510/68 Monday, December 8, 2025

Cybersecurity researchers have confirmed that the critical React2Shell (CVE-2025-55182) vulnerability is being actively exploited, exposing systems using React Server Components and related frameworks such as Next.js to unauthenticated remote code execution (RCE) via a single crafted HTTP request. At least 30 organizations worldwide have been compromised, and more than 77,000 publicly exposed IP addresses remain unpatched. Developers are being urged to update to the latest version of React, followed by a full rebuild and redeploy of affected applications.
Following public disclosure of the vulnerability on December 3, exploitation activity surged rapidly, with more than 180 IP addresses observed attempting attacks within 24 hours. Attack origins were mainly traced to the Netherlands, China, the United States, and Hong Kong. Threat actors have been seen executing PowerShell commands to probe for weaknesses and download additional scripts directly into memory. Some cases involved disabling AMSI to bypass security controls, as well as deploying Cobalt Strike to establish persistent access for further operations. Intelligence teams from Palo Alto Networks and AWS report links to state-sponsored threat actors associated with China and have observed the use of Snowlight and Vshell malware to enable remote access and facilitate lateral movement inside compromised networks.
Cybersecurity agencies have indicated that attacks are now widespread. Cloudflare deployed emergency Web Application Firewall rules, which initially caused outages on some websites before the rules were refined. Additionally, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and mandated that U.S. federal agencies remediate the issue by December 26, 2025. Organizations using React Server Components are urged to immediately apply patches, audit PowerShell and shell execution logs, and increase monitoring for abnormal server behavior to mitigate the risk of continued attacks.
