Unnamed IT Sector Organizations and React Server Components: Attackers Exploiting React2Shell Vulnerability to Attack IT Sectors

React2Shell Exploits Target Insurance, E-Commerce, and IT Sectors in Rapid Cyberattacks

Threat actors are actively exploiting CVE-2025-55182 (React2Shell), a critical vulnerability in React Server Components, to compromise organizations in the insurance, e-commerce, and IT sectors. The flaw stems from insecure deserialization in the Flight protocol, enabling attackers to execute unauthorized code on vulnerable servers.

Exploitation campaigns have moved swiftly, with adversaries weaponizing the vulnerability within hours of disclosure. While many critical flaws never see real-world use, React2Shell has become a prime target, delivering XMRig cryptocurrency miners, botnets, and remote access tools.

Attack Scope and Malware Payloads

  • Russian entities faced attacks deploying RustoBot and Kaiji botnets, which conduct DDoS attacks and establish persistence via systemd services, crontab tasks, and modified system utilities.
  • Global campaigns distributed a broader range of malware, including:
    • CrossC2 implants (Cobalt Strike payloads with AES-128-CBC encryption)
    • Tactical RMM (remote management tool abuse)
    • VShell backdoors
    • EtherRAT (JavaScript-based malware retrieving C2 addresses from Ethereum smart contracts)

Affected Systems and Patches

React2Shell impacts multiple React Server Component packages, including:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack (versions 19.0, 19.1.0, 19.1.1, 19.2.0)

Patches are available in versions 19.0.1, 19.1.2, and 19.2.1, but security experts warn that patching alone is insufficient. Organizations must also scan for post-exploitation activity, as attackers often deploy multiple malicious tools in a single breach.

Infection Mechanism

  1. Initial Access: Attackers exploit React2Shell to execute commands in compromised containers.
  2. Malware Deployment: Bash scripts (e.g., wocaosinm.sh, setup2.sh) download architecture-specific payloads, including:
    • Kaiji botnet (DDoS attacks, persistence via systemd/crontab)
    • XMRig miner (version 6.24.0, with CPU throttling to evade detection)
  3. Data Exfiltration: Attackers use DNS tunneling (nslookup) to encode and transmit stolen data via subdomain queries.
  4. Persistence Techniques:
    • CrossC2 payloads disguise themselves as "Rsyslo AV Agent Service" via systemd.
    • EtherRAT employs five persistence methods, including XDG Autostart, .bashrc, and .profile modifications.
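Added example, not code from the article or from any tool it names: a small heuristic detector for the exfiltration channel described in step 3, where data is encoded into the subdomain labels of otherwise ordinary lookups. It scores each queried name on label length, total encoded length, character set and entropy, requires two signals before flagging so that long but legitimate hostnames do not trip it on entropy alone, and counts flagged queries per client. The resolver log format, the thresholds, the "last two labels are the registrable domain" rule and the sample lines (including the hex labels) are all constructed assumptions.

```javascript
// Added example, not code from the article. Heuristic DNS-tunnelling detector:
// looks for the pattern of encoded data carried in subdomain labels.
// Thresholds and the "registrable domain = last two labels" rule are
// assumptions; tune them to your environment (e.g. with a public-suffix list).
const BASE_DOMAIN_LABELS = 2;   // assumption: registrable domain = last two labels
const LONG_LABEL = 30;          // a single label this long is rare in normal traffic
const LONG_SUBDOMAIN = 60;      // total characters carried left of the base domain
const HIGH_ENTROPY = 3.5;       // bits per character; encoded data tends to score high
const MIN_ENCODED = 16;         // ignore short subdomains for entropy/hex checks

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Score one queried name. Returns the individual signals and a verdict that
// requires at least two signals, so a long but legitimate CDN-style hostname
// that only scores on entropy is not flagged on its own.
function analyzeQname(qname) {
  const labels = qname.replace(/\.$/, "").toLowerCase().split(".");
  const sub = labels.slice(0, Math.max(0, labels.length - BASE_DOMAIN_LABELS));
  const encoded = sub.join("");
  const reasons = [];
  if (sub.some((l) => l.length >= LONG_LABEL)) reasons.push("long-label");
  if (encoded.length >= LONG_SUBDOMAIN) reasons.push("long-subdomain");
  if (encoded.length >= MIN_ENCODED && shannonEntropy(encoded) >= HIGH_ENTROPY) reasons.push("high-entropy");
  if (encoded.length >= MIN_ENCODED && /^[0-9a-f]+$/.test(encoded)) reasons.push("hex-only");
  return { qname, reasons, suspicious: reasons.length >= 2 };
}

// Constructed resolver log lines: "<timestamp> <client-ip> <queried-name>".
// The hex labels are made-up sample data ("Hello World 1234", "sample-data-only"
// in hex), not real indicators.
const SAMPLE_LOG = [
  "2025-06-01T10:00:01Z 10.0.0.5 www.example.com",
  "2025-06-01T10:00:02Z 10.0.0.5 cdn-assets-prod-eu-west-1.storage.example.net",
  "2025-06-01T10:00:03Z 10.0.0.77 4142434445464748494a4b4c4d4e4f50.5152535455565758595a303132333435.01.exfil.example",
  "2025-06-01T10:00:04Z 10.0.0.77 48656c6c6f20576f726c642031323334.73616d706c652d646174612d6f6e6c79.02.exfil.example",
  "2025-06-01T10:00:05Z 10.0.0.9 api.github.com",
];

function parseLine(line) {
  const [ts, client, qname] = line.trim().split(/\s+/);
  return { ts, client, qname };
}

// Count flagged queries per client; one tunnelled transfer produces a burst
// of such queries from the same source, which is the signal worth alerting on.
function suspiciousByClient(lines) {
  const counts = {};
  for (const line of lines) {
    const { client, qname } = parseLine(line);
    if (analyzeQname(qname).suspicious) counts[client] = (counts[client] || 0) + 1;
  }
  return counts;
}

for (const [client, n] of Object.entries(suspiciousByClient(SAMPLE_LOG))) {
  console.log(`${client}: ${n} suspicious DNS queries`);
}
```

On the sample data only the two queries from 10.0.0.77 are flagged: the CDN-style name scores on entropy alone and is left untouched, which is why the verdict needs two signals. In production the per-client count over a short window is the thing to alert on, and the base-domain rule should use a public-suffix list rather than a fixed two labels.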

Mitigation Recommendations

Beyond patching, organizations should:

  • Verify Next.js versions and dependencies
  • Rebuild projects after updates
  • Check lock files to ensure vulnerable packages are removed
  • Restrict experimental React Server Components in production unless fully patched
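One way to carry out the lock-file check in the list above, as an added example that is not code from the article or from the React project: a Node script that walks an npm package-lock.json (lockfileVersion 1, 2 or 3), finds every resolved copy of the three React Server Components packages the article names, including nested copies under other dependencies, and classifies each version against the vulnerable and patched lists the article gives. Reading "19.0" as 19.0.0 and applying the same version list to all three packages are assumptions made here, as is the constructed sample lock file; prerelease builds are reported for manual review rather than guessed at.

```javascript
// Added example, not code from the article or the React project: scan an npm
// package-lock.json for the React Server Components packages named in the
// advisory and report whether each resolved version is listed as vulnerable
// or patched. The version lists are taken from the article; applying them to
// all three packages is an assumption made here.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Article lists 19.0, 19.1.0, 19.1.1 and 19.2.0 as affected ("19.0" read as 19.0.0)
// and 19.0.1, 19.1.2 and 19.2.1 as the patched releases.
const VULNERABLE = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCHED = new Set(["19.0.1", "19.1.2", "19.2.1"]);

// Normalise "19.0" -> "19.0.0" and split off any prerelease tag ("-canary-...").
function normalizeVersion(v) {
  const [base, ...pre] = v.split("-");
  const parts = base.split(".").map((p) => (p === "" ? "0" : p));
  while (parts.length < 3) parts.push("0");
  return { base: parts.slice(0, 3).join("."), prerelease: pre.join("-") || null };
}

function classify(version) {
  const { base, prerelease } = normalizeVersion(version);
  if (prerelease) return "prerelease - review manually";
  if (VULNERABLE.has(base)) return "vulnerable";
  if (PATCHED.has(base)) return "patched";
  return "unlisted - check advisory";
}

// Yield every installed package in the lock file. lockfileVersion 2/3 keep a
// flat "packages" map keyed by install path; lockfileVersion 1 nests a
// "dependencies" tree, which is walked recursively so nested copies are found.
function* lockEntries(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      yield { path, name, version: meta.version };
    }
  } else if (lock.dependencies) {
    const walk = function* (deps, prefix) {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        yield { path, name, version: meta.version };
        if (meta.dependencies) yield* walk(meta.dependencies, path + "/");
      }
    };
    yield* walk(lock.dependencies, "");
  }
}

// Return one finding per installed copy of an RSC package, with its status.
function auditLock(lock) {
  const findings = [];
  for (const e of lockEntries(lock)) {
    if (!RSC_PACKAGES.has(e.name) || !e.version) continue;
    findings.push({ ...e, status: classify(e.version) });
  }
  return findings;
}

// Constructed sample lock file (lockfileVersion 3) with a mix of outcomes,
// including a nested copy that a top-level "npm ls" glance can miss.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-parcel": { version: "19.1.1" },
    "node_modules/other-tool/node_modules/react-server-dom-webpack": { version: "19.2.0-canary-abc123" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(28)} ${f.name}@${f.version}  (${f.path})`);
}
```

Run it against the real lock file by replacing SAMPLE_LOCK with the parsed contents of package-lock.json; any "vulnerable" or "prerelease" line means the rebuild step above has not actually removed the affected package, most often because a nested copy is pinned by another dependency. The same walk applies to yarn and pnpm lock files once their formats are parsed.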

The attacks highlight the speed and sophistication of modern cyber threats, with adversaries rapidly adapting to newly disclosed vulnerabilities.

Source: https://cybersecuritynews.com/attackers-exploiting-react2shell-vulnerability/

InfraShield cybersecurity rating report: https://www.rankiteo.com/company/infrashield-com

Reaction Commerce (acquired by Mailchimp) cybersecurity rating report: https://www.rankiteo.com/company/reaction-commerce

{
  "id": "INFREA1769533068",
  "linkid": "infrashield-com, reaction-commerce",
  "type": "Cyber Attack",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "industry": ["Insurance", "E-commerce", "IT"],
      "location": "Global (with targeted attacks on Russian entities)",
      "type": "Organization"
    }
  ],
  "attack_vector": "Insecure deserialization in React Server Components (Flight protocol)",
  "data_breach": {
    "data_exfiltration": "Possible via DNS tunneling (nslookup)"
  },
  "description": "Threat actors are actively exploiting CVE-2025-55182 (React2Shell), a critical vulnerability in React Server Components, to compromise organizations in the insurance, e-commerce, and IT sectors. The flaw stems from insecure deserialization in the Flight protocol, enabling attackers to execute unauthorized code on vulnerable servers. Exploitation campaigns have moved swiftly, delivering XMRig cryptocurrency miners, botnets, and remote access tools.",
  "impact": {
    "data_compromised": "Potential data exfiltration via DNS tunneling",
    "operational_impact": "DDoS attacks, unauthorized remote access, system resource consumption (cryptocurrency mining)",
    "systems_affected": "Servers running vulnerable React Server Components (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack)"
  },
  "initial_access_broker": {
    "backdoors_established": ["CrossC2 implants", "VShell backdoors", "EtherRAT"],
    "entry_point": "React2Shell vulnerability (CVE-2025-55182)"
  },
  "lessons_learned": "Modern cyber threats adapt rapidly to newly disclosed vulnerabilities, requiring immediate patching and post-exploitation scanning. Restricting experimental React Server Components in production is advised.",
  "motivation": ["Financial gain (cryptocurrency mining)", "Botnet deployment", "Remote access"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Patching vulnerable packages",
      "Rebuilding projects with updated dependencies",
      "Restricting experimental React Server Components in production"
    ],
    "root_causes": "Insecure deserialization in React Server Components (Flight protocol)"
  },
  "recommendations": [
    "Patch vulnerable React Server Components to versions 19.0.1, 19.1.2, or 19.2.1",
    "Rebuild projects after updates and verify lock files to remove vulnerable packages",
    "Scan for post-exploitation activity (e.g., Kaiji botnet, XMRig miners, CrossC2 implants)",
    "Restrict experimental React Server Components in production unless fully patched",
    "Monitor for DNS tunneling and unusual systemd/crontab modifications"
  ],
  "references": [
    {"source": "Cyber Incident Description"}
  ],
  "response": {
    "enhanced_monitoring": "Recommended to detect post-exploitation activity",
    "remediation_measures": "Patching vulnerable React Server Components to versions 19.0.1, 19.1.2, or 19.2.1; scanning for post-exploitation activity"
  },
  "title": "React2Shell Exploits Target Insurance, E-Commerce, and IT Sectors",
  "type": "Vulnerability Exploitation",
  "vulnerability_exploited": "CVE-2025-55182 (React2Shell)"
}