
"Microsoft says attackers have already compromised 'several hundred machines across a diverse set of organizations' via the React2Shell flaw, using the access to execute code, deploy malware, and, in some cases, deliver ransomware. In a blog post this week, Redmond said attackers are actively exploiting CVE-2025-55182, better known as 'React2Shell', a critical flaw in React Server Components that can be abused to run arbitrary code on vulnerable servers."
"React2Shell first burst into the open earlier this month, when researchers warned the React Server Components bug could be exploited to execute attacker-controlled code. The bug was quickly chained to other weaknesses and misconfigurations, with early campaigns linked to China- and Iran-nexus threat activity that probed exposed servers at scale. A separate wave of disclosures days later revealed additional 'SecretLeak' bugs in React tooling, further rattling developers who had only just begun to understand the blast radius of React2Shell."
"Microsoft's latest findings suggest exploitation attempts ramped up rapidly after public disclosure, with attackers using successful exploits to push malware - including memory-based downloaders and cryptominers - onto exposed JavaScript application backends. Other threat intelligence teams are seeing the same thing on the ground. Security firm S-RM said it has already responded to a real-world intrusion in which React2Shell was used as the initial access vector to breach a corporate network and deploy ransomware."
Attackers have exploited React2Shell (CVE-2025-55182) to compromise several hundred servers across diverse organizations, enabling arbitrary code execution on vulnerable React Server Components backends. Exploitation moved beyond proof-of-concept with confirmed compromises across multiple sectors and regions. Adversaries run commands, drop malware, and pivot deeper while blending malicious activity into legitimate application traffic. Early campaigns chained the bug to other weaknesses and misconfigurations, with activity linked to China- and Iran-nexus groups that probed exposed servers at scale. Attackers pushed memory-based downloaders, cryptominers, and other payloads onto JavaScript backends, and responders have observed intrusions where React2Shell served as initial access for ransomware.
Read at The Register