519/68 Friday, December 12, 2025

The global cybersecurity situation has reached a critical stage as experts report a sharp and continuous rise in active exploitation of the severe React2Shell vulnerability (CVE-2025-55182) affecting React Server Components. Most recently, Palo Alto Networks Unit 42 confirmed that more than 50 organizations across the United States, Asia, and the Middle East have already been compromised. The growing severity has prompted CISA to move up the patch deadline to this Friday, instead of the previously planned late-December timeline, after observing a rapid increase in attacks against unpatched systems.
According to Shadowserver, the scope of exposure may be far broader than initially estimated. Over 165,000 IP addresses and more than 644,000 domains are considered at risk, with over half still unpatched. The threat landscape includes a wide range of attackers, from nation-state-linked groups, including those associated with North Korea and China, to cryptocurrency mining operations and ransomware gangs. Multiple malware families have already been observed in these attacks, including Snowlight, Mirai, and XMRig, which are being used to steal sensitive data and take control of compromised systems.
Some experts warn that React2Shell could be more damaging and harder to detect than the historic Log4Shell incident. Kelly Shortridge of Fastly described it as a “one-click compromise” vulnerability that allows attackers to blend seamlessly into legitimate organizational traffic, enabling intrusions to go unnoticed even in environments believed to be secure. Nearly 100 proof-of-concept (PoC) exploits have already been published, many targeting popular frameworks such as Next.js. As a result, security teams across all organizations should treat this issue as an immediate, top-priority emergency and apply patches without delay.
Source: https://cyberscoop.com/react2shell-attacks-surge-50-victims/
