Exploitation of React2Shell Surges
The vulnerability, dubbed React2Shell and officially tracked as CVE-2025-55182, can be exploited with specially crafted HTTP requests to achieve unauthenticated remote code execution. The flaw affects applications built on React 19 that use React Server Components (RSC).
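Because the exposure hinges on React 19 being paired with an RSC runtime, the first thing a defender needs is an inventory. The following is an added example, not code from the article or from the React project: a Node.js triage script that walks a `package-lock.json` (lockfile version 2 or 3), lists every installed copy of `react`, and classifies every installed RSC runtime package against a patched-version list. The RSC runtime package names and the `FIXED_VERSIONS` values are assumptions for the example; take the real patched versions from the vendor advisory. The sample lockfile is constructed inline so the script runs offline.

```javascript
// Added example (not from the article or the React project): triage a
// package-lock.json (lockfileVersion 2 or 3) for the exposure the article
// describes, React 19 used together with React Server Components.
// Assumptions, not facts from the article: the RSC runtime package names
// below, and the FIXED_VERSIONS list, which the operator must fill in from
// the vendor advisory.

const RSC_RUNTIME_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Parse a plain "major.minor.patch" string into numbers. Prerelease and
// canary tags, ranges and "workspace:*" return null and are left for
// manual review rather than being guessed at.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v ?? '').trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Classify one installed RSC runtime version. Each entry in `fixed` is the
// first safe patch release on its own major.minor line.
function classify(installed, fixed) {
  if (!installed) return 'unparseable';
  if (installed.major !== 19) return 'not-affected-major';
  const line = fixed.find(
    (f) => f.major === installed.major && f.minor === installed.minor,
  );
  if (!line) return 'unknown-line'; // a 19.x line the supplied list lacks
  return installed.patch >= line.patch ? 'patched' : 'vulnerable';
}

// Walk the "packages" map. Keys look like "node_modules/react" or
// "node_modules/a/node_modules/react-server-dom-webpack"; nested copies
// matter because a patched hoisted copy does not fix a nested old one.
function triageLockfile(lock, fixedVersions) {
  const fixed = fixedVersions.map(parseSemver).filter(Boolean);
  const findings = { reactCopies: [], rscRuntimes: [], exposed: false };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === 'react') {
      findings.reactCopies.push({ path, version: entry.version });
    } else if (RSC_RUNTIME_PACKAGES.includes(name)) {
      const status = classify(parseSemver(entry.version), fixed);
      findings.rscRuntimes.push({ path, version: entry.version, status });
      if (status !== 'patched' && status !== 'not-affected-major') {
        findings.exposed = true; // anything not positively patched needs action
      }
    }
  }
  return findings;
}

// Constructed sample lockfile: a hoisted, unpatched RSC runtime plus one
// dependency that ships its own newer nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.1.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.0' },
    'node_modules/some-ui-kit/node_modules/react-server-dom-webpack': { version: '19.1.2' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Illustrative patched-version list for the example. Replace with the
// versions named in the vendor advisory before relying on the result.
const FIXED_VERSIONS = ['19.0.1', '19.1.2', '19.2.1'];

function runSample() {
  return triageLockfile(SAMPLE_LOCK, FIXED_VERSIONS);
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The script deliberately treats anything it cannot positively classify as patched (an unparseable version, or a 19.x line missing from the supplied list) as exposed, so that a canary build or an unexpected release line is surfaced for a human rather than silently passed.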
Palo Alto Networks' Unit 42 reported: “We have observed scanning for vulnerable RCE, reconnaissance activity, attempted theft of AWS configuration and credential files, as well as installation of downloaders to retrieve payloads from attacker command and control infrastructure. Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015 (aka UNC5174), a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security. In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015 (also known as UNC5174).”
Security firm Ellio has also observed React2Shell attacks, and only 2% of them stopped at reconnaissance. Roughly 65% of the attacks attempted to deliver Mirai malware, which is typically used to build botnets, along with a cryptocurrency miner.
To read the complete article see: Exploitation of React2Shell Surges