React2Shell flaw (CVE-2025-55182) exploited for remote code execution
Dec. 21, 2025, 7:01 p.m.
Description
A critical vulnerability known as 'React2Shell' (CVE-2025-55182) in React Server Components has been widely exploited. The flaw allows remote code execution through unsafe handling of incoming data during deserialization. Over 165,000 vulnerable IP addresses have been identified. Post-exploitation activity includes deploying Linux loaders, establishing persistence, installing obfuscated JavaScript, and using cloud infrastructure for command and control. Both Chinese and North Korean state-sponsored groups are suspected of involvement in the attacks. Exploitation of the vulnerability is expected to expand to opportunistic cybercriminals. Organizations are advised to prioritize patching affected React infrastructure.
Date
- Created: Dec. 12, 2025, 10:09 a.m.
- Published: Dec. 12, 2025, 10:09 a.m.
- Modified: Dec. 21, 2025, 7:01 p.m.
Indicators
- 5a6fdcb5cf815ce065ee585a210c19d1c9efb45c293476554bf1516cc12a1bab
- fb3a6bdf98d5010350c04b2712c2c8357e079dec2d2a848d0dc2def2bafcc984
- 194.38.11.3