Hackers Exploit React2Shell Flaw to Hijack NGINX Web Traffic via Malicious Configurations

Cybersecurity researchers have uncovered an active web traffic hijacking campaign targeting NGINX installations and management panels like Baota (BT). This campaign exploits the critical React2Shell vulnerability (CVE-2025-55182), allowing attackers to intercept and reroute legitimate web traffic through their infrastructure.

Understanding React2Shell (CVE-2025-55182):

React2Shell is a severe remote code execution (RCE) vulnerability affecting React Server Components (RSC) and related frameworks, including Next.js. With a CVSS score of 10.0, this flaw enables unauthenticated attackers to execute arbitrary code on vulnerable servers by sending specially crafted HTTP requests. The vulnerability arises from unsafe deserialization processes within the Flight protocol used by RSC, allowing attackers to inject malicious structures that React accepts as valid, leading to prototype pollution and remote code execution. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/?msockid=29945efb4ebb645e2b07480f4f5f6538&utm_source=openai))

The Hijacking Campaign:

Datadog Security Labs observed threat actors leveraging the React2Shell vulnerability to inject malicious configurations into NGINX servers. These configurations intercept legitimate web traffic and redirect it to attacker-controlled backend servers. The campaign primarily targets domains with Asian top-level domains (TLDs) such as .in, .id, .pe, .bd, and .th, as well as Chinese hosting infrastructures like the Baota Panel, and government and educational TLDs (.edu, .gov).

Mechanism of Attack:

The attackers employ a series of shell scripts to manipulate NGINX configurations:

– zx.sh: Acts as the orchestrator, executing subsequent stages using utilities like curl or wget. If these are blocked, it establishes a raw TCP connection to send HTTP requests.

– bt.sh: Targets the Baota (BT) Management Panel environment to overwrite NGINX configuration files.

– 4zdh.sh: Enumerates common NGINX configuration locations and minimizes errors when creating new configurations.

– zdh.sh: Focuses on Linux or containerized NGINX configurations, specifically targeting TLDs such as .in and .id.

– ok.sh: Generates reports detailing all active NGINX traffic hijacking rules.

These scripts facilitate persistence and create malicious configuration files that redirect web traffic through attacker-controlled servers.

Scope of Exploitation:

GreyNoise reported that two IP addresses—193.142.147[.]209 and 87.121.84[.]24—accounted for 56% of all observed exploitation attempts two months after React2Shell was publicly disclosed. Between January 26 and February 2, 2026, a total of 1,083 unique source IP addresses were involved in React2Shell exploitation. The dominant sources deployed distinct post-exploitation payloads: one retrieved cryptomining binaries from staging servers, while the other opened reverse shells directly to the scanner IP, indicating an interest in interactive access rather than automated resource extraction.

Mitigation Measures:

To protect against this campaign, organizations should:

1. Patch Vulnerable Systems: Update React Server Components and related frameworks to the latest versions that address the React2Shell vulnerability.

2. Review NGINX Configurations: Regularly audit NGINX configuration files for unauthorized changes or malicious directives.

3. Monitor Network Traffic: Implement monitoring solutions to detect unusual traffic patterns or unauthorized redirections.

4. Restrict Access: Limit access to management panels like Baota to trusted IP addresses and implement multi-factor authentication.

5. Deploy Web Application Firewalls (WAFs): Use WAFs to detect and block malicious HTTP requests attempting to exploit known vulnerabilities.
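A defender-side check for step 2, as an added example that is not part of the article or of any tool it names: it scans NGINX configuration text for proxy_pass, fastcgi_pass, return 30x and rewrite directives whose literal destination host is not on an allowlist, which is the shape of the traffic-redirecting rules described above. The allowlist, the sample configuration and the 203.0.113.10 address in it are constructed for the example (assumptions, not indicators from the campaign).

```python
import re

# Assumption for this example: these are the only hosts this server is allowed
# to proxy or redirect to; any other literal destination is a hijack candidate.
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "app_backend"}

# Directives that can hand a client's request to another origin, each capturing
# its destination argument.
DIRECTIVE_PATTERNS = {
    "proxy_pass": re.compile(r"\bproxy_pass\s+(\S+?)\s*;"),
    "fastcgi_pass": re.compile(r"\bfastcgi_pass\s+(\S+?)\s*;"),
    "return": re.compile(r"\breturn\s+30[1278]\s+(\S+?)\s*;"),
    "rewrite": re.compile(r"\brewrite\s+\S+\s+(\S+?)(?:\s+\w+)?\s*;"),
}


def target_host(target):
    """Reduce 'http://203.0.113.10:8080/x' to '203.0.113.10'; '/path' gives ''."""
    if target.startswith("unix:"):
        return "unix-socket"
    target = re.sub(r"^https?://", "", target)
    return re.split(r"[/:]", target, maxsplit=1)[0]


def audit_config(text, allowed=ALLOWED_HOSTS):
    """Return (directive, line, host) for every literal destination that is not
    on the allowlist. Variable targets such as $host (the usual http->https
    redirect), local paths and unix sockets are skipped rather than flagged."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments but keep line numbering
    findings = []
    for name, pattern in DIRECTIVE_PATTERNS.items():
        for m in pattern.finditer(text):
            host = target_host(m.group(1))
            if not host or host.startswith("$") or host == "unix-socket":
                continue
            if host in allowed:
                continue
            findings.append((name, text.count("\n", 0, m.start()) + 1, host))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample: a normal site block with two hijack-style directives added.
SAMPLE_CONF = r"""server {
    listen 80;
    server_name example.in;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.in;
    location /api/ { proxy_pass http://127.0.0.1:3000; }
    location ~ \.php$ { fastcgi_pass unix:/run/php/php-fpm.sock; }
    location / { proxy_pass http://203.0.113.10:8080/; }
    location /old/ { rewrite ^/old/(.*)$ http://203.0.113.10/$1 permanent; }
}
"""

if __name__ == "__main__":
    for directive, line, host in audit_config(SAMPLE_CONF):
        print(f"line {line}: {directive} sends traffic to {host} (not allowlisted)")
```

In practice run audit_config over every file under the NGINX include directories (the scripts above enumerate the same locations) and diff the findings against a known-good baseline on a schedule.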

By taking these steps, organizations can mitigate the risks associated with the React2Shell vulnerability and protect their web infrastructure from hijacking attempts.