Exploitation of React2Shell Continues to Deliver Crypto Miners and New Malware Across Multiple Sectors

  • Dec 11, 2025

Key Findings

  • The React2Shell vulnerability (CVE-2025-55182) in React version 19 and React Server Components (RSC) is being heavily exploited by threat actors

  • Exploitation attempts have been observed targeting a wide range of sectors, particularly the construction and entertainment industries

  • Attackers are leveraging the vulnerability to deliver cryptocurrency miners and a variety of previously undocumented malware, including:

      ◦ PeerBlight, a Linux backdoor

      ◦ CowTunnel, a reverse proxy tunnel

      ◦ ZinFoq, a Go-based post-exploitation implant


Background


React is a popular open-source library for building user interfaces, used by millions of websites and online services. The React2Shell vulnerability specifically impacts React version 19 and instances that leverage the recently introduced React Server Components (RSC) feature.


Security researchers discovered the critical remote code execution vulnerability, tracked as CVE-2025-55182, in early December 2025. Patches were quickly released by Meta, the maintainer of React, but exploitation efforts began almost immediately.


Exploitation Trends


  • Threat actors have been aggressively scanning for and targeting vulnerable React instances, with over 77,000 IPs identified as hosting vulnerable setups

  • Cloud security firm Wiz reported that 39% of the cloud environments it monitors include vulnerable React or Next.js versions

  • Exploitation attempts have been observed across multiple sectors, but construction and entertainment industries have been prominently targeted


Malware Payloads


Threat actors are leveraging the React2Shell vulnerability to deliver a variety of malware, including:

  • PeerBlight Linux backdoor

      ◦ Communicates with a hard-coded C2 server and uses a domain generation algorithm (DGA) and the BitTorrent Distributed Hash Table (DHT) network as fallback mechanisms

      ◦ Capable of uploading, downloading and deleting files, spawning a reverse shell, modifying file permissions, running arbitrary binaries, and self-updating

  • CowTunnel reverse proxy tunnel

      ◦ Initiates outbound connections to attacker-controlled Fast Reverse Proxy (FRP) servers, bypassing firewalls

  • ZinFoq Go-based post-exploitation implant

      ◦ Supports a range of capabilities, including running commands, enumerating directories, downloading additional payloads, establishing reverse shells, and timestomping


The attackers have also been observed deploying cryptocurrency miners and other previously undocumented malware families on the compromised systems.


Attacker Tactics


  • Researchers assess that the threat actors are likely leveraging automated exploitation tooling, based on the consistent patterns observed across multiple endpoints

  • Attempts to deploy Linux-specific payloads on Windows endpoints suggest the automation does not differentiate between target operating systems

  • Attackers have been observed using publicly available tools to identify vulnerable Next.js instances before launching exploits


Sources


  • https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html

  • https://www.securityweek.com/exploitation-of-react2shell-surges/amp/

© 2025 by Explain IT Again. Powered and secured by Wix