TL;DR

A critical unauthenticated RCE in React Server Components, CVE-2025-55182 (React2Shell), was disclosed Dec. 3, 2025 and quickly saw widespread exploitation. Google Threat Intelligence Group observed varied payloads — from tunneling and backdoors to cryptominers — deployed by multiple threat clusters across regions.

What happened

On Dec. 3, 2025, researchers publicly disclosed CVE-2025-55182, an unauthenticated remote code execution flaw in React Server Components. GTIG reported that exploitation began almost immediately and was leveraged by multiple actor clusters, including several China-nexus groups and financially motivated operators. The vulnerability affects specific react-server-dom packages used by frameworks such as Next.js and carries critical CVSS scores (v3.x 10.0, v4 9.3). Observed payloads include the MINOCAT tunneler, SNOWLIGHT downloader (part of VSHELL), COMPOOD and HISONIC backdoors, an ANGRYREBEL.LINUX implant, and XMRig cryptocurrency miners. Attackers used common Linux persistence mechanisms — cron jobs, systemd services, and shell configuration changes — and deployed scripts fetched via curl or wget. GTIG also warned about an initial wave of nonfunctional and misleading exploit repositories and encouraged reliance on vetted technical write-ups for validation.

Why it matters

  • The flaw allows unauthenticated attackers to run arbitrary code as the web server process, making it high risk for internet-exposed apps.
  • React Server Components are used in popular frameworks (e.g., Next.js), increasing the number of potentially vulnerable systems.
  • Observed post-compromise tools include both espionage-grade backdoors and commodity cryptominers, demonstrating diverse attacker objectives.
  • Rapid circulation of both real and fake exploit code heightens the risk of widespread compromise and researcher confusion.

Key facts

  • CVE-2025-55182 is an unauthenticated RCE in React Server Components with CVSS v3.x 10.0 and CVSS v4 9.3.
  • Vulnerable packages include versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
  • GTIG observed exploitation beginning immediately after public disclosure and across multiple regions and industries.
  • Observed payloads: MINOCAT tunneler, SNOWLIGHT downloader (VSHELL component), COMPOOD backdoor, HISONIC backdoor, ANGRYREBEL.LINUX, and XMRig miners.
  • Attackers established persistence via cron jobs, systemd services, and modifications to user shell configs; some samples masqueraded as legitimate binaries.
  • Multiple China-nexus clusters were identified (e.g., UNC6600, UNC6586, UNC6588, UNC6603, UNC6595) and AWS reported activity from Earth Lamia and Jackpot Panda.
  • Researchers noted widespread sharing of nonfunctional or AI-generated exploit repositories early after disclosure; some samples contained malware targeting researchers.
  • A separate Next.js CVE (CVE-2025-66478) was later marked as a duplicate of CVE-2025-55182.

What to watch next

  • Increased scanning and automated exploitation attempts against React/Next.js servers following public disclosure.
  • Deployment of both commodity miners (XMRig) and more persistent backdoors — monitor for new systemd services, unexpected cron entries, and shell config changes.
  • Circulation of exploit code and tools in underground forums and public repositories; validate any proof-of-concept against trusted technical write-ups.

Quick glossary

  • Remote Code Execution (RCE): A vulnerability that allows an attacker to run arbitrary code on a target system without authorization.
  • CVSS: Common Vulnerability Scoring System, a standardized method to convey the severity of software vulnerabilities.
  • Backdoor: Malicious software that provides persistent remote access to a compromised system, often bypassing normal authentication.
  • Cryptominer (XMRig): Software that uses a system's resources to mine cryptocurrency, frequently deployed illicitly by attackers.
  • Persistence: Techniques attackers use to maintain access on a compromised host across reboots or session changes (e.g., cron, systemd).

Reader FAQ

Which servers and packages are affected?
React Server Components implementations using react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack in the vulnerable versions listed above (19.0, 19.1.0, 19.1.1, and 19.2.0).

Who has been observed exploiting this vulnerability?
GTIG reported multiple clusters, including several China-nexus groups (UNC6600, UNC6586, UNC6588, UNC6603, UNC6595), and AWS noted Earth Lamia and Jackpot Panda activity.

How can defenders detect exploitation?
Look for unexpected cron jobs/systemd services, scripts fetched via curl/wget, hidden directories (e.g., .systemd-utils), masqueraded binaries, timestomping, and cleared shell history.
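As an added example (not code from the GTIG report or the React project), the POSIX shell routine below turns the indicators listed above into an offline triage pass over a Linux root tree: cron entries that fetch and pipe into a shell, systemd units launched from hidden or temp directories, shell configs that fetch remotely or run something from a hidden directory, and hidden directories such as .systemd-utils. The `triage_root` name, the path lists and the regexes are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the GTIG report): offline triage of a Linux root tree for the
# post-exploitation indicators the write-up lists. ROOT may be "/" or a mounted image.
# Path lists and regexes are illustrative assumptions, not a complete detection rule set.

triage_root() {
    root="${1:-/}"
    findings=0

    # 1. cron entries that fetch remote content and pipe it into a shell (curl/wget)
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        if grep -Eq '(curl|wget)[^#]*\|[[:space:]]*(sh|bash)' "$f"; then
            echo "cron fetch-and-run: $f"; findings=$((findings + 1))
        fi
    done

    # 2. systemd units started from a hidden directory or a world-writable temp path
    for f in "$root"/etc/systemd/system/*.service "$root"/home/*/.config/systemd/user/*.service; do
        [ -f "$f" ] || continue
        if grep -Eq '^ExecStart=.*(/\.[^/]+/|/tmp/|/dev/shm/)' "$f"; then
            echo "suspicious systemd unit: $f"; findings=$((findings + 1))
        fi
    done

    # 3. shell configs that fetch remotely or launch something from a hidden directory
    for f in "$root"/root/.bashrc "$root"/root/.profile "$root"/home/*/.bashrc "$root"/home/*/.profile; do
        [ -f "$f" ] || continue
        if grep -Eq '(curl|wget|/\.[A-Za-z0-9_-]+/)' "$f"; then
            echo "shell config modification: $f"; findings=$((findings + 1))
        fi
    done

    # 4. hidden directories (e.g. .systemd-utils) under common drop locations;
    #    well-known dotdirs are skipped, anything else is reported for review
    for d in "$root"/tmp "$root"/var/tmp "$root"/dev/shm "$root"/root "$root"/home/*; do
        [ -d "$d" ] || continue
        for h in "$d"/.*; do
            case "${h##*/}" in .|..|.config|.cache|.ssh|.local|.npm) continue ;; esac
            if [ -d "$h" ]; then
                echo "hidden directory: $h"; findings=$((findings + 1))
            fi
        done
    done

    echo "findings=$findings"
}
# Run against a specific root when invoked with an argument, e.g. sh triage.sh /mnt/image
if [ $# -gt 0 ]; then triage_root "$1"; fi
```

Timestomping and cleared shell history, also named above, need timeline comparison (inode change times versus modification times, empty or truncated history files) and are not covered by this pass.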

Written by: Aragorn Tseng, Robert Weiner, Casey Charrier, Zander Work, Genevieve Stark, Austin Larsen
