Threat actors are actively exploiting a critical vulnerability, CVE-2025-55182, also known as React2Shell, against companies in the insurance, e-commerce, and IT sectors. The flaw lets an attacker execute arbitrary code on a vulnerable server by sending a crafted payload over the Flight protocol, the wire format React Server Components use to communicate between client and server. The exploitation campaigns stand out for their speed, and the payloads observed range from cryptocurrency miners to DDoS botnets.
BI.ZONE analysts have observed that adversaries can weaponize critical vulnerabilities within hours of public disclosure, and React2Shell follows that pattern. The root cause is insecure deserialization: the server decodes client-supplied Flight data without adequately validating it, which gives an attacker a path to code execution. Patches are available, but BI.ZONE researchers stress that updating is not enough on its own; organizations must also check exposed systems for signs that exploitation already succeeded and for the post-exploitation activity described below.
Attackers Deploying XMRig Miner and Sophisticated Botnets via React2Shell Vulnerability
React2Shell affects the React Server Components packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The fix is to upgrade to 19.0.1, 19.1.2, or 19.2.1, whichever matches the minor line in use. Because Next.js bundles its own copy of these packages, teams should also confirm they are running a patched Next.js release. After updating, rebuild the project and inspect the lock file (package-lock.json, yarn.lock, or pnpm-lock.yaml) to confirm that no vulnerable version remains, including copies pulled in transitively by other dependencies.
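As a worked version of the lock-file step, here is an added example (not from the BI.ZONE write-up or the React project) that scans an npm package-lock.json for affected versions of the three packages, including copies nested under other dependencies. The package names and versions are the ones listed above, with 19.0 read as 19.0.0; the sample lock file and the dependency named some-ui-kit are constructed for illustration.

```python
"""Scan an npm package-lock.json for React Server Components packages pinned
to the React2Shell-affected versions listed above (CVE-2025-55182)."""
import json
import sys

AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
# Versions named as affected in the summary above ("19.0" read as 19.0.0)
# and the first patched release of each affected minor line.
VULNERABLE_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
FIXED_FOR_MINOR = {"19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1"}


def is_vulnerable(name, version):
    return name in AFFECTED_PACKAGES and version in VULNERABLE_VERSIONS


def fixed_version(version):
    """Patched release for the minor line of `version`, or None if unknown."""
    return FIXED_FOR_MINOR.get(".".join(version.split(".")[:2]))


def _name_from_path(path):
    # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    return path.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps, prefix, out):
    # lockfileVersion 1 nests transitive deps under each package's "dependencies"
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        out.append((path, name, meta.get("version", "")))
        _walk_v1(meta.get("dependencies", {}), path + "/", out)


def installed_packages(lock):
    """Return (path, name, version) for every installed package, handling
    lockfileVersion 2/3 ("packages") and falling back to v1 ("dependencies")."""
    out = []
    for path, meta in lock.get("packages", {}).items():
        if path:  # the empty key is the root project itself
            out.append((path, _name_from_path(path), meta.get("version", "")))
    if not out:
        _walk_v1(lock.get("dependencies", {}), "", out)
    return out


def scan_lock(text):
    """Return one finding per vulnerable install, nested copies included."""
    return [
        {"path": path, "name": name, "version": version, "fix": fixed_version(version)}
        for path, name, version in installed_packages(json.loads(text))
        if is_vulnerable(name, version)
    ]


# Constructed sample: the top-level package is patched, but a UI library
# still pulls in its own vulnerable copy, which checking only the
# top-level dependency would miss.
SAMPLE_LOCK = json.dumps({
    "name": "shop-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop-frontend", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
        "node_modules/some-ui-kit": {"version": "4.2.0"},
        "node_modules/some-ui-kit/node_modules/react-server-dom-turbopack": {
            "version": "19.1.1"
        },
    },
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in scan_lock(text):
        print(f"{f['path']}: {f['name']}@{f['version']} -> upgrade to {f['fix']}")
```

Run it against the real lock file with `python scan_lock.py package-lock.json` after the rebuild; an empty result is the condition to look for. The scanner reports the nested path, because a nested vulnerable copy is fixed by updating the dependency that carries it, not the root project's version.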
In production, experts recommend not enabling experimental React Server Components features unless the installed versions carry the latest security patches. The speed with which this flaw was weaponized leaves little room for a slow patch cycle. The sectors hit so far show that the vulnerability reaches core business applications, not only development environments.
Infection Mechanism and Malware Deployment Tactics
The attack chain typically begins with the threat actor exploiting React2Shell to gain command execution inside the container running the vulnerable application. After initial access, the attackers download and execute Bash scripts from remote servers to deploy their payloads. One observed script, wocaosinm.sh, fetches architecture-specific ELF executables identified as the Kaiji botnet. Kaiji is capable of launching distributed denial-of-service (DDoS) attacks and persists through several mechanisms: systemd services, crontab entries, and modifications to existing system utilities.
Another deployment path uses the setup2.sh script, which installs the XMRig cryptocurrency miner (version 6.24.0 in observed cases) by downloading a compressed archive containing the miner binary and its configuration. A companion script, alive.sh, then kills any process using 40% or more of the CPU, exempting XMRig and a list of whitelisted processes, so that the miner keeps the hardware to itself. For defenders, that behaviour is itself an indicator: legitimate services on a host being killed repeatedly for high CPU use points to a miner's watchdog rather than to an ordinary resource problem.
Attackers also use DNS tunneling to exfiltrate command output: results are encoded into subdomain labels and sent with nslookup as queries to an attacker-controlled domain, so the data leaves in DNS traffic that many environments never inspect. A more capable payload is CrossC2, a third-party toolkit that produces Cobalt Strike-compatible beacons for Linux. The observed CrossC2 payloads are UPX-packed executables with an encrypted configuration appended at the end of the file, which the beacon decrypts at runtime with AES-128-CBC; unpacking with `upx -d` is the first step before static analysis of the configuration.
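The nslookup pattern is easier to recognise with a concrete detector in hand. The following is an added example, not part of the original report, that scores DNS query logs for encoded subdomain labels and reassembles hex-encoded chunks sent to one zone. The log format, the client 10.0.3.14, the zone c2.example and the exfiltrated `id` output are all constructed; the heuristics (encoded-alphabet labels, label length, entropy, distinct-subdomain count per zone) are general ones, not taken from the page.

```python
"""Spot command output exfiltrated through DNS: the nslookup pattern above
puts encoded data in subdomain labels of a zone the attacker controls."""
import math
import re
from collections import defaultdict

# Labels built from the alphabets command-line encoders typically emit:
# lowercase hex, base32, base64url (no padding).
ENCODED_LABEL = re.compile(
    r"^(?:[0-9a-f]{16,}|[a-z2-7]{16,}|[A-Za-z0-9_-]{24,})$"
)
LOOSE_HEX = re.compile(r"^[0-9a-f]+$")


def shannon_entropy(s):
    """Bits of entropy per character; encoded blobs score high, words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def split_qname(qname, zone_labels=2):
    """Return (subdomain_labels, zone), treating the last N labels as the zone.
    Assumption: two-label zones; a public-suffix list would do better."""
    labels = qname.rstrip(".").split(".")
    return labels[:-zone_labels], ".".join(labels[-zone_labels:]).lower()


def label_score(label):
    """0 = ordinary hostname label; 2 or more = looks like encoded payload."""
    score = 0
    if ENCODED_LABEL.match(label):
        score += 2
    if len(label) >= 32:
        score += 1
    if shannon_entropy(label) > 3.0:
        score += 1
    return score


def detect_tunneling(lines, min_distinct=3):
    """lines: constructed "<time> <client> <qname> <qtype>" records.
    Returns {zone: [qnames]} for zones that received at least `min_distinct`
    distinct encoded-looking subdomains; one hashed CDN hostname stays below
    the threshold, a stream of exfiltration chunks does not."""
    per_zone = defaultdict(list)
    for line in lines:
        qname = line.split()[2]
        sub, zone = split_qname(qname)
        if any(label_score(lab) >= 2 for lab in sub):
            per_zone[zone].append(qname)
    return {z: qs for z, qs in per_zone.items() if len(set(qs)) >= min_distinct}


def decode_hex_subdomains(qnames):
    """Reassemble hex-encoded chunks from the queries to one zone, in order."""
    hexdata = "".join(
        lab for q in qnames for lab in split_qname(q)[0]
        if LOOSE_HEX.match(lab) and len(lab) % 2 == 0
    )
    return bytes.fromhex(hexdata).decode("utf-8", errors="replace")


# Constructed sample: the output of `id` hex-encoded and split across 30-char
# labels under c2.example, mixed with ordinary lookups from the same client.
PAYLOAD = "uid=0(root) gid=0(root) groups=0(root)"
_hex = PAYLOAD.encode().hex()
_exfil = [f"{_hex[i:i + 30]}.c2.example" for i in range(0, len(_hex), 30)]
SAMPLE_LOG = [
    "10:02:11 10.0.3.14 www.google.com A",
    "10:02:12 10.0.3.14 api.github.com A",
    "10:02:13 10.0.3.14 d1a2b3c4d5e6f7a8b9c0.cloudfront.net A",
] + [f"10:02:{14 + i} 10.0.3.14 {q} A" for i, q in enumerate(_exfil)]

if __name__ == "__main__":
    for zone, qnames in detect_tunneling(SAMPLE_LOG).items():
        print(f"{zone}: {len(qnames)} encoded queries")
        print("  decoded:", decode_hex_subdomains(qnames))
```

The per-zone threshold on distinct encoded subdomains is what keeps a single content-hash hostname from firing; long plain-word hostnames can still match the base32 alphabet, so tune `min_distinct` to the environment and run the detector over resolver logs rather than a single host's cache.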
The check.sh script saves the CrossC2 payload under the name rsyslo, a near-miss of the legitimate rsyslog daemon, and creates a systemd service for persistence, labelling it "Rsyslo AV Agent Service" so that it blends in with legitimate units during a casual review. The EtherRAT malware goes further and establishes itself through five distinct persistence methods: systemd services, XDG Autostart entries, crontab tasks, and additions to .bashrc and .profile. This JavaScript-based malware retrieves its command-and-control address from an Ethereum smart contract, which undercuts traditional network blocking: the operator can move the C2 by updating the contract state, and the implant only needs to reach an Ethereum RPC endpoint to read it. Outbound connections to such endpoints from a web server with no business on a blockchain are worth alerting on.
Exploitation of React2Shell is ongoing and remains a serious concern for organizations in the targeted sectors. Applying the patches promptly, confirming through lock files that no vulnerable copy remains, and hunting for the persistence and exfiltration artifacts described above are the practical defences. The attackers' ability to adapt within hours and to deploy such a varied set of malware is a reminder that patching closes the door but does not evict whoever already came through it.

