React2Shell exploitation activity remains strong, with over 1.4 million attempts observed over the past week, GreyNoise reports.
A critical-severity vulnerability in version 19 of the open source JavaScript library React (React.js), React2Shell is tracked as CVE-2025-55182 (CVSS score of 10).
The issue can be exploited without authentication to achieve remote code execution (RCE) via a single HTTP POST request, and exploitation activity surged after a Metasploit module was published.
The bug is related to the decoding of payloads sent to React Server Function endpoints. Even applications without React Server Function endpoints may be vulnerable if they support React Server Components (RSC).
Exploitation of the flaw started roughly two days after public disclosure in early December, and both state-sponsored threat actors and cybercrime groups have been observed targeting it.
According to GreyNoise, over 1,000 IP addresses have been involved in React2Shell exploitation over the past week, but two of them were responsible for most of the observed activity.
The threat intelligence firm observed 488,342 attack sessions, representing 34% of the exploitation activity, originating from 193.142.147[.]209 and leading to the deployment of a reverse shell.
These attacks, GreyNoise says, were likely aimed at setting up interactive access to the vulnerable instances rather than automated data theft.
The second IP address that stood out, 87.121.84[.]24, was responsible for 311,484 attack sessions, representing 22% of the malicious activity.
Upon successful exploitation of React2Shell, these attacks resulted in the deployment of an XMRig cryptocurrency miner from one of two staging servers.
GreyNoise’s analysis revealed that one of these staging servers has been involved in malicious activities since at least 2020. Adjacent IP addresses are currently serving Mirai and Gafgyt payloads, the threat intelligence firm says.