React2Shell Vulnerability Exploited to Deploy Linux Backdoors
The React2Shell vulnerability, tracked as CVE-2025-55182 and rated CVSS 10.0, is being actively exploited to deploy Linux backdoors such as KSwapDoor and ZnDoor. The flaw in React Server Components (RSC) allows unauthenticated remote code execution, so any internet-facing application built on a vulnerable RSC release can be taken over without credentials.
KSwapDoor: A Stealthy Remote Access Tool
Palo Alto Networks Unit 42 has reported that KSwapDoor is a professionally engineered remote access tool built for stealth. It forms an internal mesh network among compromised servers, enabling them to communicate covertly and evade detection. The malware encrypts its communications and has a 'sleeper' mode in which it stays dormant, and invisible to routine monitoring, until it receives a specific trigger signal.
KSwapDoor offers interactive shell access, command execution, file operations, and scanning for lateral movement. To avoid detection, it masquerades as the Linux kernel's swap daemon (the kernel thread that appears as kswapd0 in process listings). This level of engineering underscores how capable the actors exploiting React2Shell are.
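A process that borrows a kernel thread's name can still be told apart from the real thing: genuine kernel threads are children of kthreadd (PID 2), have an empty command line and no executable on disk behind /proc/PID/exe. The check below is an added example, not Unit 42's tooling and not derived from a KSwapDoor sample; it assumes the backdoor copies the kswapd0 name (or another kernel thread name) and flags any such process that fails those three tests. The process table is constructed for the demonstration, and `read_live_procs()` builds the same table from /proc on a real host.

```python
"""Hunt for user-space processes that impersonate a Linux kernel thread.

Added example; not Unit 42's code. Assumes the malware reuses a kernel
thread name such as kswapd0 (the page only says it poses as the swap daemon).
"""
import os
from dataclasses import dataclass
from typing import Iterable, List

# Thread-name prefixes the kernel uses, with the "/N" suffix and trailing digits removed.
KERNEL_THREAD_PREFIXES = {"kthreadd", "kswapd", "ksoftirqd", "kworker",
                          "migration", "rcu_sched", "kcompactd", "khugepaged"}


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm
    cmdline: str   # /proc/<pid>/cmdline joined with spaces; "" for kernel threads
    exe: str       # target of /proc/<pid>/exe; "" when it cannot be resolved


def base_name(name: str) -> str:
    """'kworker/u8:3' -> 'kworker', '[kswapd0]' -> 'kswapd'."""
    return name.strip("[]").split("/", 1)[0].rstrip("0123456789")


def uses_kernel_thread_name(p: Proc) -> bool:
    """True if either the comm or argv[0] looks like a kernel thread name
    (malware often sets argv[0] to '[kswapd0]' to mimic ps output)."""
    first_arg = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
    return (base_name(p.comm) in KERNEL_THREAD_PREFIXES
            or base_name(first_arg) in KERNEL_THREAD_PREFIXES)


def is_real_kernel_thread(p: Proc) -> bool:
    """Genuine kernel threads are kthreadd (pid 2) or its children, have no
    command line and no resolvable executable on disk."""
    return (p.pid == 2 or p.ppid == 2) and p.cmdline == "" and p.exe == ""


def find_kthread_impostors(procs: Iterable[Proc]) -> List[Proc]:
    return [p for p in procs if uses_kernel_thread_name(p) and not is_real_kernel_thread(p)]


def read_live_procs() -> List[Proc]:
    """Build the process table from /proc (root needed to read exe of other users' processes)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/stat") as f:
                # "pid (comm) state ppid ..." -- split after the last ')' so spaces in comm do not matter
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
        except OSError:
            continue  # process exited mid-scan
        procs.append(Proc(pid, ppid, comm, cmdline, exe))
    return procs


SAMPLE_PROCS = [  # constructed process table for the demonstration
    Proc(2, 0, "kthreadd", "", ""),
    Proc(95, 2, "kswapd0", "", ""),                                 # genuine
    Proc(300, 2, "kworker/u8:3", "", ""),                           # genuine
    Proc(4123, 1, "kswapd0", "[kswapd0]", "/tmp/.cache/kswapd0"),   # impostor: on-disk binary, child of init
    Proc(4130, 4123, "bash", "bash -i", "/usr/bin/bash"),
    Proc(5001, 1, "node", "node server.js", "/usr/bin/node"),
]

if __name__ == "__main__":
    for p in find_kthread_impostors(read_live_procs()):
        print(f"suspicious: pid={p.pid} ppid={p.ppid} comm={p.comm!r} exe={p.exe!r}")
```

Run it as root on a suspect host; on the constructed table only PID 4123 is reported. The parent-PID test is the strongest of the three, since a user-space binary cannot become a child of kthreadd however it names itself.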
ZnDoor: Targeting Japanese Organizations
In a related development, NTT Security has observed attacks on organizations in Japan in which React2Shell is exploited to deploy the ZnDoor remote access trojan. ZnDoor has been active since December 2023, well before this vulnerability was disclosed; it is delivered by a bash command that fetches the payload from a remote server with 'wget' and executes it.
ZnDoor connects to attacker-controlled infrastructure to receive and execute commands on the compromised host. Its functionalities include:
– Executing shell commands
– Launching interactive shells
– Directory exploration
– File operations (read, delete, upload, download)
– System information gathering
– Modifying file timestamps
– Starting and stopping SOCKS5 proxies
– Managing port forwarding
These capabilities give attackers full interactive control over infected hosts and, through the SOCKS5 proxy and port-forwarding features, a pivot into the rest of the network.
Widespread Exploitation by Multiple Threat Actors
Exploitation of React2Shell is not limited to a single threat actor. Google has identified at least five China-nexus groups leveraging the flaw to distribute different payloads:
– UNC6600: Deploys a tunneling utility named MINOCAT.
– UNC6586: Delivers a downloader known as SNOWLIGHT.
– UNC6588: Distributes a backdoor called COMPOOD.
– UNC6603: Deploys an updated version of a Go backdoor named HISONIC, which retrieves encrypted configurations from Cloudflare Pages and GitLab so that its traffic blends in with legitimate use of those services.
– UNC6595: Delivers a Linux variant of ANGRYREBEL (also known as Noodle RAT).
Microsoft has also reported that attackers use the vulnerability to run arbitrary commands for post-exploitation activity: opening reverse shells to known Cobalt Strike servers, installing remote monitoring and management tools such as MeshAgent, adding keys to the 'authorized_keys' file for SSH persistence, and enabling root login.
The payloads seen in these attacks include VShell, EtherRAT, SNOWLIGHT, ShadowPad, and XMRig. Attackers route command-and-control through Cloudflare Tunnel endpoints (e.g. '.trycloudflare.com' hostnames) so that the traffic hides among legitimate Cloudflare use, and they carry out reconnaissance for lateral movement and credential theft within compromised environments.
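Two of those persistence changes are cheap to audit across a fleet. The script below is an added example, not Microsoft's detection logic: it fingerprints every authorized_keys entry in OpenSSH's SHA256 format (so results line up with `ssh-keygen -lf`) and reports keys missing from an approved list, and it reads sshd_config the way sshd does (first value wins, directives after a Match line are conditional) to find the effective PermitRootLogin. It assumes "enabling root login" means PermitRootLogin in sshd_config; the key material and config are constructed, not real keys or a real host's file.

```python
"""Audit authorized_keys additions and PermitRootLogin in sshd_config.

Added example; not Microsoft's code. Keys below are constructed (a repeated
byte), not real key material.
"""
import base64
import hashlib
import re
import struct
from typing import List, Set

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_fingerprint(key_line: str) -> str:
    """SHA256:<unpadded base64> of the key blob, as `ssh-keygen -l` prints it.
    Options such as no-pty may precede the key type; options with spaces
    inside quotes are not handled by this simple split."""
    fields = key_line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key field in line")


def audit_authorized_keys(text: str, allowed: Set[str]) -> List[str]:
    """One finding per key whose fingerprint is not on the approved list."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        if fp not in allowed:
            findings.append(f"authorized_keys:{n}: key not on allow-list {fp} ({line.split()[-1]})")
    return findings


def effective_permit_root_login(config: str) -> str:
    """sshd keeps the first value it reads for a keyword, and anything after a
    Match line is conditional, so the global setting is the first
    PermitRootLogin that appears before any Match block."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "permitrootlogin":
            return value
    return "prohibit-password"  # OpenSSH default since 7.0


def audit_ssh(authorized_keys: str, sshd_config: str, allowed: Set[str]) -> List[str]:
    findings = audit_authorized_keys(authorized_keys, allowed)
    prl = effective_permit_root_login(sshd_config)
    if prl == "yes":
        findings.append("sshd_config: PermitRootLogin yes (root password login enabled)")
    return findings


def make_ed25519_line(fill: int, comment: str) -> str:
    """Syntactically valid ssh-ed25519 line wrapping a fake 32-byte key (constructed)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample inputs: one approved key, one planted key, one config with
# root login switched on globally and switched off only inside a Match block.
APPROVED_LINE = make_ed25519_line(0x01, "deploy@ci")
PLANTED_LINE = make_ed25519_line(0x02, "root@attacker")
SAMPLE_AUTHORIZED_KEYS = f"# constructed ~/.ssh/authorized_keys\n{APPROVED_LINE}\n{PLANTED_LINE}\n"
ALLOWED_FINGERPRINTS = {ssh_fingerprint(APPROVED_LINE)}
SAMPLE_SSHD_CONFIG = """\
# constructed /etc/ssh/sshd_config
Port 22
PermitRootLogin yes    # line inserted post-exploitation
PasswordAuthentication no
Match User deploy
    PermitRootLogin no
"""

if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_AUTHORIZED_KEYS, SAMPLE_SSHD_CONFIG, ALLOWED_FINGERPRINTS):
        print(finding)
```

On the sample data this reports the planted key on line 3 and the global PermitRootLogin yes; the `PermitRootLogin no` under `Match User deploy` does not rescue the host, which is exactly the case a grep for the keyword gets wrong. Feed it root's and each service account's authorized_keys in production, with the allow-list built from your configuration management.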
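Quick tunnels are easy to spot in DNS because every one of them resolves a freshly generated hostname under trycloudflare.com. The hunt below is an added example, not part of the Microsoft report: it parses dnsmasq-style query logs ("query[A] host from client"), matches on the registrable suffix so that look-alikes such as "not-trycloudflare.com" or "trycloudflare.com.example.net" do not count, and groups hits by querying client. The log lines are constructed; the suffix list and allow-list are parameters so an organization that legitimately uses quick tunnels can exclude its own hostnames.

```python
"""Hunt DNS query logs for Cloudflare quick-tunnel hostnames.

Added example; not from the Microsoft report. Log lines follow dnsmasq's
query-log format and are constructed for the demonstration.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

TUNNEL_SUFFIXES = ("trycloudflare.com",)  # extend with other tunnel domains your org does not use

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def parse_dnsmasq(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (qtype, qname, client) for query lines; reply/forwarded/cached lines are skipped."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["qtype"], m["qname"].lower().rstrip("."), m["client"]


def is_tunnel_hostname(qname: str, suffixes=TUNNEL_SUFFIXES) -> bool:
    """Match the apex or a subdomain of each suffix, never a plain string suffix."""
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def hunt_tunnel_queries(lines: Iterable[str], suffixes=TUNNEL_SUFFIXES,
                        allowed_hosts=frozenset()) -> Dict[str, List[str]]:
    """Map each client that resolved a tunnel hostname to the hostnames it asked for."""
    hits = defaultdict(set)
    for _qtype, qname, client in parse_dnsmasq(lines):
        if is_tunnel_hostname(qname, suffixes) and qname not in allowed_hosts:
            hits[client].add(qname)
    return {client: sorted(names) for client, names in sorted(hits.items())}


SAMPLE_LOG = """\
Dec 10 09:14:02 dnsmasq[811]: query[A] registry.npmjs.org from 10.0.0.5
Dec 10 09:14:02 dnsmasq[811]: forwarded registry.npmjs.org to 1.1.1.1
Dec 10 09:15:40 dnsmasq[811]: query[A] quiet-lamp-river-rain.trycloudflare.com from 10.0.0.5
Dec 10 09:15:40 dnsmasq[811]: query[AAAA] quiet-lamp-river-rain.trycloudflare.com from 10.0.0.5
Dec 10 09:16:01 dnsmasq[811]: query[A] www.trycloudflare.com.example.net from 10.0.0.9
Dec 10 09:16:30 dnsmasq[811]: query[A] not-trycloudflare.com from 10.0.0.9
Dec 10 09:17:12 dnsmasq[811]: query[A] api.cloudflare.com from 10.0.0.12
""".splitlines()  # constructed dnsmasq query log

if __name__ == "__main__":
    for client, names in hunt_tunnel_queries(SAMPLE_LOG).items():
        print(f"{client} resolved tunnel hostnames: {', '.join(names)}")
```

On the sample log only 10.0.0.5 is reported, for the one quick-tunnel hostname it resolved; the two look-alike names from 10.0.0.9 are ignored. The client address is the pivot point: it is the host to pull the process tree and authorized_keys from next.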
Mitigation and Recommendations
Given the severity and active exploitation of the React2Shell vulnerability, it is imperative for organizations to take immediate action:
1. Update React Server Components: Upgrade every instance to the fixed release for the line in use (19.0.1, 19.1.2, or 19.2.1), including copies pulled in transitively by frameworks and nested in node_modules, since these are the versions in which the vulnerability has been addressed.
2. Monitor Network Traffic and DNS: Implement monitoring to detect unusual network activity, particularly communications with known malicious endpoints or with Cloudflare Tunnel services, which have been used for command-and-control in these attacks.
3. Conduct Security Audits: Regularly audit systems for signs of compromise, such as unauthorized changes to system files, unexpected network connections, or the presence of unknown processes.
4. Restrict Unnecessary Services: Disable or restrict services and ports that are not essential for business operations to reduce the attack surface.
5. Implement Strong Access Controls: Enforce strict access controls and authentication mechanisms to prevent unauthorized access to critical systems.
6. Educate Employees: Training on phishing and other common attack vectors does not close an unauthenticated remote code execution flaw, but it reduces exposure to the initial-access routes that accompany these campaigns.
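Step 1 is the one that actually removes the vulnerability, and the part teams get wrong is the transitive copy: a framework can carry its own nested react-server-dom package while the top-level one is already fixed. The script below is an added example, not the React project's tooling. It walks the "packages" map of a lockfileVersion 2/3 package-lock.json, which lists every nested node_modules path, and compares each RSC package against the fixed releases named above. It assumes the affected packages are react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack (the page does not list package names), treats release lines the page does not cover as unknown rather than safe, and sends pre-release builds to manual review. The lock file is constructed.

```python
"""Check a package-lock.json for React Server Components packages below the
fixed releases 19.0.1, 19.1.2 and 19.2.1.

Added example; not the React project's code. Affected package names are an
assumption; release lines not on the page are reported as unknown.
"""
import json
import re
from typing import Dict, List

RSC_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"}
# (major, minor) release line -> first patch level that contains the fix, from the page
FIXED_PATCH = {(19, 0): 1, (19, 1): 2, (19, 2): 1}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?P<pre>.+))?$")


def classify(version: str) -> str:
    m = VERSION_RE.match(version)
    if not m:
        return "unparseable"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group("pre"):
        return "prerelease-review"  # canary/experimental builds: compare against the advisory by hand
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unknown-line"       # not one of the release lines the fixed versions cover
    return "fixed" if patch >= fixed else "vulnerable"


def package_name(lock_path: str) -> str:
    """'node_modules/next/node_modules/react-server-dom-turbopack' -> the segment after the last node_modules/."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def scan_lock(lock: dict) -> List[Dict[str, str]]:
    """Every RSC package in the lock file, at any nesting depth, with its status."""
    results = []
    for path, meta in lock.get("packages", {}).items():
        if package_name(path) in RSC_PACKAGES and "version" in meta:
            results.append({"path": path, "version": meta["version"], "status": classify(meta["version"])})
    return results


def scan_lock_file(filename: str) -> List[Dict[str, str]]:
    with open(filename) as f:
        return scan_lock(json.load(f))


SAMPLE_LOCK = {  # constructed package-lock.json (lockfileVersion 3)
    "name": "shop-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop-frontend"},
        "node_modules/react": {"version": "19.2.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.1.0-canary-abc123"},
    },
}

if __name__ == "__main__":
    for r in scan_lock(SAMPLE_LOCK):
        print(f"{r['status']:>18}  {r['version']:<22}  {r['path']}")
```

On the sample lock the top-level react-server-dom-webpack 19.2.0 is vulnerable even though react itself is at 19.2.1, the nested turbopack copy under next is fixed, and the canary parcel build is flagged for manual review. Run `scan_lock_file("package-lock.json")` in CI and fail the build on any "vulnerable" or "prerelease-review" result.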
By proactively addressing the React2Shell vulnerability and implementing robust security measures, organizations can mitigate the risk of exploitation and protect their systems from sophisticated cyber threats.