Find notable cyber news and cases, enriched with sources, timelines, and signals.
Exploitation Wave Campaign ×2 Security Patch Release Vulnerability

React2Shell exploitation with ransomware and broad probing

Updated 06.04.2026 18:31
Case score 71
Case score 71 Members 5 Latest activity 06.04.2026 18:31
Active exploitation Patch available CVSS: 10.0 Critical
Members 5 First seen 03.12.2025 20:19 Last seen 20.02.2026 23:07 Updated 06.04.2026 18:31

Overview

**CVE-2025-55182** is being actively abused against **React Server Components** and **Next.js** deployments, with one observed intrusion using the flaw to deploy **Weaxor ransomware** in under a minute and another campaign dropping **EtherRAT** for persistent access. Separate probes tied to **Earth Lamia** and **Jackpot Panda** also attempted the same flaw alongside **CVE-2025-1338**, showing fast operationalization across both targeted intrusion and broad scanning. React has released fixed package versions, and adjacent **CVE-2025-55183** updates address a source-code leak in related RSC packages. Operators should patch exposed systems and check internet-facing React instances for compromise markers, but the full reach of exploitation remains unquantified.

Signals

14 derived
Impact signals
Exploitation
CVSS 10.0 Critical Exploitation Active exploitation
Affected impact
Affected service
CVEs/products
CVE CVE CVE
Victims/regions
Victim region United States
Remediation
Urgency Immediate Remediation Patch available
Status
Campaign status Active
Threat context
Tooling Ransomware Actor Earth Lamia Actor Jackpot Panda

Malware context

25 families · 9 tools
Tools
Cobalt Strike CowTunnel Fast Reverse Proxy (FRP) Gitleaks MeshAgent NEXUS Listener React2Shell Sliver C2 framework +1

Member happenings

5 related
Exploitation Wave React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Updated 20.02.2026 23:07 Lead Contribution 64
Exploitation Active Exploitation CVSS 10.0 Critical Patch Patch Available

**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang** that used the flaw for initial access and deployed **Weaxor ransomware** in **less than a minute**. **S-RM** observed the attack on **December 5, 2025**, and the post-exploitation chain included **Cobalt Strike**, **Windows Defender** tampering, and **log clearing**. The incident is part of a broader exploitation wave that began after public disclosure on **December 3, 2025** and has drawn multiple threat actors. | **CVE-2025-55182 (React2Shell)** is an **insecure deserialization** issue in the **React Server Components (RSC) 'Flight' protocol** used by **React** and the **Next.js framework**. It can be exploited remotely without authentication to execute JavaScript in the server's context. The flaw has been used in **cyberespionage**, **malware delivery**, and **cryptomining** campaigns, underscoring the risk to exposed **React/Next.js-based systems**.

Campaign Earth Lamia and Jackpot Panda broad multi-CVE scanning campaign
Updated 05.12.2025 16:10 Scoring Support Contribution 2
Campaign Active Patch Patch Available

**Earth Lamia** and **Jackpot Panda** mounted a **broad multi-CVE scanning campaign** that quickly weaponized **CVE-2025-55182 / React2Shell**, raising the chance that unpatched systems would be hit before defenders could respond. The operation also probed for **other N-day flaws**, including **CVE-2025-1338**, showing an attempt to broaden reach beyond a single bug. Probes observed in **AWS MadPot** included discovery commands and file access attempts, indicating active follow-on reconnaissance. The campaign matters because it combines **rapid public-exploit adoption** with **simultaneous scanning** across multiple vulnerabilities.

Vulnerability React Server Components source code leak security flaw (CVE-2025-55183)
Updated 12.12.2025 10:55 Scoring Support Contribution 2
Data Type Source Code CVSS 10.0 Critical Patch Patch Available

**CVE-2025-55183** discloses a **React Server Components** information leak that could expose the **source code of any Server Function** in affected **react-server-dom-parcel**, **react-server-dom-turbopack**, and **react-server-dom-webpack** builds. The flaw matters because a **crafted HTTP request** can trigger the leak on vulnerable **Server Function** endpoints, and fixes are now available.

Campaign React2Shell exploitation campaign delivering EtherRAT
Updated 09.12.2025 19:15 Scoring Support Contribution 2
Campaign Active

The **React2Shell** exploitation campaign now goes beyond initial access, with attackers dropping **EtherRAT** and other post-exploit tooling to keep long-term access. The activity follows public disclosure of **CVE-2025-55182** and targets **React Server Components** and related frameworks. Some of the observed tradecraft overlaps with **North Korean**-linked tooling, while other attempts deploy miners or credential harvesters. The mix of payloads shows an active, multi-actor abuse of a critical **RCE** flaw.

Security Patch Release React Team security patch release for CVE-2025-55182
Updated 03.12.2025 20:19 Context
CVSS 10.0 Critical Urgency Immediate Patch Patch Available

The **React Team** released fixed **React Server Components** package versions, closing a **maximum-severity RCE** path in affected deployments. The updates land in **19.0.1, 19.1.2, and 19.2.1** for **react-server-dom-webpack**, **react-server-dom-parcel**, and **react-server-dom-turbopack**. The patch matters because the flaw can let an attacker achieve **unauthenticated remote code execution** through unsafe RSC payload decoding.