Cybersecurity companies have been seeing a wide range of malware being delivered in attacks exploiting the critical React vulnerability dubbed React2Shell.
A researcher discovered recently that React, the popular open source library for creating application user interfaces, is affected by a critical vulnerability that can be exploited for unauthenticated remote code execution via specially crafted HTTP requests.
React2Shell, officially tracked as CVE-2025-55182, impacts systems that use React version 19, specifically deployments that use React Server Components (RSC). Because the flaw lives in the RSC code path, frameworks that build on it are affected as well, including Next.js, Waku, React Router, and RedwoodSDK.
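One check a practitioner wants at this point is an inventory of which installed copies of the RSC packages sit on a pre-fix React 19 release. The script below is an added example, not code from this article, from the React project, or from any vendor named here. It assumes that the vulnerable code ships in the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages and that the first patched release of each 19.x line is 19.0.1, 19.1.2 and 19.2.1 respectively; those names and version numbers are taken from the upstream advisory as recalled by the author of the example and should be verified against it. The lockfile it parses is constructed for the demonstration.

```javascript
// Added example (not code from the article, from the React project, or from any
// vendor named above): inventory a Node project's package-lock.json for the React
// Server Components packages and report whether each installed copy is at a
// React 19 release that predates the CVE-2025-55182 fix.

// ASSUMPTION: package names and the first patched version of each 19.x line are
// taken from the upstream advisory as recalled; verify before relying on this.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const FIRST_PATCHED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Minimal semver parse: major.minor.patch with an optional prerelease tag.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare only the numeric core; returns <0, 0 or >0.
function compareCore(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Classify one installed version of an RSC package.
function assessVersion(version) {
  const sv = parseSemver(version);
  if (!sv) return { status: "unparseable" };
  if (sv.major !== 19) return { status: "not-react-19" };
  const fixedIn = FIRST_PATCHED[`${sv.major}.${sv.minor}`];
  if (!fixedIn) return { status: "unknown-line" }; // a 19.x line not in the table: review by hand
  const cmp = compareCore(sv, parseSemver(fixedIn));
  // Anything below the fix, or a prerelease cut of the fix version (e.g. 19.2.1-canary),
  // is treated as vulnerable: semver sorts prereleases before the final release.
  if (cmp < 0 || (cmp === 0 && sv.pre)) return { status: "vulnerable", fixedIn };
  return { status: "patched", fixedIn };
}

// Flatten a lockfileVersion 1 file (nested "dependencies") into [path, entry] pairs.
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out.push([path, entry]);
    walkV1(entry.dependencies, `${path}/`, out);
  }
  return out;
}

// Walk every installed copy, nested duplicates included, and report the RSC ones.
function findRscPackages(lock) {
  const entries = lock.packages
    ? Object.entries(lock.packages) // lockfileVersion 2/3: flat map keyed by install path
    : walkV1(lock.dependencies, "", []);
  const findings = [];
  for (const [path, entry] of entries) {
    const name = path.split("node_modules/").pop(); // last path segment is the package name
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, ...assessVersion(entry.version) });
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile (not from any real project): a top-level copy at a
// pre-fix 19.2 release, a nested copy that is already patched, an old prerelease,
// and a hypothetical major version outside 19.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { react: "19.2.0", "react-server-dom-webpack": "19.2.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/legacy-tool/node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0-rc-fb9a90fa48-20240614" },
    "node_modules/react-server-dom-turbopack": { version: "20.0.0" },
  },
};

for (const f of findRscPackages(SAMPLE_LOCK)) {
  const fix = f.fixedIn ? `  (fixed in ${f.fixedIn})` : "";
  console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}${fix}  ${f.path}`);
}
```

Against a real project, pass the parsed lockfile (for example `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`) to findRscPackages. Two caveats: a framework that vendors its own compiled copy of the RSC code (Next.js ships one under next/dist/compiled) will not show up under these package names, so its own version must be checked against its advisory separately; and a clean result only says the installed code is patched, not that a host was never exploited, which is why the miners, credential theft and implants described below still need to be hunted for on anything that was exposed before patching.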
React powers millions of websites, and it’s used by popular online services such as Airbnb and Netflix.
The Shadowserver Foundation initially said it had only seen roughly 77,000 IP addresses associated with vulnerable instances, but later reported seeing more than 165,000 IPs and 644,000 domains “with vulnerable code”.
In-the-wild exploitation of React2Shell
AWS reported that Chinese threat actors were the first to exploit the vulnerability, with attacks starting shortly after public disclosure. Exploitation soon surged and dozens of organizations were reportedly impacted.
Several major cybersecurity companies are now observing attack attempts, and they have detailed the various types of payloads delivered by hackers.
A majority of security firms have seen attempts to deliver cryptocurrency miners following the exploitation of React2Shell. Cloud credential theft was also widely observed.
Palo Alto Networks has confirmed a report from Sysdig that North Korea-linked threat actors have been exploiting CVE-2025-55182 to deliver EtherRAT, a persistent access implant.
In addition, Palo Alto has seen attackers attempting to deploy the BPFDoor Linux backdoor, which was previously attributed to a Chinese state-sponsored threat actor tracked as Red Menshen and Earth Bluecrow.
The security firm has also observed delivery of commodity malware, Cobalt Strike, dropper scripts, interactive webshells, NoodleRAT, the Auto-color backdoor, and the SnowLight and VShell trojans. The SnowLight and VShell trojans were seen in an initial access broker campaign linked to China.
Huntress has also seen attempts to deliver a wide range of malware to customers’ systems.
The company has observed a Linux backdoor named PeerBlight, a reverse proxy tunnel called CowTunnel, and a post-exploitation implant dubbed ZinFoq. Huntress has also seen malware powering the Kaiji botnet being distributed through this campaign.
Wiz has been monitoring cloud attacks.
“Most attacks target internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services,” the cloud security giant said.
In the attacks observed by the company, threat actors leveraged React2Shell to steal credentials associated with cloud and developer services, deploy cryptominers in containers, and deliver backdoors and Sliver implants.
CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog and initially instructed federal agencies to address it by December 26. Following the surge in exploitation, the agency moved the deadline up to December 12.