

Ethical Hacking News

Critical React Server Component Vulnerability Exploited by Multiple Threat Actors



Critical Vulnerability in React Server Components Exploited by Multiple Threat Actors
---------------------------------------------

A critical unauthenticated remote code execution (RCE) vulnerability in React Server Components has been exploited by multiple threat actors, including China-nexus espionage groups and financially motivated attackers. This article provides detailed information on the observed exploitation chains and post-compromise behaviors, as well as recommendations for mitigating this threat.

Organizations running React or Next.js are at risk of exploitation by both opportunistic cybercrime actors and suspected espionage groups. The use of React Server Components in popular frameworks like Next.js has resulted in a significant number of exposed systems vulnerable to this issue. Exploitation potential is further increased by two factors: 1) there are a variety of valid payload formats and techniques, and 2) the mere presence of vulnerable packages on systems is often enough to permit exploitation.

The goal is to give organizations actionable intelligence on the observed exploitation chains and post-compromise behaviors, together with recommendations for mitigating this threat, so that they can close the vulnerability in React Server Components and prevent unauthorized access to their systems.

Stay ahead of the threat curve by staying informed about the latest cybersecurity threats and best practices for mitigation.















  • CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components with a CVSS score of 10.0.
  • The vulnerability allows attackers to send a single HTTP request that executes arbitrary code with the privileges of the user running the affected web server process.
  • Multiple threat actors have exploited this vulnerability, including suspected espionage groups and opportunistic cybercrime actors.
  • Threat actors have deployed various malware, including MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, COMPOOD backdoor, and XMRIG cryptocurrency miners.
  • Organizations using unpatched versions of React and Next.js are highly vulnerable to this issue.
  • GTIG considers CVE-2025-55182 a critical-risk vulnerability due to its widespread exploitation and the use of popular frameworks like Next.js.



On December 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed. This vulnerability has been widely exploited across various threat clusters by both opportunistic cybercrime actors and suspected espionage groups. Google Threat Intelligence Group (GTIG) began observing widespread exploitation of this vulnerability shortly after its disclosure.

GTIG identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners. These observed campaigns highlight the risk posed to organizations using unpatched versions of React and Next.js.

CVE-2025-55182 is an unauthenticated RCE vulnerability in React Server Components with a CVSS v3.x score of 10.0 and a CVSS v4 score of 9.3. The flaw allows unauthenticated attackers to send a single HTTP request that executes arbitrary code with the privileges of the user running the affected web server process.

GTIG considers CVE-2025-55182 to be a critical-risk vulnerability due to the use of React Server Components in popular frameworks like Next.js, resulting in a significant number of exposed systems vulnerable to this issue. Exploitation potential is further increased by two factors: 1) there are a variety of valid payload formats and techniques, and 2) the mere presence of vulnerable packages on systems is often enough to permit exploitation.

The specific RSC packages vulnerable to CVE-2025-55182 are versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.

GTIG observed multiple incidents in which threat actor UNC6588 exploited CVE-2025-55182, then ran a script that used wget to download a COMPOOD backdoor payload. The script then executed the COMPOOD sample, which masqueraded as Vim.

COMPOOD has historically been linked to suspected China-nexus espionage activity. In 2022, GTIG observed COMPOOD in incidents involving a suspected China-nexus espionage actor, and also observed samples uploaded to VirusTotal from Taiwan, Vietnam, and China.

Another China-nexus actor, UNC6603, deployed an updated version of the HISONIC backdoor. HISONIC is a Go-based implant that uses legitimate cloud services, such as Cloudflare Pages and GitLab, to retrieve its encrypted configuration. This technique allows the actor to blend malicious traffic with legitimate network activity.

Finally, GTIG also observed a China-nexus actor, UNC6595, exploiting the vulnerability to deploy ANGRYREBEL.LINUX. The threat actor uses an installation script (b.sh) that attempts to evade detection by masquerading the malware as the legitimate OpenSSH daemon (sshd) within the /etc/ directory, rather than its standard location.

GTIG also observed multiple incidents in which threat actors exploited CVE-2025-55182 and deployed XMRig for illicit cryptocurrency mining. In one observed chain, the actor downloaded a shell script named "sex.sh," which downloads and executes the XMRIG cryptocurrency miner from GitHub. The script also attempts to establish persistence for the miner via a new systemd service called "system-update-service."

GTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools.

This vulnerability is part of a larger set of vulnerabilities recently disclosed in React Server Components. Three additional React vulnerabilities have been disclosed: CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. Two of these follow-on vulnerabilities have relatively limited impact (restricted information disclosure and a denial-of-service (DoS) condition). The third (CVE-2025-67779) also causes a DoS condition; it arose from an incomplete patch for CVE-2025-55184.

Organizations utilizing React or Next.js should take the following actions immediately:
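As an added example, not code from the article or from GTIG, the following Node.js script inventories an npm package-lock.json for the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack versions listed above, walking nested (transitive) copies as well, since the article notes that the mere presence of a vulnerable package is often enough to permit exploitation. It assumes the listed "19.0" means the exact version 19.0.0, and it embeds a constructed sample lockfile in place of reading a real one.

```javascript
// Added example (not from the article or from GTIG): inventory an npm package-lock.json
// for the react-server-dom-* versions the article lists for CVE-2025-55182, including
// transitive copies. Assumption: the article's "19.0" is read as the exact version 19.0.0.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Package name from a v2/v3 install path like "node_modules/next/node_modules/react-server-dom-webpack".
function nameFromPath(installPath) {
  const i = installPath.lastIndexOf("node_modules/");
  return i === -1 ? null : installPath.slice(i + "node_modules/".length);
}
// Returns [{ name, version, path }] for every affected copy in the parsed lockfile.
function findAffected(lock) {
  const hits = [];
  const check = (name, meta, path) => {
    if (AFFECTED_PACKAGES.has(name) && AFFECTED_VERSIONS.has(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "name" is only set for aliased packages.
    for (const [path, meta] of Object.entries(lock.packages)) check(meta.name || nameFromPath(path), meta, path);
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree, so recurse to reach transitive copies.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(name, meta, path);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}
// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" }, // not one of the three RSC packages
    "node_modules/react-server-dom-webpack": { version: "19.2.0" }, // listed version
    "node_modules/react-server-dom-parcel": { version: "19.2.1" }, // outside the listed set
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.1" }, // nested copy
  },
};

for (const h of findAffected(SAMPLE_LOCK)) console.log(`${h.path}: ${h.name}@${h.version} is an affected version`);
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); the same check applies to each lockfile in a monorepo.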







    Related Information:
  • https://www.ethicalhackingnews.com/articles/Critical-React-Server-Component-Vulnerability-Exploited-by-Multiple-Threat-Actors-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55182

  • https://www.cvedetails.com/cve/CVE-2025-55182/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55183

  • https://www.cvedetails.com/cve/CVE-2025-55183/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55184

  • https://www.cvedetails.com/cve/CVE-2025-55184/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-67779

  • https://www.cvedetails.com/cve/CVE-2025-67779/

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://levelblue.com/en-us/resources/blogs/trustwave-blog/dissecting-and-understanding-apt-threat-group-activity/

  • https://breach-hq.com/threat-actors


  • Published: Fri Dec 12 21:10:16 2025 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.
