in React Server Components | eSentire (esentire.com)
9. CVE discovery | HackerOne (hackerone.com)