It didn’t take long: CVE-2025-55182 is now under active exploitation

Dec. 21, 2025, 7:01 p.m.

Description

A critical vulnerability (CVE-2025-55182) affecting React Server Components has been actively exploited since its disclosure on December 4, 2025. The flaw, dubbed React4Shell, allows attackers to execute commands and manipulate files on vulnerable web applications. Kaspersky honeypots detected a surge in exploitation attempts, with attackers deploying various malware, including crypto miners and the RondoDox botnet. The vulnerability affects multiple React-related packages and bundles. Threat actors are leveraging this exploit to steal credentials, compromise cloud infrastructures, and potentially launch supply chain attacks. Immediate patching and implementation of security measures are strongly recommended to mitigate risks associated with this high-severity vulnerability.

Date

  • Created: Dec. 11, 2025, 3:16 p.m.
  • Published: Dec. 11, 2025, 3:16 p.m.
  • Modified: Dec. 21, 2025, 7:01 p.m.

Indicators


Attack Patterns

Additional Information

  • gfxnick.emerald.usbx.me
  • api.hellknight.xyz

Linked vulnerabilities