
"Half of the internet-facing systems vulnerable to a fast-moving React remote code execution flaw remain unpatched, even as exploitation has exploded into more than a dozen active attack clusters ranging from bargain-basement cryptominers to state-linked intrusion tooling. That's the assessment from Alon Schindel, VP of AI and Threat Research at Wiz, who says CVE-2025-55182 - the React server-side vulnerability dubbed "React2Shell" - is now being actively exploited at scale,"
"According to Wiz's latest telemetry, roughly 50 percent of publicly exposed resources known to be vulnerable are still running unpatched code, giving attackers a comfortable head start. The critical-severity flaw, first disclosed earlier this month, affects React Server Components and dependent frameworks such as Next.js and stems from unsafe deserialization in React's server-side packages, allowing an unauthenticated attacker to send a crafted request to achieve remote code execution."
"What began as opportunistic scanning and cryptomining has now broadened into something messier. Wiz says it is seeing a clear split between "commodity" exploitation - dominated by familiar cryptomining operations using tools like Kinsing, C3Pool, and custom loaders - and more deliberate intrusion sets deploying post-exploitation frameworks and bespoke malware. Among the clusters observed are Python-based campaigns masquerading as miner droppers while quietly exfiltrating secrets, Sliver command-and-control infrastructure used for hands-on-keyboard operations, and a JavaScript file injector that systematically infects every server-side *"
Roughly half of the publicly exposed React server resources known to be vulnerable remain unpatched against CVE-2025-55182, leaving a widespread attack surface for unauthenticated remote code execution. The flaw affects React Server Components and dependent frameworks such as Next.js; it stems from unsafe deserialization in React's server-side packages, so a crafted request is enough to trigger RCE. Researchers have observed at least 15 distinct intrusion clusters exploiting the bug, ranging from low-sophistication cryptomining operations to hands-on-keyboard intrusion tooling. Observed activity includes Kinsing and C3Pool miners, Python campaigns that exfiltrate secrets while posing as miner droppers, Sliver command-and-control infrastructure, and a JavaScript file injector that infects server-side deployments.
Read at Theregister