React2Shell Exploit Breaches 30 Organizations, Exposes 77K Vulnerable IPs
Recent research reveals the alarming exposure of over 77,000 IP addresses due to the React2Shell exploit, a significant remote code execution vulnerability identified as CVE-2025-55182. This flaw has already compromised more than 30 organizations across various sectors.
Understanding React2Shell Vulnerability
React2Shell is an unauthenticated vulnerability affecting all frameworks utilizing React Server Components, specifically targeting Next.js. Attackers can exploit this flaw through a single HTTP request, enabling unauthorized execution of arbitrary commands.
On December 3, the React team disclosed details of this vulnerability. They highlighted that unsafe deserialization of client-controlled data within React Server Components allows attackers to execute remote commands without authentication.
Current Impact and Statistics
According to the Shadowserver Internet Watchdog group, a total of 77,664 vulnerable IP addresses have been reported. Approximately 23,700 of these are located in the United States. The identification of these compromised addresses used detection techniques from Searchlight Cyber and Assetnote.
- Vulnerable IP Addresses: 77,664
- IP Addresses in the United States: 23,700
GreyNoise’s recent data indicated that 181 distinct IP addresses attempted to exploit the React2Shell vulnerability within a 24-hour period, predominantly from locations such as the Netherlands, China, and Hong Kong.
Exploitation Techniques
Since the vulnerability’s disclosure, various threat actors have actively sought to exploit it. Attacker activity frequently begins with PowerShell commands aimed at confirming device vulnerability. These initial tests yield predictable results with minimal traces.
Once vulnerability is established, attackers may execute base64-encoded PowerShell commands to download additional scripts directly into the memory of compromised systems. Observations have included commands linked to known hacking groups, such as Earth Lamia and Jackpot Panda.
Malware Deployment
Among the malicious activities observed, some include:
- Snowlight: A malware dropper enabling remote attackers to deploy further payloads.
- Vshell: A backdoor frequently utilized by Chinese cyber threat actors for remote access and lateral movement within a network.
Response and Mitigation Efforts
Given the gravity of the React2Shell flaw, companies are rapidly applying patches to safeguard their systems. For example, Cloudflare implemented emergency detections and mitigations but faced technical issues that briefly disrupted services.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-55182 to its Known Exploited Vulnerabilities catalog, mandating that federal agencies apply necessary updates by December 26, 2025.
Organizations are urged to upgrade to the latest version of React, rebuild their applications, and actively monitor logs for any signs of unauthorized command execution.
Conclusion
The React2Shell exploit underscores a critical need for swift action among developers and IT teams. By addressing the vulnerability promptly, organizations can better protect their infrastructure and minimize risk from potential attacks.
