Tue. Mar 3rd, 2026

State-linked groups target critical vulnerability in React Server Components

Shadowserver reported more than 77,600 IPs that are vulnerable
Researchers warn that critical vulnerabilities in Meta's React Server Components and the Next.js framework built on them are being exploited by botnets and state-linked adversaries.

China-nexus threat groups tracked as Earth Lamia and Jackpot Panda attempted to exploit a React vulnerability tracked as CVE-2025-55182 within hours of the flaw being disclosed, according to a blog post by CJ Moses, chief information security officer at Amazon.

The vulnerability, dubbed React2Shell, lets an unauthenticated attacker achieve remote code execution through unsafe deserialization of payloads sent to React Server Function endpoints.

Palo Alto Networks has identified more than 30 organisations hit by the exploitation activity. Its researchers link the activity to a state-linked group tracked as CL-STA-1015, also known as UNC5174, an initial access broker with ties to China's Ministry of State Security.

“We have observed scanning for vulnerable RCE, reconnaissance activity, attempted theft of AWS configuration and credential files, as well as installation of downloaders to retrieve payloads from attacker command and control infrastructure,” Justin Moore, senior manager of threat intel research at Palo Alto Networks' Unit 42, told Cybersecurity Dive.

Snowlight and Vshell malware were also deployed during the attacks, according to Moore.

Researchers at GreyNoise are seeing opportunistic, mostly automated attempts to exploit React2Shell, according to a blog post, and report that the flaw is beginning to be “added to Mirai and other botnet exploitation kits.”

The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Shadowserver reported more than 77,600 IP addresses vulnerable to React2Shell, based on a detection methodology from Assetnote. The US is the most affected country, with more than 23,700 IPs.

Researchers at Palo Alto Networks said nearly 970,000 servers run modern frameworks such as React and Next.js, so the exposure is widespread.

“This newly discovered flaw is a critical threat because it is a master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures,” said Moore. “The system executes the malicious payload with the same reliability as legitimate code because it operates exactly as intended, but on malicious input.”

Security researcher Lachlan Davidson disclosed the vulnerability to the React team on 29 November through the Meta Bug Bounty programme. React issued a patch for the flaw on Wednesday and urged users to upgrade immediately.

Cybersecurity Dive
