Exploitation Wave
Campaign ×2
Security Patch Release
Vulnerability
React2Shell exploitation with ransomware and broad probing
Updated 06.04.2026 18:31
Case score 71
Score breakdown
- Total: 71
- Lead score: 64
- Support bonus: +7 / 20
- Scoring support: 3
- Context members: 1
Top contributors
- Exploitation Wave (base): Core exploitation wave and principal activity.
- Campaign (support): Shows the flaw used to deliver EtherRAT and maintain persistent access.
- Campaign (support): Shows rapid multi-CVE scanning and early exploitation by named actors.
- Security Patch Release (context): Provides the fixed React Server Components package line and remediation path.
Members 5
Latest activity 06.04.2026 18:31
Active exploitation
Patch available
CVSS: 10.0 Critical
First seen 03.12.2025 20:19
Last seen 20.02.2026 23:07
Overview
**CVE-2025-55182** is being actively abused against **React Server Components** and **Next.js** deployments, with one observed intrusion using the flaw to deploy **Weaxor ransomware** in under a minute and another campaign dropping **EtherRAT** for persistent access. Separate probes tied to **Earth Lamia** and **Jackpot Panda** also attempted the same flaw alongside **CVE-2025-1338**, showing fast operationalization across both targeted intrusion and broad scanning.
React has released fixed package versions, and adjacent **CVE-2025-55183** updates address a source-code leak in related RSC packages. Operators should patch exposed systems and check internet-facing React instances for compromise markers, but the full reach of exploitation remains unquantified.
Attackers are actively exploiting **CVE-2025-55182** in **React Server Components** and **Next.js** environments. One observed intrusion used the flaw for initial access and deployed **Weaxor ransomware** in less than a minute. The post-exploitation chain included an obfuscated **PowerShell** command, a **Cobalt Strike** beacon, **Windows Defender** tampering, and log clearing. The attacker left **.WEAX** files and **RECOVERY INFORMATION.txt** ransom notes.
The same vulnerability has also been used for cyberespionage, malware delivery, and cryptomining, showing that abuse of exposed **React** and **Next.js** systems remains active across multiple threat types. In parallel, a separate exploitation chain used **React2Shell** to drop **EtherRAT**, which resolves C2 through **Ethereum smart contracts** and adds multiple persistence mechanisms. Another set of probes from infrastructure associated with **Earth Lamia** and **Jackpot Panda** attempted **CVE-2025-55182** alongside **CVE-2025-1338** and used discovery commands involving **whoami**, `/tmp/pwned.txt`, and `/etc/passwd`.
The React team released fixed **React Server Components** package versions on **2025-12-03** for **19.0.1**, **19.1.2**, and **19.2.1**. Related **CVE-2025-55183** fixes address a source-code leak in **react-server-dom-parcel**, **react-server-dom-turbopack**, and **react-server-dom-webpack**, with upgrades to **19.0.3**, **19.1.4**, or **19.2.3**. Operators should patch exposed React deployments and check internet-facing instances for compromise after remediation, but available evidence does not quantify the full reach of exploitation.
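As an added example (not code from the React project or from this case's sources), the following Node.js script audits a parsed `package-lock.json` for the three RSC packages named above against the fixed versions quoted on this page. The lockfile contents are constructed; applying both CVE thresholds to all three packages, treating a prerelease as one patch lower, and leaving versions outside the 19.0/19.1/19.2 lines unassessed are assumptions of the example. Next.js releases are not assessed because this page lists no fixed Next.js versions.

```javascript
// Added example: patch levels per 19.x line are the ones quoted on this page.
const RSC_PACKAGES = ["react-server-dom-parcel", "react-server-dom-turbopack", "react-server-dom-webpack"];
const FIXED = {
  "CVE-2025-55182": { "19.0": 1, "19.1": 2, "19.2": 1 },
  "CVE-2025-55183": { "19.0": 3, "19.1": 4, "19.2": 3 },
};

// Classify one version string and list the CVE fixes it still lacks.
function assessVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version || "");
  if (!m) return { status: "unparsed", missing: [] };
  const line = `${m[1]}.${m[2]}`;
  // Assumption: lines other than 19.0/19.1/19.2 are outside what this page covers.
  if (!(line in FIXED["CVE-2025-55182"])) return { status: "not-assessed", missing: [] };
  // Assumption: a prerelease of x.y.z sorts before x.y.z, so count it one patch lower.
  const effective = m[4] ? Number(m[3]) - 1 : Number(m[3]);
  const missing = Object.keys(FIXED).filter((cve) => effective < FIXED[cve][line]);
  return { status: missing.length ? "upgrade" : "fixed", missing };
}

// Walk the "packages" map of a lockfile (v2/v3 layout), including nested copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!RSC_PACKAGES.includes(name)) continue;
    findings.push({ path, version: meta.version, ...assessVersion(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-dep/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.0.3" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.status} ${f.missing.join(", ")}`);
}
```

To run it against a real project, pass the result of `JSON.parse` on that project's `package-lock.json` to `auditLockfile` in place of `SAMPLE_LOCK`.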