Meta: Attackers hit React defect as researchers quibble over proof

Attackers of different origins and motivations swiftly exploited a critical vulnerability dubbed React2Shell, which affects React Server Components, shortly after Meta and the React team publicly disclosed the flaw with a patch Wednesday.

Multiple security firms are responding to active exploitation in the wild as a scrum of reports conclude the malicious activity is limited to scanning and attempts instead of actual attacks. Yet, official word from the Cybersecurity and Infrastructure Security Agency is clear — the agency added CVE-2025-55182 to its known exploited vulnerabilities catalog Friday.

Reaction to the deserialization vulnerability, which has a CVSS rating of 10 and allows unauthenticated attackers to achieve remote-code execution, has revealed a chasm in the cybersecurity research community. Threat analysts are mostly growing more concerned about downstream impacts, but some are urging defenders to respond with less urgency and more restraint.

A debate over actual exploitation is muddying response efforts as some researchers say they’ve observed working proofs of concept and others assert legitimate PoCs are lacking. Nonetheless, real organizations have been impacted by attacks, according to multiple researchers investigating the fallout.

Palo Alto Networks’ incident response firm Unit 42, watchTowr and Wiz told CyberScoop they’ve observed successful exploitation and follow-on malicious activity.

As of late Friday, Unit 42 has confirmed more than 30 orga

Source: https://cyberscoop.com/attackers-exploit-react-server-vulnerability/

Meta cybersecurity rating report: https://www.rankiteo.com/company/meta

"id": "MET1765187845",
"linkid": "meta",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'incident': {'affected_entities': [{'customers_affected': None,
                                     'industry': None,
                                     'location': None,
                                     'name': None,
                                     'size': None,
                                     'type': 'Organizations using React Server '
                                             'Components'}],
              'attack_vector': 'Deserialization vulnerability in React Server '
                               'Components',
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': None,
                              'file_types_exposed': None,
                              'number_of_records_exposed': None,
                              'personally_identifiable_information': None,
                              'sensitivity_of_data': None,
                              'type_of_data_compromised': None},
              'date_publicly_disclosed': 'Wednesday (patch disclosure)',
              'description': 'Attackers exploited a critical vulnerability '
                             '(CVE-2025-55182) in React Server Components, '
                             'allowing unauthenticated remote-code execution. '
                             'The flaw was disclosed by Meta and the React '
                             'team, with active exploitation observed in the '
                             'wild, though primarily limited to scanning and '
                             'attempts. Multiple security firms confirmed '
                             'successful exploitation and follow-on malicious '
                             'activity.',
              'impact': {'brand_reputation_impact': None,
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': None,
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': None,
                         'legal_liabilities': None,
                         'operational_impact': None,
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': 'React Server Components'},
              'initial_access_broker': {'backdoors_established': None,
                                        'data_sold_on_dark_web': None,
                                        'entry_point': None,
                                        'high_value_targets': None,
                                        'reconnaissance_period': None},
              'investigation_status': 'Ongoing (Unit 42 confirmed over 30 '
                                      'organizations impacted)',
              'post_incident_analysis': {'corrective_actions': None,
                                         'root_causes': 'Deserialization '
                                                        'vulnerability in '
                                                        'React Server '
                                                        'Components'},
              'ransomware': {'data_encryption': None,
                             'data_exfiltration': None,
                             'ransom_demanded': None,
                             'ransom_paid': None,
                             'ransomware_strain': None},
              'references': [{'date_accessed': None,
                              'source': 'CyberScoop',
                              'url': None},
                             {'date_accessed': 'Friday',
                              'source': 'CISA Known Exploited Vulnerabilities '
                                        'Catalog',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': None,
                                        'regulations_violated': None,
                                        'regulatory_notifications': 'CISA '
                                                                    'added '
                                                                    'CVE-2025-55182 '
                                                                    'to its '
                                                                    'known '
                                                                    'exploited '
                                                                    'vulnerabilities '
                                                                    'catalog'},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': None,
                           'containment_measures': None,
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': 'Patch released by Meta and '
                                                   'React team',
                           'third_party_assistance': ["Palo Alto Networks' "
                                                      'Unit 42',
                                                      'watchTowr',
                                                      'Wiz']},
              'threat_actor': ['Multiple origins and motivations'],
              'title': 'React2Shell Vulnerability Exploitation',
              'type': 'Remote Code Execution (RCE)',
              'vulnerability_exploited': 'CVE-2025-55182 (CVSS 10)'}}