Home > Security > Security News

React2Shell Now Used for Persistent Server Compromise

Published
Written by:
Vishwa Pandagle
Vishwa Pandagle
Cybersecurity Staff Editor
Server Room - Laptop - Dashboard
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google

Key Takeaways

React2Shell vulnerability exploitation is turning into multiple campaigns. What started as a scanning activity following public disclosure in early December is growing into a vector for persistence and state-aligned threat actors.

Kaspersky recorded several exploitation attempts within a single day using Mirai and Gafgyt malware variants. Patching prevents new exploitation but does not remove existing persistence.

React2Shell Vulnerability Exploitation

CVE-2025-55182  is a remote code execution vulnerability in server-side React frameworks. It impacts the React Server Components Flight protocol used by frameworks such as Next.js. The flaw allows attackers to execute privileged JavaScript on application servers.

Exploitation requires only a single unauthenticated HTTP request. The vulnerability stems from unsafe deserialization in the React Server Components protocol. After attackers send requests that inject malicious logic into server-side execution paths, the server processes the input as trusted code. 

This allows attackers to run arbitrary JavaScript with application-level privileges. All this without the need for user interaction, or elevated privileges. Once the malicious code is injected, internet-facing applications get exposed to exploitation.  

How the Threat Evolved 

Sysdig researchers observed React2Shell being used as an initial access vector and to deploy EtherRAT. EtherRAT is designed for persistence rather than immediate monetization. According to Sysdig, once EtherRAT resolves the C2 URL from the blockchain, it enters a polling loop that executes every 500 milliseconds.

"EtherRAT includes a capability not observed in other React2Shell payloads. On first successful C2 contact, it sends its own source code to a /api/reobf/ endpoint," the Sysdig research added.

Qualys analysis says that EtherRAT complicates defense by deploying customized payloads in each compromised system. This reduces detection by signature-based security tools. Qualys and Sysdig researchers also observed the following:

A researcher also identified an open directory hosting React2Shell exploit tooling. The directory included curated domain and URL target lists. Threat actors are assessed to be actively scanning and infecting selected targets.

How to Reduce Risk

Organizations should patch affected React-based frameworks as fixes addressing the deserialization flaw have been released. Vulnerable Next.js and related framework versions should also be updated.

Repeated Ethereum RPC queries from servers may indicate compromise. Unexpected Node.js process execution should be investigated and internet-facing applications should be reviewed for exposure. Linux persistence mechanisms must be audited.

Risk Posed to Government Agencies

Government agencies running React-based public or internal portals face risk. Critical-infrastructure organizations are exposed through regulatory, administrative and monitoring web applications built on React-based frameworks. 

Enterprises operating cloud-hosted React and Next.js applications also remain vulnerable to exploitation with Cloudflare reporting academic institutions and research networks being selectively targeted.

The vulnerability affects web application infrastructure. Any operational technology impact would be indirect, resulting from compromised IT-facing systems rather than direct access to industrial control systems.

Add a Comment
Related
Woman - Papers - Charts - Gavel
Former Cloud Platform Manager Charged for Concealing Noncompliance to Secure Army Sponsorship, Raising Federal Security Risks
Hacker - Laptop - Defense
Mikord Data Breach: Claims of Russia’s Military Draft Systems Hack Shared via 'Idite Lesom'
System Update - Phone - Install
DroidLock: Malware Build for Extortion, Device Takeover, and Insider Risk in Spain
Driver - BYOVD - Ransom Note - Warning
DeadLock Ransomware Uses New BYOVD Loader Exploiting Driver Vulnerability to Disable EDR
Laptop - Gavel - World Map
Global Cybercrime Roundup: Telegram Increases Blocks, Coupang Investigation Reveals More, Spain and the US Arrest Hackers
us court
DOJ Announces Actions Against Alleged Key Member of Russian Cybercriminal Groups NoName057(16) and CARR (Z-Pentest)
Most Popular
Woman - Papers - Charts - Gavel
Former Cloud Platform Manager Charged for Concealing Noncompliance to Secure Army Sponsorship, Raising Federal Security Risks
Hacker - Laptop - Defense
Mikord Data Breach: Claims of Russia’s Military Draft Systems Hack Shared via 'Idite Lesom'
System Update - Phone - Install
DroidLock: Malware Build for Extortion, Device Takeover, and Insider Risk in Spain
Taiwan Blocks RedNote App, Sparking VPN Surge
Taiwan Blocks RedNote App, Sparking VPN Surge
UK Age Verification Witnesses Boost in VPN Usage and Drop in Porn Traffic
UK Age Verification Witnesses Boost in VPN Usage and Drop in Porn Traffic
Mullvad Removes OpenVPN Support in Latest Desktop App Update
Former Cloud Platform Manager Charged for Concealing Noncompliance to Secure Army Sponsorship, Raising Federal Security Risks
Mikord Data Breach: Claims of Russia’s Military Draft Systems Hack Shared via 'Idite Lesom'
DroidLock: Malware Build for Extortion, Device Takeover, and Insider Risk in Spain
Taiwan Blocks RedNote App, Sparking VPN Surge
UK Age Verification Witnesses Boost in VPN Usage and Drop in Porn Traffic
Mullvad Removes OpenVPN Support in Latest Desktop App Update

Most Popular
Woman - Papers - Charts - Gavel
Former Cloud Platform Manager Charged for Concealing Noncompliance to Secure Army Sponsorship, Raising Federal Security Risks
Hacker - Laptop - Defense
Mikord Data Breach: Claims of Russia’s Military Draft Systems Hack Shared via 'Idite Lesom'
System Update - Phone - Install
DroidLock: Malware Build for Extortion, Device Takeover, and Insider Risk in Spain
Taiwan Blocks RedNote App, Sparking VPN Surge
Taiwan Blocks RedNote App, Sparking VPN Surge
UK Age Verification Witnesses Boost in VPN Usage and Drop in Porn Traffic
UK Age Verification Witnesses Boost in VPN Usage and Drop in Porn Traffic
Mullvad Removes OpenVPN Support in Latest Desktop App Update
Former Cloud Platform Manager Charged for Concealing Noncompliance to Secure Army Sponsorship, Raising Federal Security Risks
Mikord Data Breach: Claims of Russia’s Military Draft Systems Hack Shared via 'Idite Lesom'
DroidLock: Malware Build for Extortion, Device Takeover, and Insider Risk in Spain
Taiwan Blocks RedNote App, Sparking VPN Surge
UK Age Verification Witnesses Boost in VPN Usage and Drop in Porn Traffic
Mullvad Removes OpenVPN Support in Latest Desktop App Update

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: