React2Shell exploitation with ransomware and broad probing

**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang** that used the flaw for initial access and deployed **Weaxor ransomware** in **less than a minute**. **S-RM** observed the attack on **December 5, 2025**, and the post-exploitation chain included **Cobalt Strike**, **Windows Defender** tampering, and **log clearing**. The incident is part of a broader exploitation wave that began after public disclosure on **December 3, 2025** and has drawn multiple threat actors. | **CVE-2025-55182 (React2Shell)** is an **insecure deserialization** issue in the **React Server Components (RSC) 'Flight' protocol** used by **React** and the **Next.js framework**. It can be exploited remotely without authentication to execute JavaScript in the server's context. The flaw has been used in **cyberespionage**, **malware delivery**, and **cryptomining** campaigns, underscoring the risk to exposed **React/Next.js-based systems**.

**Earth Lamia** and **Jackpot Panda** mounted a **broad multi-CVE scanning campaign** that quickly weaponized **CVE-2025-55182 / React2Shell**, raising the chance that unpatched systems would be hit before defenders could respond. The operation also probed for **other N-day flaws**, including **CVE-2025-1338**, showing an attempt to broaden reach beyond a single bug. Probes observed in **AWS MadPot** included discovery commands and file access attempts, indicating active follow-on reconnaissance. The campaign matters because it combines **rapid public-exploit adoption** with **simultaneous scanning** across multiple vulnerabilities.

**CVE-2025-55183** discloses a **React Server Components** information leak that could expose the **source code of any Server Function** in affected **react-server-dom-parcel**, **react-server-dom-turbopack**, and **react-server-dom-webpack** builds. The flaw matters because a **crafted HTTP request** can trigger the leak on vulnerable **Server Function** endpoints, and fixes are now available.

The **React2Shell** exploitation campaign now goes beyond initial access, with attackers dropping **EtherRAT** and other post-exploit tooling to keep long-term access. The activity follows public disclosure of **CVE-2025-55182** and targets **React Server Components** and related frameworks. Some of the observed tradecraft overlaps with **North Korean**-linked tooling, while other attempts deploy miners or credential harvesters. The mix of payloads shows an active, multi-actor abuse of a critical **RCE** flaw.

The **React Team** released fixed **React Server Components** package versions, closing a **maximum-severity RCE** path in affected deployments. The updates land in **19.0.1, 19.1.2, and 19.2.1** for **react-server-dom-webpack**, **react-server-dom-parcel**, and **react-server-dom-turbopack**. The patch matters because the flaw can let an attacker achieve **unauthenticated remote code execution** through unsafe RSC payload decoding.