Cryptominers, Reverse Shells Dropped in Recent React2Shell Attacks
Briefly

"React2Shell exploitation activity remains strong, with over 1.4 million attempts observed over the past week, GreyNoise reports. A critical-severity vulnerability in version 19 of the open source JavaScript library React (React.js), React2Shell is tracked as CVE-2025-55182 (CVSS score of 10). The issue can be exploited without authentication to achieve remote code execution (RCE) via a single HTTP POST request and the activity surrounding it surged after a Metasploit module was published."
"The bug is related to the decoding of payloads sent to React Server Function endpoints. Even applications without React Server Function endpoints may be vulnerable if they support React Server Components (RSC). Exploitation of the flaw started roughly two days after public disclosure in early December, and both state-sponsored threat actors and cybercrime groups have been observed targeting it. According to GreyNoise, over 1,000 IP addresses have been involved in React2Shell exploitation over the past week."
"The threat intelligence firm observed 488,342 attack sessions, representing 34% of the exploitation activity, originating from 193.142.147[.]209 and leading to the deployment of a reverse shell. These attacks, GreyNoise says, were likely aimed at setting up interactive access to the vulnerable instances rather than automated data theft. The second IP address that stood out, 87.121.84[.]24, was responsible for 311,484 attack sessions, representing 22% of the malicious activity."
React2Shell (CVE-2025-55182) is a critical-severity vulnerability in React 19 that allows unauthenticated remote code execution via a single HTTP POST request. The flaw stems from improper decoding of payloads sent to React Server Function endpoints, and applications that support React Server Components may also be vulnerable even without such endpoints. Exploitation began roughly two days after disclosure and intensified after a Metasploit module was published. Both state-sponsored and cybercrime groups have been observed targeting the flaw. Over 1,000 IPs engaged in attacks, with two IPs responsible for the majority of sessions, leading to reverse shells and XMRig cryptominer deployments from long-used staging servers.
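As an added defender-side example (not part of the SecurityWeek or GreyNoise material), the following Python script triages web-server access logs the way a responder would after reading the report above: it parses combined-format lines, counts POST requests per source address, refangs and matches the two source IPs the report names, and computes each flagged address's share of POST traffic, mirroring the per-IP session shares GreyNoise reports. The combined log format, the simplification that one POST equals one attack session, and the sample log lines are all assumptions constructed for this example.

```python
"""Access-log triage for React2Shell-style POST activity.

Added example; not code from SecurityWeek, GreyNoise, or the React project.
Assumptions: logs are in Apache/Nginx combined format, and every POST from a
watchlisted source counts as one 'attack session'. The sample lines are constructed.
"""

import re
from collections import Counter

# Source IPs the report attributes to React2Shell activity. They appear defanged
# on the page ("[.]"), so refang them before matching against real log fields.
WATCHLIST = {s.replace("[.]", ".") for s in ("193.142.147[.]209", "87.121.84[.]24")}

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two watchlisted sources, a benign GET, an unrelated POST,
# and one malformed line to make sure the parser tolerates junk.
SAMPLE_LOG = """\
193.142.147.209 - - [10/Dec/2025:10:00:01 +0000] "POST / HTTP/1.1" 500 512 "-" "python-requests/2.31"
193.142.147.209 - - [10/Dec/2025:10:00:02 +0000] "POST / HTTP/1.1" 500 512 "-" "python-requests/2.31"
87.121.84.24 - - [10/Dec/2025:10:00:03 +0000] "POST /app HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.7 - - [10/Dec/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2025:10:00:05 +0000] "POST /api/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is garbage and must not crash the parser
"""


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize_post_sessions(log_text):
    """Count POST requests per source IP and flag watchlisted sources.

    Returns (posts_by_ip, flagged): posts_by_ip is a Counter of POST requests per
    source address; flagged maps each watchlisted address seen to its percentage
    share of all POST requests, rounded to one decimal.
    """
    posts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        posts[rec["ip"]] += 1
    total = sum(posts.values())
    flagged = {ip: round(100 * n / total, 1) for ip, n in posts.items() if ip in WATCHLIST}
    return posts, flagged


if __name__ == "__main__":
    posts, flagged = summarize_post_sessions(SAMPLE_LOG)
    for ip, n in posts.most_common():
        tag = "WATCHLIST" if ip in WATCHLIST else ""
        print(f"{ip:16} POST={n:4} {tag}")
    print("flagged shares:", flagged)
```

On the constructed sample the two watchlisted addresses account for 50% and 25% of POST traffic; on real logs the same function gives the per-source breakdown needed to decide which sessions to pull for reverse-shell and miner follow-up.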
Read at SecurityWeek