- React2Shell (CVE‑2025‑55182) exploited to compromise hundreds of systems worldwide
- China‑linked groups and North Korea abuse flaw for persistence, espionage, and cryptomining
- Patch immediately to React versions 19.0.1, 19.1.2, or 19.2.1.
React2Shell, a critical severity vulnerability in React Server Components (RCS), was already used to compromise “several hundred machines across a diverse set of organizations”.
This is according to Microsoft, whose latest blog post discusses the vulnerability and how to defend against incoming attacks.
In early December, the React team published a security advisory detailing a pre-authentication bug in multiple versions of multiple packs, affecting RCS. The bug, now dubbed “React2Shell”, is tracked as CVE-2025-55182, and is given a severity score of 10/10 (critical).
Arbitrary commands, droppers, and cryptominers
Given that React is one of the most popular JavaScript libraries out there, powering much of today’s internet, researchers warned that exploitation was imminent, urging everyone to apply the fix without delay and update their systems to versions 19.0.1, 19.1.2, and 19.2.1.
Now, Microsoft says these warnings have come true, as numerous threat actors have abused the flaw to run arbitrary commands, drop malware, and move laterally throughout the target infrastructure, successfully blending with other legitimate traffic.
Redmond also stressed that the number of attacks increased after React publicly disclosed the findings, as more threat actors moved in to deploy memory-based downloaders and cryptominers.
Two weeks ago, Amazon Web Services (AWS) reported that two China-linked groups, Earth Lamia and Jackpot Panda, have been seen using the bug to target organizations in different verticals.
Targets are located all over the world, from Latin America to the Middle East and Southeast Asia. Financial services firms, logistics, retail, IT companies, universities, and government organizations are all being attacked – with the goal of the attacks being establishing persistence and cyber-espionage.
Soon afterwards, researchers also observed North Korean state-sponsored threat actors doing the same. The only difference is that the North Koreans are using the flaw to deploy a novel persistence mechanism malware dubbed EtherRAT. Compared to what Earth Lamia and Jackpot Panda were doing, EtherRAT is “far more sophisticated”, representing a persistent access implant that combines the techniques from at least three documented campaigns.
Via The Register
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
