React2Shell: Widespread Exploitation of Max-Score RCE (CVSS 10.0) by Espionage Groups and Miners

  • Dec 13, 2025

Key Findings


  • React2Shell (CVE-2025-55182), a critical vulnerability in React Server Components, was disclosed on December 3, 2025, carrying a maximum CVSS score of 10.0 and enabling unauthenticated remote code execution.

  • Shortly after disclosure, the Google Threat Intelligence Group (GTIG) observed widespread exploitation across various threat actor groups, ranging from opportunistic cybercriminals to suspected espionage groups.

  • Several distinct campaigns were identified, including:

      • The Tunnelers (UNC6600) deploying the MINOCAT tunneler

      • The "Legitimate" C2 (UNC6603) utilizing the HISONIC backdoor and legitimate cloud services for command and control

      • The Masqueraders (UNC6595) using ANGRYREBEL.LINUX malware disguised as the OpenSSH daemon

      • The Vim Impostor (UNC6588) distributing the COMPOOD backdoor masquerading as the Vim text editor
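As an added defensive example (not code from the original post or from the cited reports): the UNC6595 and UNC6588 campaigns above depend on a process looking like sshd or vim, so one host-level check is to ignore the name a process reports and instead compare its /proc/<pid>/exe target with the path the distribution package installs. The expected paths below are assumptions for a typical Debian/RHEL layout, and the sample process list is constructed.

```python
import os
from pathlib import Path

# Assumed package-installed locations for the binaries the campaigns impersonate.
# Adjust for your distribution; the check flags anything outside this set.
EXPECTED_PATHS = {
    "sshd": {"/usr/sbin/sshd"},
    "vim": {"/usr/bin/vim", "/usr/bin/vim.basic", "/usr/bin/vim.tiny"},
}


def classify(proc_name, exe_path, expected=EXPECTED_PATHS):
    """Return a finding string for a watched process name running from an
    unexpected location, or None when the process looks legitimate."""
    base = os.path.basename(proc_name)
    if base not in expected:
        return None
    # A readlink target ending in " (deleted)" means the binary was removed
    # from disk after launch, a common trait of dropped implants.
    if exe_path.endswith(" (deleted)"):
        return f"{base}: binary deleted from disk after launch ({exe_path})"
    if exe_path in expected[base]:
        return None
    return f"{base}: running from unexpected path {exe_path}"


def check_processes(procs, expected=EXPECTED_PATHS):
    """procs is an iterable of (pid, comm, exe_target); returns (pid, finding) pairs."""
    return [(pid, f) for pid, name, exe in procs
            if (f := classify(name, exe, expected)) is not None]


def live_processes(proc_root="/proc"):
    """Yield (pid, comm, exe_target) for every readable process on a Linux host.
    comm can be changed by the process itself, which is why the exe link is
    what the check actually trusts."""
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            exe = os.readlink(entry / "exe")
        except OSError:
            continue  # kernel threads, exited processes, or no privilege to read
        yield int(entry.name), comm, exe


# Constructed sample mirroring the two masquerading campaigns on this page.
SAMPLE_PROCESSES = [
    (412, "sshd", "/usr/sbin/sshd"),
    (9031, "sshd", "/var/tmp/.cache/sshd"),
    (9044, "vim", "/dev/shm/vim (deleted)"),
    (1200, "bash", "/usr/bin/bash"),
]

if __name__ == "__main__":
    for pid, finding in check_processes(live_processes()):
        print(pid, finding)
```

Run as root so /proc/<pid>/exe is readable for every process; unprivileged runs silently skip processes they cannot inspect.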


Background


The disclosure of CVE-2025-55182, known as React2Shell, has triggered a chaotic response in the cybersecurity landscape. React is one of the world's most popular web development frameworks, and its widespread adoption, together with Next.js, has created a massive attack surface for this critical vulnerability.


Rapid Weaponization by China-Nexus Groups


Within hours of the public disclosure, China-nexus threat actors were observed actively exploiting the vulnerability. AWS detected exploitation attempts from groups like Earth Lamia and Jackpot Panda, targeting organizations across Latin America, the MENA region, and Southeast Asia.


Widespread Exploitation and Misinformation


The chaos was further compounded by a flood of misinformation, with the internet initially awash with fake exploits. One prominent repository falsely claimed to host a legitimate, functional exploit, only to later update its README to acknowledge that the claims were AI-generated and the code non-functional.


Ongoing Patching Efforts and Related Vulnerabilities


Organizations are urged to patch immediately, not just for the primary RCE flaw, but also for several follow-on vulnerabilities discovered in the aftermath. The rapid weaponization of this vulnerability highlights the need for robust vulnerability management and prompt patching to mitigate the risks posed by such critical flaws.


Sources


  • https://securityonline.info/react2shell-max-score-rce-cvss-10-0-triggers-widespread-exploitation-by-espionage-groups-miners/

  • https://cyble.com/blog/react2shell-cve-2025-55182-rapid-exploitation/

© 2025 by Explain IT Again.