React2Shell Exploit Used to Hijack Web Traffic via NGINX Configurations
Summary
Threat actors are exploiting the React2Shell vulnerability (CVE-2025-55182) in NGINX servers to hijack web traffic. The campaign targets Asian TLDs, Chinese hosting infrastructure, and government/educational domains. Malicious NGINX configurations redirect traffic through attacker-controlled servers. The attack involves a multi-stage toolkit with scripts for persistence and traffic redirection. Two IP addresses account for 56% of exploitation attempts, with distinct post-exploitation payloads observed. Additionally, a coordinated reconnaissance campaign targeting Citrix ADC Gateway and NetScaler Gateway infrastructure was discovered, using residential proxies and an Azure IP address.
Timeline
- 05.02.2026 06:56 (1 article): React2Shell Exploit Used to Hijack Web Traffic via NGINX Configurations
- Hackers Exploit React2Shell to Hijack Web Traffic via Compromised NGINX Servers — thehackernews.com — 05.02.2026 06:56
Information Snippets
- Threat actors are exploiting CVE-2025-55182 (React2Shell) in NGINX servers to hijack web traffic.
  First reported: 05.02.2026 06:56 (1 source, 1 article)
- The campaign targets Asian TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure (Baota Panel), and government/educational TLDs (.edu, .gov).
  First reported: 05.02.2026 06:56 (1 source, 1 article)
- Malicious NGINX configurations intercept legitimate web traffic and route it through attacker-controlled servers.
  First reported: 05.02.2026 06:56 (1 source, 1 article)
- The attack involves a multi-stage toolkit with scripts for persistence and traffic redirection.
  First reported: 05.02.2026 06:56 (1 source, 1 article)
- Two IP addresses (193.142.147[.]209 and 87.121.84[.]24) account for 56% of all observed exploitation attempts.
  First reported: 05.02.2026 06:56 (1 source, 1 article)
- A total of 1,083 unique source IP addresses have been involved in React2Shell exploitation between January 26 and February 2, 2026.
  First reported: 05.02.2026 06:56 (1 source, 1 article)
- Distinct post-exploitation payloads include retrieving cryptomining binaries and opening reverse shells.
  First reported: 05.02.2026 06:56 (1 source, 1 article)
- A coordinated reconnaissance campaign targeting Citrix ADC Gateway and NetScaler Gateway infrastructure was discovered, using residential proxies and an Azure IP address (52.139.3[.]76).
  First reported: 05.02.2026 06:56 (1 source, 1 article)
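Since the campaign works by altering NGINX configurations so that traffic is routed through servers the operator does not control, a configuration audit is a direct check. The following is an added example, not code from the source article: it assumes the rerouting uses NGINX's proxy_pass directive, and the allowlist, hostnames and sample configuration are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only hosts this server should ever proxy to (constructed values).
ALLOWED_UPSTREAMS = {"127.0.0.1", "localhost", "app.internal.example"}

# Constructed sample config; the hostnames and the 203.0.113.7 address are placeholders.
SAMPLE_CONF = """
upstream backend { server 127.0.0.1:3000; }
upstream mirror { server 127.0.0.1:3001; server 203.0.113.7:80; }
server {
    listen 80;
    server_name www.example.edu;
    location / { proxy_pass http://backend; }
    location /api/ { proxy_pass http://app.internal.example:8080/; }
    # proxy_pass http://old.example;   (commented out, ignored)
    location /news/ { proxy_pass https://cdn.unknown-host.example/; }
    location /img/ { proxy_pass http://mirror; }
}
"""

PROXY_PASS = re.compile(r"\bproxy_pass\s+([^;\s]+)\s*;")
UPSTREAM = re.compile(r"\bupstream\s+(\S+)\s*\{([^}]*)\}")
SERVER = re.compile(r"\bserver\s+([^;\s]+)")

def host_of(value):
    """Host part of a proxy_pass URL or an upstream 'server' address."""
    return urlsplit(value if "//" in value else "//" + value).hostname or ""

def audit_proxy_targets(conf, allowed=ALLOWED_UPSTREAMS):
    """Return (line, target, unexpected_hosts) for each proxy_pass to review."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments, keep line numbering
    pools = {n.lower(): SERVER.findall(body) for n, body in UPSTREAM.findall(conf)}
    findings = []
    for m in PROXY_PASS.finditer(conf):
        host = host_of(m.group(1))
        # A named upstream is judged by its member servers, not by its label.
        hosts = [host_of(s) for s in pools[host]] if host in pools else [host]
        # Unix sockets are local; variables ($name) cannot be resolved, so they are flagged.
        bad = [h for h in hosts if h != "unix" and h not in allowed]
        if bad:
            line = conf.count("\n", 0, m.start(1)) + 1
            findings.append((line, m.group(1), bad))
    return findings

if __name__ == "__main__":
    for line, target, bad in audit_proxy_targets(SAMPLE_CONF):
        print(f"line {line}: proxy_pass {target} -> unexpected host(s) {bad}")
```

The function reads a single text blob and does not follow include directives, so feed it the output of `nginx -T`, which dumps the full configuration with includes expanded.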