Microsoft researchers warned that “several hundred machines” across a wide range of organizations have been compromised via the exploitation of a critical vulnerability in React Server Components, according to a blog post released Monday.
The vulnerability, tracked as CVE-2025-55182, allows an unauthenticated attacker to achieve remote code execution due to unsafe deserialization of payloads sent to React Server Function endpoints.
React is a JavaScript library used to build user interfaces. React Server Components is an ecosystem of frameworks, packages and bundlers that allow React 19 applications to run parts of their logic on the server instead of the browser, according to the blog.
The flaw, dubbed React2Shell, carries a severity score of 10 and is considered easy to exploit because default configurations are vulnerable.
Microsoft noted the framework is widely used in enterprise environments, with tens of thousands of devices across several thousand organizations running React or React-based applications.
Researchers at Google Threat Intelligence Group warned in a blog post on Friday that multiple espionage actors and opportunistic criminal groups have targeted React2Shell.
A China-nexus espionage group tracked as UNC6600 has been exploiting the flaw to deliver the Minocat tunneler, which helps attackers maintain covert communications with a compromised system, according to GTIG.
In addition, two other threat actors tied to China — UNC6588 and UNC6603 — have been spotted dropping backdoors onto victims in attacks targeting the vulnerability.
GTIG researchers have also observed suspected Iran-linked actors exploiting the flaw, but they did not provide additional details on that activity.
Researchers at Palo Alto Networks, meanwhile, have observed deployment of a new backdoor called KSwapDoor, which is a professionally engineered remote access tool. The tool is used to build an internal mesh network that allows compromised servers to communicate with each other, according to researchers.
Attackers have also been seen running arbitrary commands, including reverse shells to known Cobalt Strike servers, in React2Shell attacks, according to Microsoft. They have used remote monitoring and management tools, including MeshAgent, to gain persistence.
Cloud-credential theft
Microsoft said cloud service credentials have been targeted in the wave of attacks, including credentials exposed through instance metadata service endpoints on Azure, Amazon Web Services, Google Cloud Platform and Tencent Cloud.
The company said exploitation activity began as early as Dec. 5. The vulnerability was reported to React in late November by security researcher Lachlan Davidson through the Meta Bug Bounty program.
React issued a patch earlier this month for the original flaw; however, late last week additional flaws were disclosed, including CVE-2025-55814 and CVE-2025-67779.
