Full Report
Cybersecurity researchers have disclosed details of an active web traffic hijacking campaign that has targeted NGINX installations and management panels like Baota (BT) in an attempt to route it through the attacker's infrastructure. Datadog Security Labs said it observed threat actors associated with the recent React2Shell (CVE-2025-55182, CVSS score: 10.0) exploitation using malicious NGINX
Analysis Summary
# Vulnerability: Web Traffic Hijacking via React2Shell Exploitation in NGINX
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: Not specified in the context, but related to exploitation enabling configuration file modification.
## Affected Systems
- Products: NGINX installations, Baota (BT) Management Panel.
- Versions: Not specified, but any version vulnerable to CVE-2025-55182 (React2Shell) that allows for NGINX configuration manipulation.
- Configurations: Installations targeted include those serving Asian TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure (Baota Panel), and government/educational TLDs (.edu, .gov).
## Vulnerability Description
The campaign starts from initial access gained by exploiting **CVE-2025-55182 (React2Shell)**. After compromise, the attackers deploy a multi-stage toolkit of shell scripts (e.g., `zx.sh`, `bt.sh`, `4zdh.sh`, `zdh.sh`) that injects malicious configuration into NGINX. The injected configuration adds `proxy_pass` directives inside specific `location` blocks so that legitimate web traffic is intercepted and relayed to attacker-controlled backend servers. The toolkit also establishes persistence.
## Exploitation
- Status: Exploited in the wild (Active campaign observed targeting specific TLDs and infrastructure).
- Complexity: Relies on initial successful exploitation of CVE-2025-55182. Exploitation of the NGINX configuration stage appears automated via scripts.
- Attack Vector: Network (Leveraging the initial RCE/arbitrary code execution via CVE-2025-55182).
## Impact
- Confidentiality: High (Traffic intercepted and routed through attacker infrastructure).
- Integrity: High (Web traffic is being modified and rerouted).
- Availability: Moderate (Potential disruption depending on the scope and staging of malicious redirection).
## Remediation
### Patches
- **Mandatory Action:** Apply the patch for **CVE-2025-55182 (React2Shell)** immediately, as this is the prerequisite for this traffic hijacking campaign. Specific NGINX or Baota patches were not detailed in this context.
### Workarounds
- Review NGINX configuration files (`/etc/nginx/conf.d/`, etc.) for suspicious modifications, particularly the injection of new or modified `location` blocks containing unauthorized `proxy_pass` directives redirecting traffic.
- Ensure strong host hardening and access controls to prevent the execution of the observed shell scripts (`zx.sh`, `bt.sh`, etc.).
## Detection
- **Indicators of Compromise:**
  - Presence of the observed shell scripts (`zx.sh`, `bt.sh`, `4zdh.sh`, `zdh.sh`, `ok.sh`) on the server.
  - New, suspicious `location` blocks in NGINX configuration files whose `proxy_pass` directives point to external, unknown domains.
  - Outbound connections from NGINX processes to suspicious external IPs, especially those associated with known C2 infrastructure (e.g., observed IPs: 193.142.147[.]209 and 87.121.84[.]24).
  - Post-exploitation activity such as retrieval of cryptomining binaries or execution of reverse shells on compromised systems.
- **Detection Methods and Tools:**
  - Monitor NGINX access and error logs for unusual request patterns or redirects.
  - Use Endpoint Detection and Response (EDR) to monitor execution of the observed shell scripts and the `curl`, `wget`, or raw TCP connections they make (e.g., by `zx.sh`).
  - Apply file integrity monitoring to critical NGINX configuration directories.
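The following script is an added illustrative example, not code from the Datadog report or from NGINX, covering both the configuration review recommended under Workarounds and the two configuration-focused detection items above. It parses NGINX configuration text, attributes each `proxy_pass` to its innermost enclosing `location`, flags any upstream host that is not on an assumed allowlist, and hashes every `*.conf` file under a directory so a later run can be diffed against the baseline. The sample server block, the `KNOWN_UPSTREAMS` allowlist, and the 203.0.113.x addresses (TEST-NET-3 documentation range) are constructed for this example and are not indicators from the report.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample: a server block with two legitimate local upstreams and
# one injected location that proxies matching requests to an external host.
# The IP is from the TEST-NET-3 documentation range, not an indicator from the report.
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.org;
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }
    location / {
        proxy_pass http://backend-pool;
    }
    location ~* ^/(index|home) {
        proxy_pass http://203.0.113.45:8000;   # constructed, not a real IoC
    }
}
"""

# Assumed allowlist of upstream hosts this deployment legitimately proxies to.
KNOWN_UPSTREAMS = {"127.0.0.1", "localhost", "backend-pool"}

# One token stream for the three things the scanner cares about: a location
# opener (captures its matcher), a proxy_pass directive (captures its target),
# and bare braces for depth tracking.
TOKEN_RE = re.compile(r"location\s+([^{]+?)\s*\{|proxy_pass\s+([^;\s]+)\s*;|[{}]")


def find_proxy_passes(text):
    """Return [(location_matcher, proxy_pass_target)] for every proxy_pass in text.

    Brace depth is tracked so each directive is attributed to its innermost
    enclosing location; a proxy_pass outside any location is reported as "<server>".
    """
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    stack, depth, found = [], 0, []
    for m in TOKEN_RE.finditer(stripped):
        if m.group(1) is not None:            # "location <matcher> {"
            depth += 1
            stack.append((depth, m.group(1).strip()))
        elif m.group(2) is not None:          # "proxy_pass <target>;"
            found.append((stack[-1][1] if stack else "<server>", m.group(2)))
        elif m.group(0) == "{":
            depth += 1
        else:                                 # "}"
            if stack and stack[-1][0] == depth:
                stack.pop()
            depth -= 1
    return found


def upstream_host(target):
    """Extract the host from a proxy_pass target such as http://host:port/path or host:port."""
    parsed = urlparse(target if "://" in target else "//" + target)
    return parsed.hostname or target


def audit_config(text, known=KNOWN_UPSTREAMS):
    """Flag every proxy_pass whose upstream host is not on the allowlist."""
    return [
        {"location": loc, "proxy_pass": target, "host": upstream_host(target)}
        for loc, target in find_proxy_passes(text)
        if upstream_host(target) not in known
    ]


def hash_tree(root):
    """Map each *.conf file under root (relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.conf"))}


def diff_baseline(baseline, current):
    """Compare two hash maps; any non-empty entry means the config directory changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo_integrity_check():
    """Baseline a throwaway conf.d, then simulate a dropped file plus an edited one."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_dir = Path(tmp) / "conf.d"
        conf_dir.mkdir()
        (conf_dir / "site.conf").write_text(SAMPLE_CONF)
        baseline = hash_tree(conf_dir)
        (conf_dir / "zz-injected.conf").write_text(
            "location /x/ { proxy_pass http://203.0.113.99; }\n")
        (conf_dir / "site.conf").write_text(SAMPLE_CONF + "# edited\n")
        return diff_baseline(baseline, hash_tree(conf_dir))


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONF):
        print(f"suspicious proxy_pass in location '{f['location']}': {f['proxy_pass']}")
    print(demo_integrity_check())
```

In production the baseline from `hash_tree` would be stored off-host and `audit_config` run over the real contents of `/etc/nginx/conf.d/` and any included files; the allowlist should be built from the upstreams the site actually uses, so that a `proxy_pass` to anything else, external domain or raw IP, surfaces as a finding regardless of how the `location` matcher is written.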
## References
- Datadog Security Labs Post: hxxps://securitylabs.datadoghq.com/articles/web-traffic-hijacking-nginx-configuration-malicious/
- GreyNoise Analysis on React2Shell Exploitation: hxxps://labs.greynoise.io/grimoire/2026-02-02-react2shell-exploitation-consolidates/index.html