Critical React2Shell Vulnerability Exploited to Deploy Malicious Payloads
In December 2025, a critical security flaw identified as CVE-2025-55182, commonly referred to as React2Shell, was disclosed, exposing React Server Components to unauthenticated remote code execution (RCE). This vulnerability has since been actively exploited by threat actors to deploy malicious payloads, including cryptocurrency miners and tools for persistent remote access.
Understanding the React2Shell Vulnerability
CVE-2025-55182 arises from an insecure deserialization process within the React Server Components’ Flight protocol. This flaw allows attackers to send specially crafted HTTP requests that the server processes without proper validation, leading to arbitrary code execution. The vulnerability affects React versions 19.0.0, 19.1.0 through 19.1.1, and 19.2.0. Patched versions include 19.0.1, 19.1.2, and 19.2.1.
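The version boundaries above are easy to get wrong when React is pulled in more than once through a dependency tree. The following is an added example (not code from the advisory or from the React project) that classifies installed React versions against the affected and patched sets named here. It assumes the JSON shape printed by `npm ls react --json --all` (a nested `dependencies` map whose entries carry a `version` field) and checks only the package named `react`; versions outside the 19.0 to 19.2 lines, and pre-release builds, are reported as unknown rather than guessed.

```python
"""Classify installed React versions against CVE-2025-55182 (React2Shell).

Added example, not part of the original advisory. Assumes the output shape of
`npm ls react --json --all`; only the package named "react" is inspected.
"""
import json

# Affected versions as named in the advisory, and the first safe patch per 19.x line.
AFFECTED = {(19, 0, 0), (19, 1, 0), (19, 1, 1), (19, 2, 0)}
FIRST_PATCHED = {(19, 0): 1, (19, 1): 2, (19, 2): 1}   # 19.0.1, 19.1.2, 19.2.1


def parse_version(version):
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints; reject anything else."""
    parts = version.split("+")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version):
    """Return 'vulnerable', 'patched' or 'unknown' for one React version string."""
    if "-" in version:
        return "unknown"            # pre-release/canary builds are not covered by the advisory
    major, minor, patch = parse_version(version)
    if (major, minor, patch) in AFFECTED:
        return "vulnerable"
    fixed = FIRST_PATCHED.get((major, minor))
    if fixed is None:
        return "unknown"            # version line not named in the advisory
    return "patched" if patch >= fixed else "vulnerable"


def installed_react_versions(npm_ls_json, package="react"):
    """Walk `npm ls --json --all` output and collect every installed version of `package`."""
    tree = json.loads(npm_ls_json) if isinstance(npm_ls_json, str) else npm_ls_json
    found = set()

    def walk(node):
        for name, child in (node.get("dependencies") or {}).items():
            if name == package and "version" in child:
                found.add(child["version"])
            walk(child)                 # nested copies of React count too

    walk(tree)
    return sorted(found)


def audit(npm_ls_json):
    """Map each installed React version to its classification."""
    return {v: classify(v) for v in installed_react_versions(npm_ls_json)}


# Constructed sample: a project with a vulnerable top-level React and a patched nested copy.
SAMPLE_NPM_LS = json.dumps({
    "name": "webapp", "version": "1.0.0",
    "dependencies": {
        "react": {"version": "19.1.1"},
        "some-ui-lib": {"version": "2.3.0",
                        "dependencies": {"react": {"version": "19.2.1"}}},
    },
})

if __name__ == "__main__":
    for version, status in audit(SAMPLE_NPM_LS).items():
        print(f"react@{version}: {status}")
```

Run it against real output with `npm ls react --json --all > tree.json` and feed the file contents to `audit()`; any entry reported as vulnerable means that copy of React must move to 19.0.1, 19.1.2 or 19.2.1 as appropriate.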
Exploitation Campaigns and Threat Actors
Recent telemetry data indicates a significant shift from broad scanning to concentrated, high-volume attack campaigns targeting this vulnerability. Between January 26 and February 2, 2026, two primary threat actors were responsible for 56% of observed malicious sessions:
1. Cryptomining Campaign (IP: 87.121.84[.]24): This actor accounted for 22% of the traffic, executing scripts to download and run XMRig cryptocurrency mining software from staging servers.
2. Interactive Access Campaign (IP: 193.142.147[.]209): Responsible for 34% of the traffic, this actor established reverse shells directly back to the scanner IP on port 12323, indicating an intent for interactive network access and potential lateral movement.
Further analysis revealed that the cryptomining infrastructure has a history of malicious activity, with staging servers hosting attacker-controlled domains since 2020. Adjacent IP addresses in the same subnet are distributing variants of Mirai and Gafgyt malware, suggesting a broader botnet operation targeting both enterprise servers and consumer IoT devices.
Technical Details of the Exploitation
The exploitation process involves sending a malicious HTTP POST request to the server, leveraging the deserialization flaw to execute arbitrary code. Attackers have been observed targeting development ports, particularly those exposed due to misconfigurations where servers are bound to all network interfaces (e.g., using the `--host 0.0.0.0` flag). Commonly targeted ports include 443, 80, 3000, 3001, and 3002.
Indicators of Compromise (IOCs)
Organizations should monitor for the following IOCs associated with these exploitation campaigns:
– Network Indicators:
  – Attacker Source IPs:
    – 193.142.147[.]209 (Reverse Shell / Interactive Access)
    – 87.121.84[.]24 (XMRig Cryptominer Dropper)
  – Staging Servers:
    – 205.185.127[.]97 (Payload Hosting)
    – 176.65.132[.]224 (Payload Hosting)
– Network Artifacts:
  – Reverse Shell Port: TCP/12323
  – Unusual HTTP POST requests containing `Next-Action` headers.
– File Hashes:
  – [Hash pending further analysis] – XMRig Binary (ELF) retrieved from 205.185.127[.]97.
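The IOCs above translate directly into two detection rules: inbound POST requests carrying a `Next-Action` header (a legitimate header for Next.js server actions, so it is a triage signal, not proof on its own), and outbound connections to the listed IPs or to TCP/12323. The following added example (not code from the advisory) runs both rules over constructed log records; it assumes HTTP records are dicts with `src_ip`, `method`, `dst_port` and a `headers` map, and flow records are dicts with `src_ip`, `dst_ip`, `dst_port` and `direction`. The IP addresses are the advisory's, kept in defanged form and refanged only for matching.

```python
"""Detection rules for the React2Shell (CVE-2025-55182) IOCs listed in the advisory.

Added example, not part of the original advisory. The record layouts below are
assumptions; adapt the field names to your own web-server and flow logs.
"""

# IOCs copied from the advisory in defanged form.
ATTACKER_IPS_DEFANGED = {"193.142.147[.]209": "reverse shell / interactive access",
                         "87.121.84[.]24": "XMRig cryptominer dropper"}
STAGING_IPS_DEFANGED = {"205.185.127[.]97": "payload hosting",
                        "176.65.132[.]224": "payload hosting"}
REVERSE_SHELL_PORT = 12323
DEV_PORTS = {3000, 3001, 3002}          # development ports named in the advisory


def refang(ip):
    """Turn '1.2.3[.]4' into '1.2.3.4' so it can be matched against log fields."""
    return ip.replace("[.]", ".")


ATTACKER_IPS = {refang(k): v for k, v in ATTACKER_IPS_DEFANGED.items()}
STAGING_IPS = {refang(k): v for k, v in STAGING_IPS_DEFANGED.items()}


def flag_http_requests(records):
    """Flag POST requests with a Next-Action header; raise severity on IOC hits or dev ports."""
    alerts = []
    for r in records:
        headers = {k.lower(): v for k, v in r.get("headers", {}).items()}
        if r.get("method", "").upper() != "POST" or "next-action" not in headers:
            continue
        reasons = ["POST request carrying a Next-Action header"]
        severity = "review"              # header is legitimate for Next.js server actions
        if r["src_ip"] in ATTACKER_IPS:
            reasons.append(f"source IP is a known attacker ({ATTACKER_IPS[r['src_ip']]})")
            severity = "high"
        if r.get("dst_port") in DEV_PORTS:
            reasons.append(f"request reached development port {r['dst_port']}")
            severity = "high"
        alerts.append({"ts": r.get("ts"), "src_ip": r["src_ip"],
                       "severity": severity, "reasons": reasons})
    return alerts


def flag_connections(flows):
    """Flag outbound flows to attacker or staging IPs, or to the reverse-shell port."""
    alerts = []
    for f in flows:
        if f.get("direction") != "outbound":
            continue
        dst, reasons = f["dst_ip"], []
        if dst in ATTACKER_IPS:
            reasons.append(f"outbound to attacker IP ({ATTACKER_IPS[dst]})")
        if dst in STAGING_IPS:
            reasons.append(f"outbound to staging server ({STAGING_IPS[dst]})")
        if f.get("dst_port") == REVERSE_SHELL_PORT:
            reasons.append(f"outbound to TCP/{REVERSE_SHELL_PORT} (reverse shell port)")
        if reasons:
            alerts.append({"ts": f.get("ts"), "src_ip": f["src_ip"], "dst_ip": dst,
                           "dst_port": f.get("dst_port"), "reasons": reasons})
    return alerts


# Constructed sample records (header values and non-IOC addresses are placeholders).
HTTP_LOG = [
    {"ts": "2026-01-28T03:14:07Z", "src_ip": "87.121.84.24", "method": "POST", "path": "/",
     "dst_port": 3000, "headers": {"Next-Action": "action-id-placeholder", "Content-Type": "text/plain"}},
    {"ts": "2026-01-28T03:14:09Z", "src_ip": "10.0.0.12", "method": "GET", "path": "/dashboard",
     "dst_port": 443, "headers": {"Accept": "text/html"}},
    {"ts": "2026-01-28T03:15:00Z", "src_ip": "203.0.113.5", "method": "POST", "path": "/",
     "dst_port": 443, "headers": {"next-action": "action-id-placeholder"}},
]
NETFLOW = [
    {"ts": "2026-01-28T03:14:08Z", "src_ip": "10.0.0.12", "dst_ip": "193.142.147.209",
     "dst_port": 12323, "direction": "outbound"},
    {"ts": "2026-01-28T03:14:10Z", "src_ip": "10.0.0.12", "dst_ip": "205.185.127.97",
     "dst_port": 80, "direction": "outbound"},
    {"ts": "2026-01-28T03:14:11Z", "src_ip": "10.0.0.12", "dst_ip": "198.51.100.7",
     "dst_port": 443, "direction": "outbound"},
]

if __name__ == "__main__":
    for a in flag_http_requests(HTTP_LOG) + flag_connections(NETFLOW):
        print(a)
```

The `review` severity exists because a production Next.js site legitimately receives `Next-Action` POSTs; baseline the normal action IDs and source populations first, and escalate only on the IOC matches, the development-port hits, or a sudden volume change.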
Mitigation Strategies
To protect against exploitation of CVE-2025-55182, organizations should:
1. Apply Patches Promptly: Update React Server Components to the latest patched versions (19.0.1, 19.1.2, or 19.2.1) to remediate the vulnerability.
2. Restrict Network Access: Limit exposure of development ports by configuring servers to bind only to necessary network interfaces and implementing firewall rules to restrict access.
3. Monitor for Suspicious Activity: Implement monitoring for unusual network traffic patterns, especially outbound connections to known malicious IPs and unexpected HTTP POST requests.
4. Review Server Configurations: Ensure that servers are not inadvertently exposed to the public internet due to misconfigurations, such as binding to all network interfaces.
5. Implement Runtime Detection: Utilize runtime detection tools to identify and respond to unauthorized code execution attempts in real time.
Conclusion
The active exploitation of the React2Shell vulnerability underscores the critical importance of timely patching and vigilant monitoring. Organizations utilizing React Server Components must take immediate action to secure their systems against these sophisticated attack campaigns.