React2Shell under attack: RondoDox Botnet spreads through critical flaw
Key Findings: The RondoDox botnet has been conducting a persistent nine-month campaign targeting IoT devices and web applications. The botnet has been exploiting the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability in Next.js and React Server Components (RSC) to achieve remote code execution on susceptible devices. There are about 90,300 instances that remain vulnerable to React2Shell globally, with the majority (68,400) located in the U.S. The R
Jan 2 · 2 min read
React2Shell Vulnerability Exploited by RondoDox Botnet for Malware and Cryptojacking Attacks
Key Findings: The RondoDox botnet is exploiting the critical React2Shell vulnerability (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. The RondoDox botnet has been active since 2024 and has evolved through three phases: reconnaissance and vulnerability testing, automated web application exploitation, and large-scale IoT botnet deployment. The botnet now runs hourly IoT exploitation waves targeting routers from vendors like Linksys and Wavli
Jan 1 · 2 min read
React2Shell: Widespread Exploitation of Max-Score RCE (CVSS 10.0) by Espionage Groups and Miners
Key Findings: React2Shell (CVE-2025-55182), a critical vulnerability in React Server Components, was disclosed on December 3, 2025, carrying a maximum CVSS score of 10.0 and enabling unauthenticated remote code execution. Shortly after disclosure, the Google Threat Intelligence Group (GTIG) observed widespread exploitation across various threat actor groups, ranging from opportunistic cybercriminals to suspected espionage groups. Several distinct campaigns were identified, inc
Dec 13, 2025 · 2 min read
Exploitation of React2Shell Continues to Deliver Crypto Miners and New Malware Across Multiple Sectors
Key Findings: The React2Shell vulnerability (CVE-2025-55182) in React version 19 and React Server Components (RSC) is being heavily exploited by threat actors. Exploitation attempts have been observed targeting a wide range of sectors, particularly the construction and entertainment industries. Attackers are leveraging the vulnerability to deliver cryptocurrency miners and a variety of previously undocumented malware, including: PeerBlight Linux backdoor, CowTunnel reverse proxy tunnel, Z
Dec 11, 2025 · 2 min read
North Korea-linked Actors Deploy New EtherRAT Malware via React2Shell Exploit
Key Findings: North Korea-linked threat actors are exploiting the critical React2Shell vulnerability (CVE-2025-55182) to deploy a previously unknown remote access trojan (RAT) dubbed EtherRAT. EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org. The activity exhibits significant overlap with a long-running campaign codenamed "Contagious In
Dec 10, 2025 · 2 min read

