- React2Shell (CVE‑2025‑55182) Exploited to Compromise Hundreds of Systems Worldwide
- Groups linked to China and North Korea abuse the flaw for persistence, espionage and crypto mining
- Immediately patch to React versions 19.0.1, 19.1.2, or 19.2.1.
React2Shell, a critical severity vulnerability in React Server Components (RSC), has already been used to compromise “several hundred machines across a diverse set of organizations.”
This is according to Microsoft, whose latest blog post discusses the vulnerability and how to defend against incoming attacks.
In early December, the React team published a security advisory detailing a pre-authentication bug in multiple versions of multiple packages affecting RSC. The bug, now named “React2Shell”, is tracked as CVE-2025-55182 and is assigned a severity score of 10/10 (critical).
Arbitrary commands, droppers and cryptominers
With React being one of the most popular JavaScript libraries out there and powering much of the internet today, researchers warned that exploitation was imminent and urged everyone to apply the fix without delay and update their systems to versions 19.0.1, 19.1.2, or 19.2.1.
Now, Microsoft says these warnings have come true, as numerous threat actors have abused the flaw to execute arbitrary commands, drop malware, and move laterally throughout the target infrastructure, successfully blending in with other legitimate traffic.
Redmond also emphasized that the number of attacks increased after React publicly revealed the findings, as more threat actors deployed memory-based downloaders and cryptominers.
Two weeks ago, Amazon Web Services (AWS) reported that two China-linked groups, Earth Lamia and Jackpot Panda, had been seen using the bug to target organizations in different verticals.
Targets are located around the world, from Latin America to the Middle East and Southeast Asia. Financial services, logistics, retail and IT companies, universities, and government organizations are being attacked, with the aim of establishing persistence and conducting cyber espionage.
Shortly after, researchers also observed North Korean state-sponsored threat actors doing the same. The only difference is that the North Koreans are using the flaw to implement a novel malware persistence mechanism called EtherRAT. Compared to what Earth Lamia and Jackpot Panda were doing, EtherRAT is “much more sophisticated” and represents a persistent access implant that combines techniques from at least three documented campaigns.
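The patch guidance above boils down to one check: is each installed React 19.x package at or above 19.0.1, 19.1.2 or 19.2.1 for its minor line? The script below is an added example (not from the article, Microsoft, or the React project) that applies that check to the `packages` map of a `package-lock.json`; the `react`/`react-*` name filter and the sample lockfile are assumptions, since the article does not enumerate the affected packages.

```javascript
// Added example, not from the article or the React project. Fixed versions are
// the ones the article names (19.0.1, 19.1.2, 19.2.1); earlier minor lines are
// reported as "unknown" rather than guessed. Constant and function names are my own.
const FIXED = { '19.0': [19, 0, 1], '19.1': [19, 1, 2], '19.2': [19, 2, 1] };

function parseVersion(v) {
  // Accept "19.1.1", "v19.1.1", "^19.1.1"; note prerelease suffixes ("-canary...").
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], prerelease: !!m[4] } : null;
}

// Returns 'patched', 'vulnerable' or 'unknown' (a minor line the advisory does not list).
function react2ShellStatus(version) {
  const p = parseVersion(version);
  if (!p) return 'unknown';
  const fixed = FIXED[`${p.nums[0]}.${p.nums[1]}`];
  if (!fixed) return 'unknown';
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== fixed[i]) return p.nums[i] < fixed[i] ? 'vulnerable' : 'patched';
  }
  // Same x.y.z as the fix: a prerelease (e.g. 19.2.1-canary) sorts before the release.
  return p.prerelease ? 'vulnerable' : 'patched';
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and list
// every react-family package still below the fix. Assumption: the relevant packages
// are named "react" or "react-*"; the article does not enumerate them.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name !== 'react' && !name.startsWith('react-')) continue;
    if (react2ShellStatus(meta.version) === 'vulnerable') {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not a real project). Nested copies under
// another package's node_modules are caught too, which "npm ls" output can hide.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/react': { version: '19.1.2' },
    'node_modules/react-dom': { version: '19.1.1' },
    'node_modules/next/node_modules/react': { version: '19.2.0' },
    'node_modules/react-router': { version: '6.30.0' },
  },
};

console.log(findVulnerable(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; anything reported as 'unknown' still needs a manual look.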
Via The Register