Attackers are rapidly exploiting a critical vulnerability, dubbed React2Shell, that affects React Server Components shortly after it was publicly disclosed with a patch. The vulnerability, identified and patched by Meta and the React team on Wednesday, has quickly become a target for threat actors with diverse motivations and origins.
Multiple security firms have reported observing active exploitation of the flaw in the wild, although initial reports suggested limited activity focused on scanning and initial attempts rather than full-blown attacks. However, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed the situation by adding the vulnerability, identified as CVE-2025-55182, to its list of actively exploited vulnerabilities on Friday.
Exploitation and varying response to React2Shell vulnerability
The deserialization vulnerability, which carries a maximum CVSS score of 10 and permits unauthenticated remote code execution, has highlighted a division within the cybersecurity research community. While many threat analysts are concerned about the potential downstream effects of this vulnerability, some are advising a more measured approach to defense, suggesting less immediate urgency.
Debate continues regarding the extent of actual exploitation versus proof-of-concept demonstrations. Some researchers indicate they have seen functional proof-of-concept exploits, while others assert that validated exploits are still scarce. Nevertheless, multiple researchers investigating the aftermath have confirmed that real organizations have already been affected by attacks.
Observations from security firms
Palo Alto Networks’ incident response unit, Unit 42, along with watchTowr and Wiz, have all reported observing successful exploitation and subsequent malicious activities. According to Justin Moore, senior manager of threat intelligence research at Unit 42, his team has confirmed several affected organizations across various sectors. These observations include scanning for remote-code execution, reconnaissance, attempted theft of Amazon Web Services configuration and credential files, and the deployment of downloaders to retrieve payloads from attacker infrastructure.
As of Friday midday, Unit 42 had identified approximately 10 impacted organizations and was continuing its investigation into the full scope of compromise. Ben Harris, CEO and founder of watchTowr, described the observed exploitation as indiscriminate, rapid, and prolific. Post-exploitation activities witnessed by his team ranged from basic credential extraction to the deployment of webshells as a means to gain further access.
Amitai Cohen, threat vector intelligence lead at Wiz, stated that multiple Wiz customer environments have also fallen victim to successful exploitation. So far, Wiz has observed the deployment of cryptojacking malware and attempts to exfiltrate cloud credentials from compromised machines. These early-stage activities are consistent with common post-exploitation goals such as resource hijacking and establishing persistence.
Scope of impact and threat actor activity
Researchers from various firms have reported an increase in exploitation attempts, both successful and unsuccessful, following the release of public proof-of-concept exploits. The potential reach of this vulnerability is considerable, with Wiz Research indicating that 39% of cloud environments host instances of React or Next.js, a popular open-source framework that relies on React Server Components, running versions vulnerable to CVE-2025-55182.
Cohen further noted that the Next.js framework is present in 69% of environments, and 44% of all cloud environments have publicly accessible Next.js instances, irrespective of the version. Complicating matters, Vercel, the company behind Next.js, disclosed and patched its own critical vulnerability (CVE-2025-66478) on Wednesday. However, this CVE was later identified as a duplicate of the core React defect.
Multiple threat groups are reportedly mobilizing resources to exploit the vulnerability for a range of objectives. Harris indicated that the availability of remote-code execution proof-of-concept exploits suggests that ransomware gangs, who are known to capitalize on such opportunities, are likely to follow.
Within hours of the public disclosure, Amazon threat intelligence teams observed active exploitation attempts by several China-linked threat groups, including Earth Lamia and Jackpot Panda, according to CJ Moses, chief information security officer of Amazon Integrated Security. Unit 42 also reported tracking attempted exploitation from several potential China-linked threat actors and cybercriminals.
Noah Stone, head of content at GreyNoise Intelligence, confirmed that automated, opportunistic exploitation attempts based on publicly released proof-of-concept exploits have been widespread. The company’s sensors have detected malicious traffic originating from infrastructure in China, Hong Kong, the United States, Japan, and Singapore, targeting services in the United States, Pakistan, India, Singapore, and the United Kingdom.
Caitlin Condon, vice president of research at VulnCheck, stated that the company’s decoy systems, designed to provide early warnings of exploitation, have also detected scanning tied to exploitation attempts. VulnCheck’s analysis of patch rates on exposed Next.js applications revealed low patch adoption among vulnerable systems.
The process of patching and mitigating the React2Shell vulnerability is not without its own challenges. Cloudflare reported a temporary outage on Friday that was triggered by modifications made to its body parsing logic, implemented to detect and mitigate the vulnerability.
While security researchers continue to debate the efficacy of proof-of-concept exploits and the visibility into ongoing attacks varies across the community, the vulnerability affecting a widely adopted application framework has undeniably captured significant attention. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, described the situation as a “real rollercoaster.”