Threat actors are actively exploiting a critical insecure-deserialization flaw in React Server Components—tracked as CVE-2025-55182 and dubbed React2Shell—to achieve remote code execution across multiple industries. Exploitation has led to widespread deployment of miners and botnets such as XMRig, RustoBot, Kaiji, Sliver, and EtherRAT, with persistence via systemd/cron, container escape chains, DNS tunneling, and Ethereum-based C2. #React2Shell #XMRig
Key points
- CVE-2025-55182 (React2Shell) enables remote code execution via insecure deserialization in the Flight protocol of React Server Components.
- Vulnerable packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack versions 19.0–19.2.0; patches were released in 19.0.1, 19.1.2, and 19.2.1.
- Observed payloads include XMRig, RustoBot, Kaiji (Ares build), Sliver, EtherRAT, CrossC2 (Cobalt Strike), Tactical RMM, and VShell.
- Attackers used container-based execution and chained Base64-encoded commands to download binaries, establish persistence via systemd and cron, and erase forensic traces.
- Campaigns featured cryptocurrency mining, DDoS capabilities, DNS-based data exfiltration, and Ethereum smart contract–derived C2 for stealthy long-term access across multiple sectors and countries.
Read More: https://thecyberexpress.com/cve-2025-55182-react2shell-active-exploitation/