- React2Shell (CVE-2025-55182) exploited to compromise hundreds of systems worldwide
- Groups linked to China and North Korea exploit vulnerability for persistence, espionage and cryptomining
- Patch immediately to React versions 19.0.1, 19.1.2, or 19.2.1.
React2Shell, a critical-severity vulnerability in React Server Components (RSC), has already been used to compromise “several hundred machines across a diverse set of organizations.”
This is according to Microsoft, whose latest blog post discusses the vulnerability and how to defend against incoming attacks.
In early December, the React team published a security advisory detailing a pre-authentication bug affecting several versions of several RSC-related packages. The bug, now named “React2Shell,” is tracked as CVE-2025-55182 and carries the maximum severity score of 10/10 (critical).
Arbitrary commands, droppers and cryptominers
Since React is one of the most popular JavaScript libraries, powering much of today’s web, researchers warned that exploitation was imminent and urged everyone to apply the patch without delay by updating to version 19.0.1, 19.1.2 or 19.2.1, depending on the 19.x release line in use.
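As an added example (not code from the article, Microsoft or the React team), the following Node.js script checks an npm package-lock.json for React 19.x packages that are still below the fixed releases named above, including nested copies pulled in by other dependencies. The package names it inspects and the constructed sample lockfile it falls back to are assumptions for illustration; take the authoritative list of affected packages from the React advisory for CVE-2025-55182.

```javascript
// Added example, not from the article or the React team: flag React 19.x
// packages in an npm lockfile that are still below the fixed versions the
// article names (19.0.1, 19.1.2, 19.2.1). Run as:
//   node check-react2shell.js path/to/package-lock.json
// With no argument it scans the constructed SAMPLE_LOCK below.

// Fixed release per 19.x line, as stated in the article.
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Assumption: package names to inspect. Replace with the affected-package
// list from the React advisory for CVE-2025-55182.
const PACKAGES_TO_CHECK = ["react", "react-dom", "react-server-dom-webpack"];

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// The fixed release required for `version`, or null when the article names
// no fix for that release line (a pre-19 version, or an unparsable one).
function requiredFix(version) {
  const p = parseSemver(version);
  return p ? (FIXED_BY_MINOR[`${p[0]}.${p[1]}`] ?? null) : null;
}

// "vulnerable": below the fix for its line; "fixed": at or above it;
// "not-covered": no fix listed for this line, so not known to be safe.
function versionStatus(version) {
  const fix = requiredFix(version);
  if (!fix) return "not-covered";
  return compareSemver(parseSemver(version), parseSemver(fix)) < 0 ? "vulnerable" : "fixed";
}

// Walk the "packages" map of a lockfileVersion 2/3 file (v1 lockfiles use a
// nested "dependencies" tree instead and are not handled here). Keys look
// like "node_modules/react" or "node_modules/x/node_modules/react" for nested
// duplicates, so the package name is the part after the last "node_modules/".
function scanLockfile(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // the root project itself
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!PACKAGES_TO_CHECK.includes(name) || !entry.version) continue;
    results.push({
      path,
      name,
      version: entry.version,
      status: versionStatus(entry.version),
      fix: requiredFix(entry.version),
    });
  }
  return results;
}

function vulnerablePackages(lock) {
  return scanLockfile(lock).filter((r) => r.status === "vulnerable");
}

// Prints one line per unpatched package and returns how many were found.
function report(lock) {
  const bad = vulnerablePackages(lock);
  for (const r of bad) {
    console.log(`VULNERABLE ${r.path} ${r.version} -> upgrade to ${r.fix}`);
  }
  return bad.length;
}

// Constructed sample lockfile (not a real project): a mix of patched,
// unpatched and nested copies.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-lib/node_modules/react": { version: "19.0.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

const lockPath = typeof process !== "undefined" ? process.argv[2] : undefined;
if (lockPath) {
  const lock = JSON.parse(require("fs").readFileSync(lockPath, "utf8"));
  process.exitCode = report(lock) > 0 ? 1 : 0;
} else {
  report(SAMPLE_LOCK);
}
```

The script deliberately distinguishes "not-covered" from "fixed": a version outside the 19.x lines the article lists is not proven safe by this check, it is simply outside what the named fixes cover, and a nested duplicate under another dependency is reported just like a top-level one, since that is where stale copies tend to hide.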
Now Microsoft says those warnings have materialized: multiple threat actors have abused the flaw to execute arbitrary commands, drop malware and move laterally within target infrastructure, blending in with legitimate traffic.
Redmond also noted that attack volume rose after the React team published the advisory, as more attackers stepped in to deploy in-memory downloaders and cryptominers.
Two weeks ago, Amazon Web Services (AWS) reported that two China-linked groups, Earth Lamia and Jackpot Panda, had been spotted using the bug to target organizations across different industries.
Targets are located all over the world, from Latin America to the Middle East and Southeast Asia. Financial services, logistics, retail, IT companies, universities and government organizations are all under attack, with the goal of establishing persistence and conducting cyberespionage.
Soon after, researchers also observed North Korean state-sponsored threat actors exploiting the same flaw, in their case to deploy a new persistence malware called EtherRAT. Compared with the Earth Lamia and Jackpot Panda activity, EtherRAT is “much more sophisticated”: a persistent-access implant that combines techniques from at least three documented campaigns.
Via The Register