
React2Shell (CVE-2025-55182) mass scanning and exploitation wave

Exploitation Wave
Happening score: 64
3 unique sources, 4 articles

Summary


CVE-2025-55182 (React2Shell) is being actively exploited across React Server Components (RSC) and Next.js environments, with reports now adding a ransomware gang that used the flaw for initial access and deployed Weaxor ransomware in less than a minute. S-RM observed the attack on December 5, 2025, and the post-exploitation chain included Cobalt Strike, Windows Defender tampering, and log clearing. The incident is part of a broader exploitation wave that began after public disclosure on December 3, 2025 and has drawn multiple threat actors.

CVE-2025-55182 (React2Shell) is an insecure deserialization issue in the React Server Components (RSC) 'Flight' protocol used by React and the Next.js framework. It can be exploited remotely without authentication to execute JavaScript in the server's context. The flaw has been used in cyberespionage, malware delivery, and cryptomining campaigns, underscoring the risk to exposed React/Next.js-based systems.


Related Happenings

Burst Statistics authentication bypass (CVE-2026-8181)

Vulnerability
First: 15.05.2026 00:07 Last: 15.05.2026 00:07 Sources 1

About this happening: **Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...

FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...

MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)

Vulnerability
First: 05.05.2026 14:56 Last: 05.05.2026 14:56 Sources 1

About this happening: **CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...

cPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

Nginx UI auth-bypass exploitation wave (CVE-2026-33032)

Exploitation Wave
First: 16.04.2026 01:35 Last: 16.04.2026 01:35 Sources 1

About this happening: **CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...

Timeline

  1. 20.02.2026 23:07 4 articles · 3mo ago

    React2Shell scanning and targeting expand worldwide

    Campaign Scope Update

    An unknown, possibly state-sponsored threat actor uses the ILovePoop toolkit to probe tens of millions of IP addresses worldwide for exposed React systems. Targeting includes government, defense, finance, and industrial organizations. Researchers assess that the actor may be involved in state-sponsored espionage, and note that React2Shell has also appeared in ransomware campaigns and other botnet activity.

  2. 17.12.2025 18:09 1 article · 5mo ago

    React2Shell exploitation deploys Weaxor ransomware

    Technical Analysis Update

    On December 5, 2025, a threat actor exploited CVE-2025-55182 against a React/Next.js-based system at the affected organization, gained initial access, and deployed Weaxor ransomware less than a minute later. The attacker then executed an obfuscated PowerShell command to launch a Cobalt Strike beacon, disabled Windows Defender real-time protection, wiped volume shadow copies, cleared event logs, and left files with the .WEAX extension alongside RECOVERY INFORMATION.txt ransom notes.

  3. 03.12.2025 02:00 1 article · 5mo ago

    React2Shell is publicly disclosed

    Initial Disclosure

    CVE-2025-55182, also known as React2Shell, is publicly disclosed as a remote code execution vulnerability in React Server Components. It can let an attacker take full control of vulnerable web servers with a single web request, sometimes without authentication, and is rated 10 out of 10 in CVSS.
