Weaxor Ransomware Exploits React2Shell Vulnerability in Rapid Attacks
A ransomware gang leveraged the critical React2Shell vulnerability (CVE-2025-55182) to breach corporate networks and deploy Weaxor ransomware in under a minute. The flaw, an insecure deserialization issue in React Server Components (RSC) and Next.js, allows unauthenticated remote code execution on vulnerable servers.
Disclosed in early December 2025, React2Shell quickly became a target for both nation-state hackers, who deployed cyberespionage tools such as EtherRAT, and cybercriminals, who used it for cryptocurrency mining. On December 5, 2025, researchers at S-RM observed the Weaxor ransomware operation exploiting the vulnerability in a real-world intrusion.
Weaxor, a rebrand of the Mallox/FARGO ransomware (also tracked as TargetCompany) that has operated under its new name since 2024, is a low-complexity operation that opportunistically targets public-facing servers. Unlike more advanced ransomware groups, it does not exfiltrate data or use double-extortion tactics, relying on file encryption alone and demanding relatively modest ransoms.
The attack unfolded rapidly:
- Initial access via React2Shell was followed by an obfuscated PowerShell command deploying a Cobalt Strike beacon for command-and-control (C2).
- The threat actor disabled Windows Defender’s real-time protection before executing the ransomware payload.
- Encrypted files received the .WEAX extension, with ransom notes (RECOVERY INFORMATION.txt) left in affected directories.
- The attackers wiped volume shadow copies and cleared event logs to hinder recovery and forensic analysis.
Notably, the breach remained contained to the vulnerable endpoint, with no observed lateral movement. However, the same compromised host was later hit by additional attackers, underscoring that any unpatched, internet-facing React or Next.js server is being found and exploited by multiple actors, not just one.
S-RM researchers recommend monitoring for suspicious process creation, particularly cmd.exe or powershell.exe spawned from node.exe, as well as unusual outbound connections, disabled security tools, log clearing, and resource spikes. While patching is critical, it only closes the door to new exploitation: a Cobalt Strike beacon planted before the patch survives it. Defenders should therefore also review Windows event logs and EDR telemetry back to the disclosure date for signs that exploitation already occurred.
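The following is an added example, not code from S-RM or the original article, that turns the attack chain above and S-RM's monitoring recommendations into concrete triage rules. It runs over a constructed batch of process-creation events in a simplified Sysmon Event ID 1 / Security 4688 shape (the field names Host, ParentImage, Image and CommandLine, the hostnames, and the command lines are assumptions chosen to represent the described techniques, not telemetry from the incident). Each rule covers one stage: a shell spawned from node.exe, encoded PowerShell, Defender real-time protection being turned off, shadow copy deletion, and event log clearing; a final step flags hosts where several stages fire together, which is what distinguishes the chain from a single noisy admin command.

```python
"""Triage rules for the React2Shell -> Weaxor post-exploitation chain.

Added example, not S-RM's tooling. Events are dicts in a simplified
Sysmon Event ID 1 / Security 4688 shape; the sample below is constructed.
"""
import re

# Constructed sample events (assumption: field names follow Sysmon naming;
# command lines are representative of each technique, not from the incident).
SAMPLE_EVENTS = [
    # Benign: the web app's Node.js process launching its own worker
    {"Host": "web01", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" server.js'},
    # Initial access: node.exe spawning cmd.exe which runs encoded PowerShell
    {"Host": "web01", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc "
                    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Defender real-time protection disabled
    {"Host": "web01",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Volume shadow copies wiped
    {"Host": "web01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    # Event logs cleared
    {"Host": "web01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    # Benign admin activity on an unrelated host
    {"Host": "admin02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-MpComputerStatus"},
]

WEB_RUNTIMES = {"node.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shell_from_web_runtime(ev: dict) -> bool:
    """A web runtime should never need an interactive shell as a child."""
    return basename(ev["ParentImage"]) in WEB_RUNTIMES and basename(ev["Image"]) in SHELLS


def encoded_powershell(ev: dict) -> bool:
    """-e / -ec / -enc / -EncodedCommand followed by a base64 blob."""
    pattern = r"(?i)powershell.*\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    return re.search(pattern, ev["CommandLine"]) is not None


def defender_tamper(ev: dict) -> bool:
    """Set-MpPreference turning off real-time protection."""
    cl = ev["CommandLine"].lower()
    return "set-mppreference" in cl and "disablerealtimemonitoring" in cl


def shadow_copy_deletion(ev: dict) -> bool:
    """vssadmin or wmic removing volume shadow copies."""
    cl = ev["CommandLine"].lower()
    return ("vssadmin" in cl and "delete shadows" in cl) or \
           ("wmic" in cl and "shadowcopy delete" in cl)


def log_clearing(ev: dict) -> bool:
    """wevtutil cl <log> or the PowerShell Clear-EventLog cmdlet."""
    cl = ev["CommandLine"].lower()
    via_wevtutil = basename(ev["Image"]) == "wevtutil.exe" and re.search(r"\bcl\b", cl) is not None
    return via_wevtutil or "clear-eventlog" in cl


RULES = [
    ("shell_from_web_runtime", shell_from_web_runtime),
    ("encoded_powershell", encoded_powershell),
    ("defender_tamper", defender_tamper),
    ("shadow_copy_deletion", shadow_copy_deletion),
    ("log_clearing", log_clearing),
]


def evaluate(events: list) -> list:
    """Return (rule_name, host, command_line) for every rule each event matches."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["Host"], ev["CommandLine"]))
    return hits


def hosts_to_escalate(events: list, minimum_rules: int = 3) -> list:
    """Hosts on which at least `minimum_rules` distinct stages fired.

    One rule alone (e.g. an admin clearing a log) is worth a look; several
    distinct stages on one host is the chain described in the article.
    """
    per_host = {}
    for name, host, _ in evaluate(events):
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= minimum_rules)


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(" | ".join(hit))
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

On the sample, all five stages fire on web01 and nothing fires on admin02, so only web01 is escalated. The rules are deliberately narrow string and regex checks so they can be lifted into an EDR or SIEM query as they stand; in production the parent-process rule should also cover whatever other runtime hosts the React server (for example a container shim) and the thresholds should be tuned against a baseline of the web tier's normal process tree.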
S-RM cybersecurity rating report: https://www.rankiteo.com/company/s-rm
{
  "id": "S-R1765994181",
  "linkid": "s-rm",
  "type": "Ransomware",
  "date": "12/2025",
  "severity": "75",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [{"type": "Corporate"}],
  "attack_vector": "Insecure deserialization (React2Shell - CVE-2025-55182)",
  "data_breach": {"data_encryption": true},
  "date_detected": "2025-12-05",
  "description": "A ransomware gang exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to corporate networks and deployed the Weaxor ransomware strain within less than a minute. The attack involved disabling Windows Defender, deploying Cobalt Strike, and encrypting files without evidence of lateral movement or data exfiltration.",
  "impact": {
    "operational_impact": "File encryption, system disruption",
    "systems_affected": "Public-facing servers, vulnerable endpoints"
  },
  "initial_access_broker": {
    "backdoors_established": "Cobalt Strike beacon",
    "entry_point": "React2Shell vulnerability (CVE-2025-55182)"
  },
  "investigation_status": "Completed (by S-RM)",
  "lessons_learned": "Patching alone is insufficient; monitoring for unusual process creation (e.g., cmd.exe/powershell.exe from node.exe) and disabled security solutions is critical. React2Shell is actively exploited by multiple threat actors.",
  "motivation": "Financial gain",
  "post_incident_analysis": {
    "corrective_actions": [
      "Patch vulnerable systems",
      "Enhance monitoring for exploitation indicators",
      "Implement network segmentation and endpoint protection"
    ],
    "root_causes": "Exploitation of unpatched React2Shell vulnerability (CVE-2025-55182) in React Server Components (RSC) 'Flight' protocol"
  },
  "ransomware": {"data_encryption": true, "ransomware_strain": "Weaxor"},
  "recommendations": [
    "Review Windows event logs and EDR telemetry for evidence of React2Shell exploitation",
    "Investigate unusual outbound connections, disabled security solutions, log clearing, and resource spikes",
    "Monitor for process spawning of cmd.exe or powershell.exe from node.exe",
    "Apply patches for CVE-2025-55182 and implement additional security controls"
  ],
  "references": [{"source": "S-RM"}],
  "response": {
    "enhanced_monitoring": "Review of Windows event logs and EDR telemetry for process creation from Node/React binaries",
    "third_party_assistance": "S-RM (corporate intelligence and cybersecurity company)"
  },
  "threat_actor": "Weaxor ransomware gang (rebrand of Mallox/FARGO/TargetCompany)",
  "title": "Weaxor Ransomware Attack via React2Shell Vulnerability",
  "type": "Ransomware",
  "vulnerability_exploited": "CVE-2025-55182 (React2Shell)"
}