The fallout from React2Shell, a critical vulnerability impacting vast portions of the internet’s infrastructure, continues to escalate. Public exploits and stealth backdoors are proliferating, revealing worrying details about the targets attackers are pursuing. Cybersecurity experts are reacting with mounting concern as cybercriminals, ransomware gangs, and nation-state threat groups actively exploit this maximum-severity defect.
Palo Alto Networks’ Unit 42 reports that over 60 organizations have been impacted by attacks leveraging CVE-2025-55182, the vulnerability publicly disclosed by Meta and the React team on December 3rd. Microsoft has confirmed “several hundred machines across a diverse set of organizations” compromised through exploitation leading to remote-code execution. Post-exploitation activities observed include the deployment of reverse shell implants, lateral movement, data theft, and measures to maintain persistent access to targeted networks.
Exploitation Landscape for React2Shell
The severity of React2Shell is amplified by an unprecedented number of publicly available exploits. This indicates the relative ease with which unauthenticated attackers can trigger the defect to gain elevated privileges and move laterally within targeted networks. As of Monday, VulnCheck confirmed approximately 180 validated public exploits for React2Shell, with dozens more under review.
Caitlin Condon, vice president of research at VulnCheck, stated, “React2Shell CVE-2025-55182 now has the highest verified public exploit count of any CVE.” Further complicating the situation, cleanup efforts for React2Shell led to the discovery of three new defects affecting React Server Components last week, including CVE-2025-55183 and CVE-2025-67779, which addresses a bypass for CVE-2025-55184.
Ongoing Patching Challenges
Researchers continue to urge organizations to apply the patch for CVE-2025-55182. However, they caution that some early versions of the patch do not address the newly discovered CVEs. Moreover, patching alone will not remove attackers who have already gained access to compromised systems.
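As a defender-side illustration of the patching point above, the following is an added example (not code from the article, from Meta, or from the React project): a small script that walks an npm package-lock.json, finds every copy of the React Server Components packages, including nested duplicates that a top-level upgrade can miss, and reports any that sit below the fixed release for their major.minor line. The package names `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` are assumptions about what ships the RSC runtime, and the fixed-version numbers in `PLACEHOLDER_FIXED` are constructed placeholders, since the article gives none; substitute the versions from the vendor advisory for CVE-2025-55182 and the follow-up CVEs. The sample lockfile is constructed inline. A clean result from this check only says what is left to patch; it says nothing about whether a host was already compromised, which is the other half of the warning above.

```python
"""Flag React Server Components packages in a package-lock.json that are below a
patched version.  Added example; package list and thresholds are assumptions."""
import json
import re
from typing import Dict, List, Tuple

# ASSUMPTION: npm packages carrying the RSC runtime.  Confirm against the advisory.
RSC_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
)

# PLACEHOLDER thresholds, constructed for this example and NOT taken from the
# advisory: one fixed release per affected major.minor line.
PLACEHOLDER_FIXED: Dict[str, List[str]] = {
    name: ["19.0.1", "19.1.2", "19.2.1"] for name in RSC_PACKAGES
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(v: str) -> Tuple[int, int, int, int, str]:
    """Turn '19.0.1-canary-abc' into a tuple that compares the way semver orders.
    The 4th element is 0 for a prerelease and 1 for a release, so that
    19.0.1-canary sorts below 19.0.1 (a prerelease is never the fixed build)."""
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4) or ""
    # Prerelease-vs-prerelease ordering is approximated by string comparison.
    return (major, minor, patch, 0 if pre else 1, pre)


def is_patched(version: str, fixed_versions: List[str]) -> bool:
    """True if `version` is at or above the fixed release of its own major.minor
    line.  A line with no fixed release listed is reported as unpatched; that is
    deliberately conservative so an unexpected version line gets a human look."""
    v = parse_version(version)
    for fixed in fixed_versions:
        fv = parse_version(fixed)
        if fv[:2] == v[:2]:
            return v >= fv
    return False


def find_unpatched(lock: dict, fixed: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (lockfile path, package name, version) for every installed copy of a
    tracked package whose version is below the fixed release.  Handles nested
    node_modules entries, which is where stale duplicates usually hide."""
    hits = []
    for path, entry in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # "" is the root project; workspace roots also have no node_modules/
        name = path.rsplit("node_modules/", 1)[1]  # scoped names (@org/pkg) survive this
        if name in fixed and not is_patched(entry.get("version", "0.0.0"), fixed[name]):
            hits.append((path, name, entry["version"]))
    return hits


# Constructed sample lockfile (lockfileVersion 3 layout): one top-level copy that is
# one patch behind, and a nested prerelease copy pulled in by a dependency.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/react-server-dom-webpack": {
            "version": "19.0.1-canary-abc"
        },
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}


def load_lock(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    import sys
    lock = load_lock(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, name, version in find_unpatched(lock, PLACEHOLDER_FIXED):
        print(f"UNPATCHED {name}@{version} at {path}")
```

Run it as `python rsc_lock_check.py path/to/package-lock.json`, or with no argument to see the two constructed hits. Because the check is keyed on the lockfile path rather than on the package name alone, a project that upgraded `react-server-dom-webpack` at the top level but still carries an old nested copy under another dependency is reported rather than silently passed.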
Attacks originating from various sources and driven by different motivations are spreading globally. Google Threat Intelligence has observed financially motivated actors and at least five Chinese espionage groups exploiting the defect across multiple regions and industries. Google also identified attacks attributed to Iran.
Amazon previously reported that its threat intelligence teams detected exploitation attempts by groups like Earth Lamia and Jackpot Panda within hours of the vulnerability’s public disclosure. Cybersecurity firm S-RM detailed a ransomware attack on December 5th where React2Shell was used as an initial access vector, with attackers deploying Weaxor ransomware within a minute of gaining network access.
Widespread Targeting and Impact
Increased malicious activity is evident across the threat intelligence landscape. Cloudflare noted that multiple Asia-based threat groups have meticulously targeted networks in Taiwan, Xinjiang Uygur, Vietnam, Japan, and New Zealand. Selective targeting has also been observed against U.S. government websites, academic research institutions, and critical infrastructure operators.
These critical infrastructure targets include a national authority responsible for the import and export of uranium, rare metals, and nuclear fuel. While several U.S. state and federal agencies have been targeted, Blake Darché, head of threat intelligence at Cloudflare, said there is no confirmed exploitation against them. The Cybersecurity and Infrastructure Security Agency declined to comment on specific attacks against government agencies.
Darché added, “Victimology has now evolved to be universal, with critical infrastructure targets just a small slice of all organizations and industries under attack.” The number of source networks observed exploiting this vulnerability has reached a new all-time high every day since its disclosure, according to Andrew Morris, founder and chief architect at GreyNoise.
React2Shell has caused widespread alarm in the two weeks since its disclosure. Researchers anticipate that this vulnerability will have long-lasting impacts. Austin Larsen, principal analyst at GTIG, believes it will be one of the more consequential defects observed under active exploitation this year. The initial debate surrounding the defect’s seriousness has largely concluded, with exploitation timelines shrinking from weeks to hours.
The next expected steps involve continued patching efforts and ongoing monitoring for emergent threats. Organizations must remain vigilant as attackers continue to leverage this vulnerability, and the full scope of its impact is still unfolding.