React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors

These articles are AI-generated summaries. Please check the original sources for full details.

The React2Shell vulnerability (CVE-2025-55182), a critical remote code execution flaw in React Server Components, is being actively exploited to deliver cryptocurrency miners and previously undocumented malware. Huntress researchers first observed exploitation on December 4, 2025, with attackers targeting organizations across industries like construction and entertainment.

Why This Matters

Current security practices often rely on perimeter defenses and assume a degree of trust within the application itself. React2Shell demonstrates that vulnerabilities within core frameworks, even those running server-side, can bypass these defenses and lead to full system compromise. The widespread exploitation, affecting over 165,000 IP addresses as of December 8, 2025, highlights the potential for large-scale damage and significant remediation costs.

Key Insights

  • CVE-2025-55182: A critical RCE vulnerability in React Server Components.
  • PeerBlight: A Linux backdoor sharing code with older malware families like RotaJakiro and Pink (2021).
  • Automated Exploitation: Attackers are leveraging automated tooling, evidenced by inconsistent OS targeting and consistent exploitation patterns.

Practical Applications

  • Use Case: Financial services, high-tech, and government organizations are being targeted, indicating the vulnerability’s appeal to a broad range of threat actors.
  • Pitfall: Relying solely on client-side security measures; server-side component vulnerabilities require dedicated attention.
