Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims

Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit React2Shell, a critical vulnerability disclosed last week in React Server Components.

Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday. The agency previously set a deadline of Dec. 26 when it added CVE-2025-55182 to its known exploited vulnerabilities catalog last week.

Palo Alto Networks Unit 42 said more than 50 organizations are impacted by attacks involving exploitation of the vulnerability, with victims observed in the United States, Asia, South America and the Middle East.

Evidence to back up widening concern about the defect is abundant, coming from many corners of the threat research community. Attackers of various types are flocking to the opportunity, including nation-state attackers, cybercriminals, botnets, and threat groups seeking to steal cryptocurrency and deploy cryptojacking malware.

Shadowserver scans concluded the scope of potential impact is much greater than previously thought. On Monday, the organization found more than 165,000 IPs and 644,000 domains with vulnerable code, placing those instances at risk of exploitation. Nearly two-thirds of those vulnerable instances are based in the United States.

“This is a one click — game over — kind of vulnerability and corresponding exploit,” Kelly Shortridge, chief product officer at Fastly, told CyberScoop. “We see it basically hitting everyone,” she said, with attackers targeting any organization with valuable data, sensitive records or business-critical applications that can be stolen or knocked down for extortion efforts. 

“Security teams are, surprisingly, not all taking this seriously. It’s pretty uneven,” and “surprising to see that kind of dismissiveness from security teams,” Shortridge said.

Half of the public resources exposed to CVE-2025-55182 remain unpatched, and in-the-wild exploitation has expanded rapidly since early Tuesday, Alon Schindel, vice president of AI and threat research at Wiz, wrote in a LinkedIn post. Wiz Research has observed more than 15 distinct intrusion clusters to date. 

Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, described this as a “patch-now situation” as simultaneous exploitation is coming from across the entire threat landscape. 

“Our telemetry shows a surge in attacks, from low-skill opportunistic abuse, like Mirai bot deployments and coin-miners, to nation-state actors adapting this into their attack stack. We’re also seeing indicators linking this vulnerability exploitation to tooling previously used by ransomware groups,” he added.

Unit 42 on Tuesday said it uncovered activity that overlaps with previous attacks attributed to the North Korea threat group it tracks as Contagious Interview, which has deployed malware on the devices of people seeking jobs in the tech industry. 

Researchers at the incident response firm found evidence of compromise across many sectors, including financial services, business services, higher education, technology, government, management consulting, media and entertainment, legal services, telecom and retail.

Attempted attacks are also coming from China state-backed threat groups, according to Amazon and Unit 42. Amazon said its threat intelligence teams observed active exploitation attempts by Earth Lamia and Jackpot Panda within hours of the vulnerability’s public disclosure.

Attackers are pursuing sweeping potential impact because the vulnerability affects multiple React frameworks and bundlers that depend on React Server Components, including Next.js, React Router, Waku, Parcel RSC plugin, Vite RSC plugin, RedwoodJS and possibly others. 

VulnCheck said it has observed nearly 100 public proof-of-concepts for the vulnerability, adding that most of the current variants target Next.js. 

GreyNoise said it has observed more than 360 unique IP addresses attempting to exploit the vulnerability. Roughly two-fifths of those malicious IPs contained active payload data, revealing widespread attention from attackers ranging from automated botnets to more capable operators, the company said.

The malware used in these attacks is varied, highlighting the myriad objectives and techniques afoot. Unit 42 said it has observed Snowlight, Vshell, NoodlerRat, XMRIG, BPFDoor, Autocolor, Mirai and Supershell malware.

Some researchers are comparing the React defect to Log4Shell, a vulnerability in the Apache Log4j software library that drew widespread concern in 2021 and continues to have a long-tail impact on the software supply chain.

While React and Next.js aren’t as widely deployed as Log4Shell, according to Shortridge, the potential impact is worse and the React vulnerability is easier to weaponize as well. 

“The delivery factor is the command-and-control channel, which means once they’re in, it’s going to be really difficult to spot them, and they’re probably going to be able to blend into your normal traffic, and they’ll be able to do whatever they want,” she said. 

“You’re probably not going to know that it’s happened to you,” Shortridge said. “We are seeing some companies that didn’t think they were vulnerable are surprised to discover that, in fact, they are.”

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.


