Two months following the disclosure of CVE-2025-55182, exploitation activity targeting React Server Components has evolved from broad scanning into consolidated, high-volume attack campaigns.
According to telemetry from GreyNoise collected between January 26 and February 2, 2026, threat actors are actively leveraging this critical vulnerability to deploy cryptominers and establish persistent remote access.
While the total number of unique sources attempting exploitation reached 1,083, traffic has heavily consolidated. Two specific IP addresses generated 56% of all observed malicious sessions, indicating automated, large-scale infrastructure rather than manual testing.
Threat Landscape and Dominant Actors
The observed attacks utilize the public Metasploit module for CVE-2025-55182, which allows for pre-authentication remote code execution (RCE) via a single malicious HTTP POST request. The dominant threat actors have bifurcated their operational objectives:
- The Cryptomining Campaign (87.121.84[.]24): Responsible for 22% of traffic (311,484 sessions), this actor executes a retrieval script to download an XMRig binary from staging servers. This campaign relies on external infrastructure to host payloads.
- The Interactive Access Campaign (193.142.147[.]209): Responsible for 34% of traffic (488,342 sessions), this actor bypasses staging servers entirely. Instead, the payload opens a reverse shell directly back to the scanner IP on port 12323, suggesting an intent for interactive network pivots rather than automated resource theft.
Deep analysis of the cryptomining infrastructure reveals a history of malicious activity. The primary staging server, 205.185.127[.]97, has hosted attacker-controlled domains such as mased[.]top and mercarios[.]buzz since 2020.
Furthermore, adjacent IP addresses in the same subnet (87.121.84[.]25 and 87.121.84[.]45) are currently distributing Mirai and Gafgyt variants, suggesting this subnet is a haven for botnet operators targeting both enterprise servers and consumer IoT devices.
Vulnerability Details
CVE-2025-55182 is a deserialization flaw in React Server Components that carries a CVSS score of 10.0. It allows unauthenticated attackers to execute arbitrary code by manipulating serialized data processed by the server.
| CVE ID | CVSS Score | Affected Software | Vulnerability Type |
|---|---|---|---|
| CVE-2025-55182 | 10.0 (Critical) | React Server Components | Insecure Deserialization |
Affected Versions:
- React 19.0.0
- React 19.1.0 through 19.1.1
- React 19.2.0
Patched Versions:
- React 19.0.1, 19.1.2, 19.2.1
Attackers are specifically targeting development ports, likely looking for misconfigured instances where developers have used the --host 0.0.0.0 flag, inadvertently exposing the server to the public internet. The most targeted ports include 443, 80, 3000, 3001, and 3002.
Security teams are urged to patch immediately to the latest React versions. If patching is not feasible, restrict network access to development ports and block the indicators listed below.
Indicators of Compromise (IOCs)
Network Indicators (IPv4)
| IP Address | Type | Association |
|---|---|---|
| 193.142.147[.]209 | Attacker Source | Reverse Shell / Interactive Access |
| 87.121.84[.]24 | Attacker Source | XMRig Cryptominer Dropper |
| 205.185.127[.]97 | Staging Server | Payload Hosting |
| 176.65.132[.]224 | Staging Server | Payload Hosting |
Network Artifacts
- Reverse Shell Port: TCP/12323
- Traffic Pattern: HTTP POST requests containing unusual Next-Action headers.
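The indicators above can be turned into straightforward detection logic. The following Python script is an added example, not part of the GreyNoise report or of this article; it assumes a newline-delimited JSON log schema (fields src_ip, dst_port, method and headers for inbound requests; dst_ip and dst_port for outbound connections from the server), and all sample records are constructed. Because Next-Action is a legitimate Next.js Server Actions request header, the rules treat it only as a weak signal and combine it with the listed attacker addresses or with the targeted development ports; outbound connections to TCP/12323 or to any listed address are flagged on their own.

```python
import json
from dataclasses import dataclass

# Network indicators from the report above (defanging brackets removed).
IOC_IPS = {
    "193.142.147.209": "attacker source - reverse shell / interactive access",
    "87.121.84.24": "attacker source - XMRig cryptominer dropper",
    "205.185.127.97": "staging server - payload hosting",
    "176.65.132.224": "staging server - payload hosting",
}
REVERSE_SHELL_PORT = 12323       # TCP port the interactive-access payload calls back to
DEV_PORTS = {3000, 3001, 3002}   # development ports the report lists as heavily targeted


@dataclass
class Alert:
    severity: str   # "high" or "medium"
    rule: str
    record: dict


def check_http(rec: dict) -> list:
    """Rules for one inbound HTTP request (assumed schema: src_ip, dst_port, method, headers)."""
    alerts = []
    src = rec.get("src_ip", "")
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    # Next-Action is a legitimate Next.js Server Actions header, so by itself it is only
    # a weak signal; it is combined with the source address or the destination port.
    action_post = rec.get("method", "").upper() == "POST" and "next-action" in headers
    if src in IOC_IPS:
        alerts.append(Alert("high", f"request from known attacker source ({IOC_IPS[src]})", rec))
    if action_post and rec.get("dst_port") in DEV_PORTS:
        alerts.append(Alert("medium", "Next-Action POST to an exposed development port", rec))
    return alerts


def check_conn(rec: dict) -> list:
    """Rules for one outbound connection from a server (assumed schema: dst_ip, dst_port)."""
    alerts = []
    dst, port = rec.get("dst_ip", ""), rec.get("dst_port")
    if port == REVERSE_SHELL_PORT:
        alerts.append(Alert("high", "outbound connection on reverse-shell port TCP/12323", rec))
    if dst in IOC_IPS:
        alerts.append(Alert("high", f"outbound connection to IOC address ({IOC_IPS[dst]})", rec))
    return alerts


def scan(jsonl: str) -> list:
    """Run both rule sets over newline-delimited JSON records tagged with type 'http' or 'conn'."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("type") == "http":
            alerts.extend(check_http(rec))
        elif rec.get("type") == "conn":
            alerts.extend(check_conn(rec))
    return alerts


# Constructed sample records (not real telemetry): a benign Server Action call, a POST from
# the cryptomining source, a Next-Action POST to a dev port from an unlisted address,
# a payload fetch from the staging server, and a reverse-shell callback.
SAMPLE_LOG = """
{"type": "http", "src_ip": "203.0.113.10", "dst_port": 443, "method": "POST", "headers": {"Next-Action": "a1b2c3"}}
{"type": "http", "src_ip": "87.121.84.24", "dst_port": 443, "method": "POST", "headers": {"Next-Action": "deadbeef"}}
{"type": "http", "src_ip": "198.51.100.7", "dst_port": 3000, "method": "POST", "headers": {"Next-Action": "ffff"}}
{"type": "conn", "dst_ip": "205.185.127.97", "dst_port": 80}
{"type": "conn", "dst_ip": "193.142.147.209", "dst_port": 12323}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.rule}: {alert.record}")
```

On the constructed sample the benign Server Action call produces no alert, while the other four records yield one medium and four high alerts (the reverse-shell callback matches both the port rule and the address rule). In production the IOC set should be refreshed from a feed rather than hard-coded, and the medium rule is best tuned against a baseline of which hosts legitimately serve Server Actions on development ports.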
File Hash (SHA-256)
[Hash pending further analysis]: XMRig Binary (ELF) retrieved from 205.185.127[.]97.
