Threat actors have been actively exploiting a critical vulnerability in React Server Components, tracked as CVE-2025-55182 and commonly referred to as React2Shell, to compromise systems across multiple industry sectors worldwide.   React2Shell affects the Flight protocol, which is responsible for client–server communication in React Server Components. The vulnerability arises from insecure deserialization, where servers accept client-supplied data without sufficient validation.   Under specific conditions, this allows attackers to achieve remote code execution, making CVE-2025-55182 particularly dangerous in production environments. 

Exploiting CVE-2025-55182 

The campaign was first observed in December 2025, shortly after details of the vulnerability became available. According to BI.ZONE Threat Detection and Response, attackers moved quickly. “In December 2025, BI.ZONE TDR detected malicious activity targeting companies in the Russian insurance, e-commerce, and IT sectors.   The threat actors leveraged the CVE-2025-55182 (React2Shell) vulnerability,” the company reported. The primary payload observed during this phase was the XMRig cryptocurrency miner, though Kaiji, Rustobot, and the Sliver implant were also deployed.  The vulnerable packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, versions 19.0 through 19.2.0. Security patches were released in 19.0.1, 19.1.2, and 19.2.1, but exploitation continued against unpatched systems. 

Malware Deployment Following React2Shell Exploitation 

In one documented case targeting Russian organizations, attackers exploited the React2Shell vulnerability inside a container environment and executed a chained command sequence to download an ELF binary named bot from 176.117.107[.]154. This file was identified as RustoBot, a Rust-based botnet primarily associated with attacks on TOTOLINK devices. RustoBot resolves multiple domain names, including ilefttotolinkalone.anondns[.]net and rustbot.anondns[.]net—all pointing to the IP address 45.137.201[.]137.  RustoBot is capable of launching UDP flood, TCP flood, and Raw IP flood DDoS attacks, with configurable parameters such as duration, target address, and packet size. The malware also embeds XMRig as a secondary payload, monetizing compromised infrastructure.  Following the initial infection, attackers executed Base64-encoded shell commands that retrieved additional scripts from tr.earn[.]top. One of these, apaches.sh, installed an UPX-packed XMRig binary and established persistence through systemd services and cron jobs, storing files in /usr/local/sbin when executed as root or /tmp otherwise.  Further activity included the deployment of Kaiji (Ares build) via wocaosinm.sh. Kaiji supports SYN, ACK, and UDP flood attacks, WebSocket abuse, command execution, dynamic encrypted configuration files, extensive persistence mechanisms, and replacement of system utilities such as ls, ps, and netstat. The malware also deployed XMRig and attempted to conceal its presence by masquerading as legitimate system libraries.  Attackers later delivered the Sliver implant using the d5.sh script, which handled privilege-aware persistence and aggressively erased forensic traces by clearing shell history and deleting temporary files.  

Additional Campaigns and Global Targeting 

In another case, attackers exploited the same React2Shell vulnerability to deploy XMRig version 6.24.0 using setup2.sh, a modified mining script. The miner configuration included a hardcoded wallet address and companion scripts, alive.sh and lived.sh, designed to terminate competing processes while preserving the miner.  A third case involved DNS-based data exfiltration. After exploiting CVE-2025-55182, attackers executed reconnaissance commands and exfiltrated results via DNS tunneling to oastify[.]com. This was followed by the installation of XMRig from GitHub and persistence via a systemd service named system-update-service.service.  Outside Russia, it has been observed that React2Shell exploitation delivers a broader malware ecosystem. Payloads included CrossC2 for Cobalt Strike, Tactical RMM, VShell, and EtherRAT. These tools enabled long-term access, command execution, encrypted C2 communication, and stealthy persistence.  EtherRAT, in particular, retrieved its command-and-control address from an Ethereum smart contract, later contacting 91.215.85[.]42:3000 to fetch JavaScript payloads. 

The cycle of vulnerability disclosure and weaponization has shattered records once again. According to a new threat intel from Amazon Web Services (AWS), state-sponsored hacking groups linked to China began actively exploiting a critical vulnerability nicknamed "React2Shell," in popular web development frameworks mere hours after its public release.

The React2Shell vulnerability, tracked as CVE-2025-55182, affects React Server Components in React 19.x and Next.js versions 15.x and 16.x when using the App Router. The flaw carries the maximum severity score of 10.0 on the CVSS scale, enabling unauthenticated remote code execution (RCE).

The Rapid Weaponization Race

The vulnerability was publicly disclosed on Wednesday, December 3. AWS threat intelligence teams, monitoring their MadPot honeypot infrastructure, detected exploitation attempts almost immediately.

The threat actors identified in the flurry of activity are linked to known China state-nexus cyber espionage groups, including:

• Earth Lamia: Known for targeting financial services, logistics, and government organizations across Latin America, the Middle East, and Southeast Asia.

• Jackpot Panda: A group typically focused on East and Southeast Asian entities, often aligned with domestic security interests.

"China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure," stated an AWS Security Blog post announcing the findings.

The speed of operation showcased how the window between public disclosure and active attack is now measured in minutes, not days.

Also read: China-linked RedNovember Campaign Shows Importance of Patching Edge Devices

Hacker's New Strategy of Speed Over Precision

The AWS analysis also revealed a crucial insight into modern state-nexus tactics that threat groups are prioritizing volume and speed over technical accuracy.

Investigators observed that many attackers were attempting to use readily available, but often flawed, public Proof-of-Concept (PoC) exploits pulled from the GitHub security community. These PoCs frequently demonstrated fundamental technical misunderstandings of the flaw.

Despite the technical inadequacy, threat actors are aggressively throwing these PoCs at thousands of targets in a "volume-based approach," hoping to catch the small percentage of vulnerable configurations. This generates significant noise in logs but successfully maximizes their chances of finding an exploitable weak link.

Furthermore, attackers were not limiting their focus, simultaneously attempting to exploit other recent vulnerabilities, demonstrating a systematic, multi-pronged campaign to compromise targets as quickly as possible.

Call for Patching

While AWS has deployed automated protections for its managed services and customers using AWS WAF, the company is issuing an urgent warning to any entity running React or Next.js applications in their own environments (such as Amazon EC2 or containers).

The primary mitigation remains immediate patching.

"These protections aren't substitutes for patching," AWS warned. Developers must consult the official React and Next.js security advisories and update vulnerable applications immediately to prevent state-sponsored groups from gaining RCE access to their environments.

CVE-2025-55182 enables an attacker to achieve unauthenticated Remote Code Execution (RCE) in vulnerable versions of the following packages:

• react-server-dom-webpack
• react-server-dom-parcel
• react-server-dom-turbopack

AWS' findings states a cautious tale that a vulnerability with a CVSS 10.0 rating in today's times becomes a national security emergency the moment it hits the public domain.