Plugging the React2Shell vulnerability in the open source React server and Next.js in IT environments has just become even more urgent, with reports that exploits are already in the wild.
Researchers at GreyNoise said today they are seeing “opportunistic, largely automated exploitation attempts” trying to take advantage of the unsafe deserialization vulnerability in React Server Components (RSC).
There’s an early focus on attacking just this vulnerability, the report adds, “but we’ve already detected a slow migration of this CVE being added to Mirai and other botnet exploitation kits.”
Praetorian cybersecurity rating report: https://www.rankiteo.com/company/praetorian
{
    "id": "PRA1764979396",
    "linkid": "praetorian",
    "type": "Vulnerability",
    "date": "12/2025",
    "severity": "100",
    "impact": "5",
    "explanation": "Attack threatening the organization's existence"
}
{'incident': {
    'affected_entities': [
        {
            'customers_affected': None,
            'industry': 'Technology, Web Development',
            'location': None,
            'name': None,
            'size': None,
            'type': 'IT Environments'
        }
    ],
    'attack_vector': 'Unsafe Deserialization',
    'data_breach': {
        'data_encryption': None,
        'data_exfiltration': None,
        'file_types_exposed': None,
        'number_of_records_exposed': None,
        'personally_identifiable_information': None,
        'sensitivity_of_data': None,
        'type_of_data_compromised': None
    },
    'description': 'Exploits targeting the React2Shell vulnerability in open-source React server and Next.js environments are being observed in the wild. Researchers at Greynoise reported opportunistic, automated exploitation attempts leveraging the unsafe deserialization vulnerability in React Server Components (RSC). The vulnerability is also being integrated into Mirai and other botnet exploitation kits.',
    'impact': {
        'brand_reputation_impact': None,
        'conversion_rate_impact': None,
        'customer_complaints': None,
        'data_compromised': None,
        'downtime': None,
        'financial_loss': None,
        'identity_theft_risk': None,
        'legal_liabilities': None,
        'operational_impact': None,
        'payment_information_risk': None,
        'revenue_loss': None,
        'systems_affected': 'React Server Components, Next.js environments'
    },
    'initial_access_broker': {
        'backdoors_established': None,
        'data_sold_on_dark_web': None,
        'entry_point': None,
        'high_value_targets': None,
        'reconnaissance_period': None
    },
    'investigation_status': 'Ongoing',
    'motivation': 'Opportunistic exploitation, botnet recruitment',
    'post_incident_analysis': {
        'corrective_actions': 'Apply security patches for React and Next.js, enhance monitoring for exploitation attempts',
        'root_causes': 'Unsafe deserialization vulnerability in React Server Components (RSC)'
    },
    'ransomware': {
        'data_encryption': None,
        'data_exfiltration': None,
        'ransom_demanded': None,
        'ransom_paid': None,
        'ransomware_strain': None
    },
    'recommendations': 'Urgent patching of React Server Components and Next.js to mitigate React2Shell vulnerability. Monitor for signs of botnet integration or automated exploitation attempts.',
    'references': [
        {
            'date_accessed': None,
            'source': 'Greynoise',
            'url': None
        }
    ],
    'regulatory_compliance': {
        'fines_imposed': None,
        'legal_actions': None,
        'regulations_violated': None,
        'regulatory_notifications': None
    },
    'response': {
        'adaptive_behavioral_waf': None,
        'communication_strategy': None,
        'containment_measures': None,
        'enhanced_monitoring': None,
        'incident_response_plan_activated': None,
        'law_enforcement_notified': None,
        'network_segmentation': None,
        'on_demand_scrubbing_services': None,
        'recovery_measures': None,
        'remediation_measures': 'Patch React Server Components and Next.js',
        'third_party_assistance': None
    },
    'threat_actor': 'Automated attackers, Mirai botnet operators',
    'title': 'React2Shell Vulnerability Exploitation in React Server and Next.js',
    'type': 'Vulnerability Exploitation',
    'vulnerability_exploited': 'React2Shell (CVE not specified)'
}}