React Server Components crisis escalates as security teams respond to compromises

Security teams on Tuesday said they are responding to a rising number of potential compromises linked to a critical vulnerability in React Server Components. 

The scope of the crisis is wider than expected: after refining its scan targeting, Shadowserver reported more than 165,000 IPs and 644,000 domains running potentially vulnerable code.

Post-exploitation threat activity has been observed at more than 50 organizations thus far, Palo Alto Networks told Cybersecurity Dive. 

The impacted organizations work in a range of sectors, including media, financial services, business services, technology, federal, state and local government and telecommunications. 

The vulnerability, tracked as CVE-2025-55182, allows an unauthenticated attacker to achieve remote code execution due to unsafe deserialization of payloads.

The Cybersecurity and Infrastructure Security Agency updated an advisory linked to the vulnerability and asked security teams to check for signs of compromise activity on any internet-accessible React instances after applying mitigations.

A patch was issued earlier to address the flaw.

As previously reported, the vulnerability has been targeted by state-linked actors from China, tracked as Earth Lamia and Jackpot Panda, according to researchers from AWS. 

Palo Alto Networks also reported an expansion of threat activity on Tuesday, as fake IT recruiters potentially linked to North Korea entered the fray. Researchers said the campaign, tracked as Contagious Interview, involves fake IT recruiters installing malware onto the computers of job-seekers. 

An adversary linked with North Korea has been using a technique called EtherHiding to deliver malware and steal cryptocurrency by leveraging public blockchains, according to Palo Alto Networks.

Researchers also detected use of a Linux backdoor known as BPFDoor that has been associated with a China-linked actor known as Red Menshen. 

Researchers at GreyNoise on Monday reported 362 unique IP addresses targeting the vulnerability. Hackers demonstrated a variety of attack methods, including remote script execution, reverse shell/downloader scripts, SSH persistence and directory reconnaissance. 
