Nation-State and Cybercrime Exploits Tied to React2Shell
2 More Vulnerabilities Need Patching in React Server Components, Warns Vercel
Mass exploitation of the React2Shell vulnerability is underway by nation-state hackers tied to China, North Korea and Iran, as well as financially motivated cybercriminals, experts warn.
Tracked as CVE-2025-55182, the vulnerability affects all versions of the Meta-developed open-source React framework since version 19, released in November 2024.
Following the public release of a patch on Dec. 3, threat intelligence firm Huntress said attacks targeting React2Shell appeared to surge on Dec. 8, including against the construction and entertainment sectors.
Threat intel firm GreyNoise observed 669 different, unique IP addresses attempting to exploit React2Shell on Sunday alone. The firm has tracked about 2,300 different IP addresses mounting attacks, of which 70% only appeared on or after Dec. 4, the same day working, proof-of-concept exploits began appearing online.
Hacker interest in the flaw is high because attackers can easily exploit the vulnerability to remotely execute code on a vulnerable server without having to first authenticate. "The flaw allows unauthenticated attackers to send a single HTTP request that executes arbitrary code with the privileges of the user running the affected web server process," reported threat intelligence researchers at Google Cloud.
Observed attacks range from "opportunistic cryptominers and 'smash-and-grab' credential harvesting to sophisticated, persistent backdoors leveraging Sliver implants," cybersecurity firm Wiz said. Sliver is an open-source, cross-platform malware designed for command-and-control purposes.
The potential attack surface is large. React is used by an estimated two-fifths of the world's top 10,000 websites, including Airbnb, Meta, Netflix, Shopify and Uber. Attackers have been directly targeting the cloud environments and workloads that run frameworks in support of mission-critical enterprise applications and e-commerce platforms.
Other frameworks built on the affected webpack, parcel and turbopack packages include Next.js versions 15.x and 16.x, via its file-system-based App Router. Open-source React was initially developed by Meta, but its core development is now handled by a firm called Vercel, which also sells React deployment services.
VulnCheck said Friday that while "AI-generated slop pretending to be real exploit code" is proliferating online, at least three PoCs are being developed in different languages: Python, JavaScript and bash. "That mix reflects not only the range of developers experimenting with React2Shell, but also the simplicity of the underlying exploit, which makes it easy to reimplement in whatever language someone prefers," it said.
On Dec. 5, Vercel launched a public bug bounty program, managed by HackerOne, for any researcher who is able to bypass a web application firewall set up by Vercel. The program covers only successful React2Shell exploitations that bypass Vercel's WAF.
Attack Activity
Many attacks appear to trace to nation-state groups. Researchers at Palo Alto Networks' Unit 42 threat intelligence team said that it attributed credential theft attacks to a threat cluster it tracks as CL-STA-1015, which appears to be an initial access broker with close ties to Beijing's Ministry of State Security.
Cloud security firm Sysdig on Dec. 8 warned that hackers have been wielding tools closely linked to North Korean threat actors to exploit the React2Shell vulnerability and deploy a new remote access Trojan tracked as EtherRAT (see: Breach Roundup: DPRK-Linked EtherRAT Targets React2Shell).
Amazon Web Services previously reported that China-aligned groups that it tracks as Earth Lamia and Jackpot Panda have been exploiting the vulnerability.
Google Threat Intelligence Group researchers also reported seeing attacks they attributed to "multiple China-nexus threat clusters" - including Earth Lamia, which it tracks as UNC5454 - as well as to Iran-aligned attackers.
Some of the Chinese activity involves infecting systems with a SnowLight downloader that's been pushing VShell - an open-source, multi-platform backdoor - onto servers. In other attacks, the researchers said a China-aligned activity tracked as UNC6588 pushed a Pood backdoor payload, which "has historically been linked to suspected China-nexus espionage activity."
Researchers also saw threat activity tracked as UNC6603 deploying a new version of the Go-based Hisonic backdoor, which is designed to use legitimate cloud services such as Cloudflare Pages and GitLab to further its attacks. "Telemetry indicates this actor is targeting cloud infrastructure, specifically AWS and Alibaba Cloud instances, within the Asia-Pacific region," the researchers said.
Strong Cybercrime Interest
Researchers said they've also seen extensive chatter about how to exploit the vulnerability on underground forums, including "shared links to scanning tools, proof-of-concept code and their experiences using these tools," Google Threat Intelligence Group said.
Financially motivated attackers appeared to begin targeting the flaw by Dec. 5 for cryptomining campaigns run on cloud workloads. Multiple firms tracked initial incidents that involved the use of XMRig cryptocurrency mining malware.
GreyNoise said that more recently, it has seen exploits being used to drop MeshCentral, an open-source platform designed for remote machine management, onto targets.
Attackers often use legitimate RMM tools as C2 agents to give them "long-term control" over an infected system, and such attacks have been surging over the past year, GreyNoise said. Tracking such attacks can be difficult, with many tracing to "disposable" or fast-flux infrastructure, meaning that "by the time you've blocklisted the domain, they've spun up three more," GreyNoise said.
Huntress said some attacks it tracked have wielded a new type of backdoor malware - codenamed PeerBlight - that uses BitTorrent's distributed hash table network as a fallback command-and-control mechanism, "making it resilient to traditional domain takedowns."
Other intrusions appear to support distributed denial-of-service attack providers, since they infect servers with a variant of the Kaiji botnet, "which combines DDoS capabilities with persistence mechanisms and hardware watchdog abuse to force system reboots if the payload is killed," Huntress said.
More Vulnerabilities
On Thursday, Vercel warned that two more vulnerabilities in React and frameworks that use it, including Next.js, have been discovered by the security community.
The flaws in React Server Components include a critical-severity denial-of-service vulnerability, CVE-2025-55184, and a medium-severity source code exposure, CVE-2025-55183.
The initial fix for CVE-2025-55184 failed to fully mitigate the problem, resulting in another vulnerability tracked as CVE-2025-67779.
The vulnerabilities affect React versions 19.0.0 through 19.2.1 and Next.js versions 13.x through 16.x. "If you're running an affected version, upgrade immediately, regardless of other protections in place," Vercel said.