Over 77,000 Web-exposed IP addresses are susceptible to the essential React2Shell distant code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations throughout a number of sectors.
React2Shell is an unauthenticated distant code execution vulnerability that may be exploited by way of a single HTTP request and impacts all frameworks that implement React Server Parts, together with Subsequent.js, which makes use of the identical deserialization logic.
React disclosed the vulnerability on December 3, explaining that unsafe deserialization of client-controlled knowledge inside React Server Parts allows attackers to set off distant, unauthenticated execution of arbitrary instructions.
Builders are required to replace React to the newest model, rebuild their purposes, after which redeploy to repair the vulnerability.
On December 4, safety researcher Maple3142 revealed a working proof-of-concept demonstrating distant command execution in opposition to unpatched servers. Quickly after, scanning for the flaw accelerated as attackers and researchers started utilizing the general public exploit with automated instruments.
Over 77,000 susceptible IP addresses
Shadowserver Web watchdog group now experiences that it has detected 77,664 IP addresses susceptible to the React2Shell flaw, with roughly 23,700 in america.
Supply: ShadowServer
The researchers decided that IP addresses had been susceptible utilizing a detection method developed by Searchlight Cyber/Assetnote, the place an HTTP request was despatched to servers to take advantage of the flaw, and a selected response was checked to verify whether or not a tool was susceptible.Â
GreyNoise additionally recorded 181 distinct IP addresses trying to take advantage of the flaw over the previous 24 hours, with many of the site visitors showing automated. The researchers say the scans are primarily originating from the Netherlands, China, america, Hong Kong, and a small variety of different nations.
Supply: Greynoise
Palo Alto Networks experiences that greater than 30 organizations have already been compromised by way of the React2Shell flaw, with attackers exploiting the vulnerability to run instructions, conduct reconnaissance, and try to steal AWS configuration and credential information.
These compromises embody intrusions linked to identified state-associated Chinese language menace actors.
Widespread exploitation of React2Shell
Since its disclosure, researchers and menace intelligence corporations have noticed widespread exploitation of the CVE-2025-55182 flaw.
GreyNoise experiences that attackers ceaselessly start with PowerShell instructions that carry out a fundamental math operate to verify the system is susceptible to the distant code execution flaw.
These exams return predictable outcomes whereas leaving minimal indicators of exploitation:
powershell -c "40138*41979"
powershell -c "40320*43488"
As soon as distant code execution was confirmed, attackers had been seen executing base64-encoded PowerShell instructions that obtain further scripts instantly into reminiscence.Â
powershell -enc
One noticed command executes a second-stage PowerShell script from the exterior web site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint safety and deploy further payloads.
In response to VirusTotal, the PowerShell script noticed by GreyNoise installs a Cobalt Strike beacon on the focused system, giving menace actors a foothold on the community.
Amazon AWS menace intelligence groups additionally noticed speedy exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure related to China-linked APT hacking teams referred to as Earth Lamia and Jackpot Panda.Â
On this exploitation, the menace actors carry out reconnaissance on susceptible servers by utilizing instructions corresponding to whoami and id, trying to write down information, and studying /and so forth/passwd.
Palo Alto Networks additionally noticed related exploitation, attributing a few of it to UNC5174, a Chinese language state-sponsored menace actor believed to be tied to the Chinese language Ministry of State Safety.
“Unit 42 noticed menace exercise we assess with excessive confidence is according to CL-STA-1015 (aka UNC5174), a gaggle suspected to be an preliminary entry dealer with ties to the Chinese language Ministry of State Safety,” Justin Moore, Senior Supervisor at Palo Alto Networks Unit 42, advised BleepingComputer by way of electronic mail.
“On this exercise, we noticed the deployment of Snowlight and Vshell malware, each extremely according to Unit 42 data of CL-STA-1015 (also referred to as UNC5174).”
The deployed malware in these assaults is:
- Snowlight: A malware dropper that enables distant attackers to drop further payloads on breached gadgets.
- Vshell: A backdoor generally utilized by Chinese language hacking teams for distant entry, post-exploitation exercise, and to maneuver laterally by way of a compromised community.
The frenzy to patch
As a result of severity of the React flaw, corporations worldwide have rushed to put in the patch and apply mitigations.
Yesterday, Cloudflare rolled out emergency detections and mitigations for the React flaw in its Net Utility Firewall (WAF) as a result of its widespread exploitation and severity.
Nonetheless, the replace inadvertently induced an outage affecting quite a few web sites earlier than the foundations had been corrected.Â
CISA has additionally added CVE-2025-55182 to the Recognized Exploited Vulnerabilities (KEV) catalog, requiring federal businesses to use patches by December 26, 2025, beneath Binding Operational Directive 22-01.
Organizations utilizing React Server Parts or frameworks constructed on high of them are suggested to use updates instantly, rebuild and redeploy their purposes, and overview logs for indicators of PowerShell or shell command execution.
Damaged IAM is not simply an IT downside – the influence ripples throughout your complete enterprise.
This sensible information covers why conventional IAM practices fail to maintain up with trendy calls for, examples of what “good” IAM appears like, and a easy guidelines for constructing a scalable technique.
