React2Shell (CVE-2025-55182): Mass Exploitation of React Server Components and Next.js Threatens 77,000 Systems and 30+ Organizations

  • Rescana
  • Dec 7
  • 5 min read

Executive Summary

The React2Shell vulnerability, tracked as CVE-2025-55182, represents a critical unauthenticated remote code execution (RCE) flaw in React Server Components and frameworks such as Next.js. This vulnerability is being actively exploited in the wild, with over 77,000 Internet-exposed IP addresses confirmed as vulnerable and at least 30 organizations already breached. The exploitation campaign is notable for its rapid weaponization by advanced persistent threat (APT) groups, particularly those linked to Chinese state interests. Attackers are leveraging the flaw to gain initial access, deploy sophisticated malware, and conduct credential theft and lateral movement. Immediate patching and comprehensive incident response are imperative for all organizations utilizing affected versions of React and Next.js.

Threat Actor Profile

The exploitation of React2Shell has been attributed to several high-profile Chinese APT groups, including Earth Lamia, Jackpot Panda, and UNC5174/CL-STA-1015. These groups are known for their advanced capabilities in exploiting public-facing applications and for their focus on sectors such as finance, logistics, retail, IT, academia, and government. Their tactics, techniques, and procedures (TTPs) align with MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1105 (Ingress Tool Transfer), T1071 (Application Layer Protocol), and T1078 (Valid Accounts). These actors utilize large-scale anonymization networks to obfuscate their infrastructure and often share command-and-control (C2) resources across campaigns. Their objectives include credential theft, persistent access, and data exfiltration, with a particular emphasis on cloud and SaaS environments.

Technical Analysis of Malware/TTPs

React2Shell (CVE-2025-55182) is a deserialization vulnerability in React Server Components and in frameworks built on them, such as Next.js. The flaw arises from unsafe deserialization of client-controlled data: an unauthenticated attacker can send a single specially crafted HTTP request that triggers arbitrary code execution on the server. Affected packages are react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack in versions 19.0.0 through 19.2.0, and Next.js in the following ranges (lower bound inclusive, upper bound not included): 15.0.0 to 15.0.5, 15.1.0 to 15.1.9, 15.2.0 to 15.2.6, 15.3.0 to 15.3.6, 15.4.0 to 15.4.8, 15.5.0 to 15.5.7, 15.6.0 (including all canary builds), and 16.0.0 to 16.0.7.
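As an added example (not Rescana's code, nor the React or Next.js projects'), the version ranges above transcribed into a check that can be run over a package-lock.json "packages" map; the lockfile layout and the semver-style handling of prerelease tags are assumptions noted in the comments.

```javascript
// Added example, not Rescana's code: flag package versions that fall in the
// CVE-2025-55182 affected ranges quoted in this advisory (verify upstream).
// Parse "MAJOR.MINOR.PATCH[-prerelease]"; a leading "v" is tolerated.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] || null };
}
// Semver-style compare on the numeric core; a prerelease sorts below the
// same core, so 15.0.5-canary.1 is older than (and still inside) <15.0.5.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  return (a.pre ? 0 : 1) - (b.pre ? 0 : 1);
}
// Ranges are [min, max) unless maxInclusive; exactCore matches every build
// whose MAJOR.MINOR.PATCH equals it, which covers the 15.6.0 canary builds.
const RSC = [{ min: '19.0.0', max: '19.2.0', maxInclusive: true }];
const AFFECTED = {
  'react-server-dom-webpack': RSC,
  'react-server-dom-parcel': RSC,
  'react-server-dom-turbopack': RSC,
  next: [
    { min: '15.0.0', max: '15.0.5' }, { min: '15.1.0', max: '15.1.9' },
    { min: '15.2.0', max: '15.2.6' }, { min: '15.3.0', max: '15.3.6' },
    { min: '15.4.0', max: '15.4.8' }, { min: '15.5.0', max: '15.5.7' },
    { exactCore: '15.6.0' }, { min: '16.0.0', max: '16.0.7' },
  ],
};
// True when `version` of `pkg` is in an affected range. Packages not in the
// table return false: they are out of scope here, not proven safe.
function isAffected(pkg, version) {
  const rules = AFFECTED[pkg];
  if (!rules) return false;
  const v = parseVersion(version);
  return rules.some((r) => {
    if (r.exactCore) return v.core.join('.') === r.exactCore;
    const aboveMin = compareVersions(v, parseVersion(r.min)) >= 0;
    const vsMax = compareVersions(v, parseVersion(r.max));
    return aboveMin && (r.maxInclusive ? vsMax <= 0 : vsMax < 0);
  });
}

// Walk a package-lock.json "packages" map (assumed layout: keys like
// "node_modules/next" with a "version" field) and list "name@version" hits.
function findAffected(lockPackages) {
  return Object.entries(lockPackages)
    .map(([path, info]) => [path.replace(/^.*node_modules\//, ''), info.version])
    .filter(([name, ver]) => ver && isAffected(name, ver))
    .map(([name, ver]) => `${name}@${ver}`);
}
```

The lockfile check only covers the packages named in this advisory; a clean result means none of those packages is in a listed range, not that the deployment is patched.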

The attack chain typically begins with reconnaissance and exploitation via a single HTTP POST request containing malicious payloads in headers such as next-action or rsc-action-id. Upon successful exploitation, attackers execute PowerShell or shell commands to validate RCE, such as powershell -c "40138*41979". Subsequent stages involve the delivery of base64-encoded PowerShell scripts, which download and execute second-stage payloads from attacker-controlled infrastructure (e.g., 23.235.188.3). Deployed malware includes Cobalt Strike Beacon for post-exploitation and lateral movement, Snowlight as a malware dropper, and Vshell as a persistent backdoor. Attackers also perform reconnaissance commands (whoami, id, reading /etc/passwd) and attempt to access cloud credentials, particularly AWS configuration files.

Network indicators include outbound connections to known malicious IPs, HTTP POST requests with specific headers, and anomalous request bodies containing $@ or "status":"resolved_model". Host-based indicators involve unexpected process creation by Node.js or React application processes, suspicious file writes to /tmp/, and execution of credential theft or enumeration commands.

Exploitation in the Wild

Exploitation of React2Shell began within hours of public disclosure on December 3, 2025, following the release of a proof-of-concept (PoC) by security researcher Maple3142. Mass scanning and exploitation have been observed globally, with 77,664 vulnerable IPs detected, including 23,700 in the United States. Attack traffic has originated from infrastructure in the Netherlands, China, the US, Hong Kong, and other regions, with 181 unique IPs observed conducting exploitation attempts within a 24-hour window (as reported by GreyNoise).

Attackers have demonstrated a high degree of automation and sophistication, rapidly integrating the PoC into their toolchains. Initial access is often established via simple arithmetic PowerShell commands to test for RCE, followed by the deployment of more complex payloads. The use of Cobalt Strike, Snowlight, and Vshell enables attackers to maintain persistence, escalate privileges, and move laterally within compromised environments. There is evidence of targeted credential theft, particularly of AWS credentials, and attempts to exfiltrate sensitive data.

Victimology and Targeting

At least 30 organizations have been confirmed breached, with victims spanning cloud service providers, SaaS platforms, financial institutions, logistics companies, retailers, IT firms, universities, and government agencies. The geographic distribution of victims is global, with significant concentrations in the United States, Latin America, the Middle East, Southeast Asia, and East Asia. The targeting patterns of Earth Lamia and Jackpot Panda suggest a focus on organizations with high-value data and critical infrastructure, as well as those operating in regions of strategic interest to Chinese state actors.

The attackers' objectives include initial access for further exploitation, credential harvesting (especially cloud credentials), establishment of persistent access via backdoors, lateral movement across internal networks, and exfiltration of sensitive data. The use of anonymization networks and shared infrastructure complicates attribution and increases the risk of widespread, opportunistic exploitation.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by React2Shell. Organizations must update React and all affected frameworks, including Next.js, to the latest patched versions as released by the respective vendors. All applications utilizing React Server Components should be rebuilt and redeployed to ensure that patched libraries are in use.

Security teams should review server and application logs for evidence of suspicious PowerShell or shell command execution, particularly commands matching known exploitation patterns. Monitoring for outbound connections to malicious IP addresses such as 23.235.188.3 is critical. Detection of Cobalt Strike, Snowlight, Vshell, or other post-exploitation tools should trigger immediate incident response procedures.

Network monitoring should include inspection for HTTP POST requests with next-action or rsc-action-id headers and anomalous request bodies. Host-based monitoring should focus on unexpected process creation, file writes to /tmp/, and execution of enumeration or credential theft commands.
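The network and host indicators from the Technical Analysis section and the monitoring guidance above, turned into a small scoring function as an added example (not Rescana's code). The HTTP and host event shapes and the sample telemetry are constructed for this example; map your own proxy, WAF or EDR fields onto them.

```javascript
// Added example, not Rescana's code: run the React2Shell network and host
// indicators quoted in this advisory over constructed sample events. The
// event shapes are assumptions; map your own proxy/EDR telemetry onto them.
const KNOWN_BAD_IPS = new Set(['23.235.188.3']);           // from the advisory
const ACTION_HEADERS = ['next-action', 'rsc-action-id'];
const BODY_MARKERS = ['$@', '"status":"resolved_model"'];
// Arithmetic RCE probe (e.g. powershell -c "40138*41979") or an encoded script.
const PROBE_RE = /(?:powershell|pwsh|sh|bash)(?:\.exe)?\s+-c\s+"?\s*\d+\s*\*\s*\d+/i;
const ENCODED_RE = /powershell(?:\.exe)?\b.*\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}/i;
// HTTP event: { method, headers: { name: value }, body }. Returns
// { severity, reasons }: a server-action header alone is normal RSC traffic,
// so it only becomes "high" together with a payload marker in the body.
function scoreHttpEvent(ev) {
  const reasons = [];
  const names = Object.keys(ev.headers || {}).map((h) => h.toLowerCase());
  const action = ACTION_HEADERS.filter((h) => names.includes(h));
  if (ev.method === 'POST' && action.length) reasons.push(`POST with ${action.join(',')} header`);
  const body = ev.body || '';
  for (const m of BODY_MARKERS) if (body.includes(m)) reasons.push(`body contains ${m}`);
  const severity = reasons.length === 0 ? 'none'
    : reasons.some((r) => r.startsWith('body')) ? 'high' : 'low';
  return { severity, reasons };
}
// Host event: { parentImage, commandLine, dstIp }. Flags a Node.js parent
// spawning an exploitation-probe shell, or a connection to the advisory's C2.
function scoreHostEvent(ev) {
  const reasons = [];
  const parent = (ev.parentImage || '').toLowerCase();
  const cmd = ev.commandLine || '';
  const nodeParent = /(^|[\\/])node(\.exe)?$/.test(parent);
  if (nodeParent && PROBE_RE.test(cmd)) reasons.push('node spawned arithmetic RCE probe');
  if (nodeParent && ENCODED_RE.test(cmd)) reasons.push('node spawned encoded PowerShell');
  if (ev.dstIp && KNOWN_BAD_IPS.has(ev.dstIp)) reasons.push(`connection to known bad IP ${ev.dstIp}`);
  return { severity: reasons.length ? 'high' : 'none', reasons };
}
// Constructed sample telemetry for a stand-alone run.
const SAMPLE_HTTP = [
  { method: 'POST', headers: { 'Next-Action': 'a1b2' }, body: '["ok"]' },
  { method: 'POST', headers: { 'rsc-action-id': 'x' }, body: '{"status":"resolved_model"} $@' },
];
const SAMPLE_HOST = [
  { parentImage: 'C:\\Program Files\\nodejs\\node.exe', commandLine: 'powershell -c "40138*41979"' },
  { parentImage: '/usr/bin/node', commandLine: 'sh -c id', dstIp: '23.235.188.3' },
  { parentImage: '/usr/bin/python3', commandLine: 'powershell -c "1*2"' },
];
function runSamples() {
  return { http: SAMPLE_HTTP.map(scoreHttpEvent), host: SAMPLE_HOST.map(scoreHostEvent) };
}
```

Legitimate server actions also arrive as POSTs with a next-action header, so the header alone is scored low; the body markers and the node-spawns-shell pattern are what separate exploitation from ordinary RSC traffic.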

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that US federal agencies patch affected systems by December 26, 2025. Organizations using AWS WAF are advised to enable the AWSManagedRulesKnownBadInputsRuleSet v1.24 or later for interim protection.

Comprehensive incident response should include forensic analysis of potentially compromised systems, credential rotation (especially for cloud and privileged accounts), and review of network and cloud access logs for signs of lateral movement or data exfiltration.

References

  • CISA KEV Catalog: CVE-2025-55182
  • Palo Alto Networks Unit 42: React2Shell Threat Intelligence
  • Proof-of-Concept by Maple3142: GitHub/Maple3142
  • Shadowserver Vulnerability Scanning: Shadowserver
  • Searchlight Cyber/Assetnote Detection Techniques: Assetnote
  • Rapid7 React2Shell Blog: Rapid7

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help safeguard your organization, we are happy to answer questions at ops@rescana.com.