Full Report
Researchers warn that half of the exposed vulnerable instances remain unpatched as in-the-wild exploitation grows rapidly. The post Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Critical React2Shell Defect Leading to Widespread Exploitation
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: Not explicitly stated in text, but described as "critical severity" and "one click — game over."
- CWE: Not available in the provided text.
## Affected Systems
- Products: React Server Components and dependent frameworks/bundlers, including Next.js, React Router, Waku, Parcel RSC plugin, Vite RSC plugin, RedwoodJS, and possibly others.
- Versions: Specific affected and fixed version ranges are not given in the article, which states only that the vulnerability was disclosed the previous week. Treat every installed copy of the React Server Components runtime and of the frameworks above as in scope until checked against the respective vendor advisory.
- Configurations: Any environment running the affected React Server Components implementation, whether the RSC runtime is used directly or pulled in through one of the frameworks listed above. Shadowserver counted over 644,000 internet-exposed domains at risk.
## Vulnerability Description
The vulnerability, dubbed "React2Shell," is a critical defect in React Server Components. The article does not describe the root cause; it relays expert analysis calling it a "one click" flaw that ends in a "game over" scenario, meaning an attacker who can reach a vulnerable instance is able to steal data, disrupt the application, or deploy malware on the server. Because the flaw sits in the shared RSC implementation, every framework and bundler plugin that embeds it is affected, not only a single vendor's product.
## Exploitation
- Status: **Exploited in the wild**. Rapidly growing activity observed across nation-state attackers, cybercriminals, botnets, and threat groups targeting cryptocurrency theft and cryptojacking.
- Complexity: Described by an expert as a "one click" vulnerability, suggesting **Low** execution complexity for the attacker once the vulnerable instance is identified.
- Attack Vector: Implied to be network-accessible, targeting any exposed instance running the vulnerable components.
## Impact
- Confidentiality: High (Attackers seek valuable data).
- Integrity: High (Potential for deployment of ransomware tooling and malware).
- Availability: High (Attacks observed aimed at knocking down systems for extortion efforts).
## Remediation
### Patches
- Specific patch versions are not given in the article, which states only that the vulnerability was disclosed the previous week, implying that vendor fixes were published around the same time. CISA added the CVE to its KEV catalog and set a shortened remediation deadline (the Friday following the article's publication date) for federal agencies. Obtain the exact fixed releases from each maintainer's advisory and verify that every installed copy of the affected packages, including nested copies, has been updated.
### Workarounds
- The article describes no workaround; the only mitigation it offers is to treat this as a "**patch-now situation**."
- Patch immediately, because exploitation by many unrelated actors is already widespread and simultaneous. Until a deployment is patched, the only compensating control is to reduce its exposure, for example by taking it off direct internet reach where the business allows.
## Detection
- Indicators of Compromise: **Botnet deployments (e.g., Mirai bot deployments) and coin-miners** are the low-skill exploitation artifacts being observed. Evidence linking some intrusions to tooling previously used by **ransomware groups** has also been noted.
- Detection Methods and Tools: The security vendors cited in the article (Unit 42, Rapid7, Wiz) are tracking distinct intrusion clusters, so threat-intelligence feeds from those sources are a primary detection input. On the host side, monitor the web application's service account for newly spawned processes (shells, downloaders, crypto-miners) and for unfamiliar persistent processes, and compare internet-exposed deployments against the Shadowserver vulnerable-instance feed.
## References
- Vendor advisories: Implied to be available from the respective maintainers of React, Next.js, etc., following the disclosure date of the vulnerability.
- Relevant links:
- CISA KEV Catalog entry for CVE-2025-55182 (Added last week).
- Shadowserver dashboard tracking vulnerable instances: hxxps://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-55182%2B&data_set=count&scale=log&auto_update=on
- VulnCheck PoC observations: hxxps://www.vulncheck.com/blog/reacting-to-shells-react2shell-variants-ecosystem