Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
Dec. 21, 2025, 7:03 p.m.
Description
A critical remote code execution vulnerability in React Server Components, CVE-2025-55182, has been widely exploited by various threat actors. China-nexus espionage groups and financially motivated actors have been observed leveraging this vulnerability to deploy malware such as MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, COMPOOD backdoor, and XMRIG cryptocurrency miners. The vulnerability affects multiple versions of React packages and has a CVSS score of 10.0. Exploitation chains include the use of bash scripts, cURL, and wget to download and execute payloads. Affected organizations are advised to patch immediately, deploy WAF rules, audit dependencies, monitor network traffic, and hunt for indicators of compromise.
Date
- Created: Dec. 13, 2025, 10:37 a.m.
- Published: Dec. 13, 2025, 10:37 a.m.
- Modified: Dec. 21, 2025, 7:03 p.m.
Indicators
Additional Information
- Finance
- Government and administrations
- Technologies
- reactcdn.windowserrorapis.com
- G_Hunting_Downloader_SNOWLIGHT_1
- G_Backdoor_COMPOOD_1
- G_APT_Tunneler_MINOCAT_1
- Taiwan
- China