Key Takeaways
- The React2Shell vulnerability (CVE-2025-55182) allows unauthenticated attackers to achieve remote code execution due to unsafe deserialization of payloads sent to React Server Function endpoints.
- The vulnerability has a severity score of 10 and is considered easy to exploit, with default configurations being vulnerable.
- Multiple espionage actors and opportunistic criminal groups have targeted React2Shell, including China-nexus and Iran-linked actors.
- The vulnerability has been exploited to deliver various malware, including the Minocat tunneler and the KSwapDoor backdoor.
- Cloud service credentials, including those of Azure, Amazon Web Services, Google Cloud Platform, and Tencent Cloud, have been targeted in the wave of attacks.
Introduction to the Vulnerability
The React2Shell vulnerability, tracked as CVE-2025-55182, is a critical flaw in React Server Components that allows an unauthenticated attacker to achieve remote code execution due to unsafe deserialization of payloads sent to React Server Function endpoints. React Server Components is an ecosystem of frameworks, packages, and bundlers that allow React 19 applications to run parts of their logic on the server instead of the browser. The vulnerability has a severity score of 10 and is considered easy to exploit, with default configurations being vulnerable. This means that tens of thousands of devices running across several thousand organizations that use React, or applications based on React, are potentially at risk.
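The first question a defender has is whether a given application even ships the affected packages. The following is an added example, not code from the React project or from any of the vendors quoted in this article: it walks a `package-lock.json` (lockfile version 2 or 3) for the `react-server-dom-*` packages that implement React Server Function request handling, including nested copies pulled in by other dependencies, and compares each version against a per-minor-line patched floor. The `FIXED_VERSIONS` table and the sample lockfile are assumptions constructed for illustration; take the real floors from the React advisory for CVE-2025-55182 and its follow-up CVEs before relying on the output.

```python
"""Audit a package-lock.json for React Server Components packages below a patched floor.

Added example; not React's or any vendor's code. The package names are the real
react-server-dom-* packages; the FIXED_VERSIONS floors and SAMPLE_LOCK are ASSUMED
values for illustration and must be checked against the React advisory.
"""
import json
import re
from typing import Dict, List, Tuple

# Packages that implement React Server Function request handling in React 19.
RSC_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
)

# ASSUMED patched minimum per 19.x minor line, keyed by (major, minor).
# Replace with the versions listed in the advisory (including follow-up fixes).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (19, 0): (19, 0, 1),
    (19, 1): (19, 1, 2),
    (19, 2): (19, 2, 1),
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse the numeric core of a semver string; prerelease tags are ignored."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the version is below the assumed patched floor for its minor line."""
    parsed = parse_version(version)
    major, minor, _ = parsed
    if major < 19:
        return False  # RSC ships with React 19; earlier majors are out of scope here
    floor = FIXED_VERSIONS.get((major, minor))
    if floor is None:
        return True  # unknown 19.x (or newer) line: flag for manual review, do not assume safe
    return parsed < floor


def find_rsc_packages(lock: dict) -> List[Tuple[str, str]]:
    """Return (lockfile path, version) for every RSC package, nested copies included."""
    found = []
    for path, meta in lock.get("packages", {}).items():
        # Keys look like "node_modules/foo" or "node_modules/bar/node_modules/foo".
        name = path.rsplit("node_modules/", 1)[-1] if path else meta.get("name", "")
        if name in RSC_PACKAGES and "version" in meta:
            found.append((path, meta["version"]))
    return found


def audit(lock_text: str) -> List[dict]:
    """Audit the JSON text of a package-lock.json and return one finding per RSC package."""
    lock = json.loads(lock_text)
    return [
        {"path": path, "version": version, "vulnerable": is_vulnerable(version)}
        for path, version in find_rsc_packages(lock)
    ]


# Constructed sample lockfile: one direct copy below the floor, one nested copy
# at the floor, and one parcel build at its floor.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.2.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.1.2"},
    },
})

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK):
        status = "VULNERABLE" if finding["vulnerable"] else "ok"
        print(f"{status:<10} {finding['path']} {finding['version']}")
```

Run it against a real lockfile with `audit(open("package-lock.json").read())`. Nested copies matter: a framework or UI library can vendor its own `react-server-dom-*` below the floor even when the top-level dependency is current, which is why the walk covers every `node_modules/` path rather than only direct dependencies.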
Exploitation and Attackers
Microsoft researchers warned that "several hundred machines" across a wide range of organizations have been compromised via the exploitation of the React2Shell vulnerability. Researchers at Google Threat Intelligence Group (GTIG) noted that multiple espionage actors and opportunistic criminal groups have targeted React2Shell. A China-nexus espionage group tracked as UNC6600 has been exploiting the flaw to deliver the Minocat tunneler, which helps attackers maintain covert communications with a compromised system. In addition, two other threat actors tied to China — UNC6588 and UNC6603 — have been spotted dropping backdoors onto victim systems in attacks targeting the vulnerability. GTIG researchers have also observed suspected Iran-linked actors exploiting the flaw, although they did not provide additional details on that activity.
Malware and Tools Used in Attacks
The React2Shell vulnerability has been exploited to deliver various malware and tools. Researchers at Palo Alto Networks have observed the deployment of a new backdoor called KSwapDoor, which is a professionally engineered remote access tool. The tool is used to build an internal mesh network that allows compromised servers to communicate with each other. Attackers have also been seen running arbitrary commands, including reverse shells to known Cobalt Strike servers, in React2Shell attacks. They have used remote monitoring and management tools, including MeshAgent, to gain persistence. The use of these tools and malware suggests that attackers are attempting to establish a persistent presence within compromised networks.
Cloud-Credential Theft and Exploitation Activity
Microsoft said that cloud service credentials have been targeted in the wave of attacks: once attackers have code execution on a server, they query the instance metadata service endpoints of Azure, Amazon Web Services, Google Cloud Platform, and Tencent Cloud to harvest the credentials those endpoints hand to the compromised host. The company noted that exploitation activity began as early as December 5. The vulnerability was reported to React in late November by security researcher Lachlan Davidson through the Meta Bug Bounty program. React issued a patch earlier this month for the original flaw; however, late last week, additional flaws were disclosed, including CVE-2025-55814 and CVE-2025-67779, so a deployment patched only against the original advisory is not necessarily up to date. With exploitation ongoing, organizations should move to the latest fixed releases and treat any cloud credential reachable from an exposed server as potentially compromised.
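The metadata-service theft described above works because, on many hosts, a single unauthenticated HTTP GET from the web application's process returns short-lived cloud credentials. The following is an added example, not from Microsoft's report or any of the vendors cited: it checks AWS EC2 instances for the two settings that close that path, IMDSv2 session tokens being required and the PUT response hop limit being 1 (which keeps containers and proxies on the host from reaching the service), and emits the remediation command for each offender. The field names are the real `MetadataOptions` keys returned by `aws ec2 describe-instances`; the instance IDs and their settings are constructed sample data. The check is AWS-specific; the other providers named in the report have their own metadata endpoints and controls.

```python
"""Flag EC2 instances whose metadata service still answers unauthenticated (IMDSv1) requests.

Added example; not from the original report. MetadataOptions field names are the real
ones from `aws ec2 describe-instances`; SAMPLE_DESCRIBE is constructed sample data.
"""
from typing import List


def imds_findings(describe_output: dict) -> List[dict]:
    """Return one finding per instance with a list of IMDS hardening problems (empty = ok)."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            problems = []
            # A disabled endpoint cannot leak anything, so the other settings are moot.
            if opts.get("HttpEndpoint", "enabled") != "disabled":
                if opts.get("HttpTokens") != "required":
                    problems.append(
                        "IMDSv1 allowed: role credentials readable with one unauthenticated GET"
                    )
                if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
                    problems.append(
                        "hop limit > 1: containers/proxies on the host can reach IMDS"
                    )
            findings.append({"InstanceId": inst.get("InstanceId"), "problems": problems})
    return findings


def remediation_command(instance_id: str) -> str:
    """AWS CLI command that enforces IMDSv2 and a hop limit of 1 on one instance."""
    return (
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {instance_id} "
        "--http-tokens required --http-put-response-hop-limit 1"
    )


# Constructed sample output: one exposed instance, one hardened, one with IMDS off.
SAMPLE_DESCRIBE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111",  # constructed
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0bbb222",  # constructed
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333",  # constructed
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}]
}

if __name__ == "__main__":
    for finding in imds_findings(SAMPLE_DESCRIBE):
        if finding["problems"]:
            print(finding["InstanceId"])
            for p in finding["problems"]:
                print("  -", p)
            print("  fix:", remediation_command(finding["InstanceId"]))
        else:
            print(finding["InstanceId"], "ok")
```

Feed it the parsed JSON of `aws ec2 describe-instances` for each account and region. Requiring IMDSv2 does not help a server that was already compromised while IMDSv1 was on: any role credentials that host could have read should be treated as exposed and rotated, and the role's permissions reviewed for what an attacker holding them could reach.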
Conclusion and Recommendations
The React2Shell vulnerability is a critical flaw that has been exploited by multiple threat actors to deliver malware and steal cloud service credentials. Organizations that use React or applications based on React should take immediate action to patch their systems and protect their cloud service credentials. This includes updating to the latest fixed releases rather than only the first patch, monitoring for suspicious activity on the affected servers, limiting what a compromised server can obtain from the cloud metadata service, and rotating any credentials such a server could have read. By taking these steps, organizations can help prevent the exploitation of the React2Shell vulnerability and limit the damage where exploitation has already occurred.