{“lastseen”:”2025-12-11T08:05:12″,”description”:”\\n\\nOn December 4, 2025, researchers published details on the critical vulnerability CVE-2025-55182, which received a CVSS score of 10.0. It has been unofficially dubbed React4Shell, as it affects React Server Components (RSC) functionality used in web applications built with the React library. RSC speeds up UI rendering by distributing tasks between the client and the server. The flaw is categorized as CWE-502 (Deserialization of Untrusted Data). It allows an attacker to execute commands, as well as read and write files in directories accessible to the web application, with the server process privileges.\\n\\nAlmost immediately after the exploit was published, our honeypots began registering attempts to leverage CVE-2025-55182. This post analyzes the attack patterns, the malware that threat actors are attempting to deliver to vulnerable devices, and shares recommendations for risk mitigation.\\n\\n## A brief technical analysis of the vulnerability\\n\\nReact applications are built on a component-based model. This means each part of the application or framework should operate independently and offer other components clear, simple methods for interaction. While this approach allows for flexible development and feature addition, it can require users to download large amounts of data, leading to inconsistent performance across devices. This is the challenge React Server Components were designed to address.\\n\\nThe vulnerability was found within the Server Actions component of RSC. To reach the vulnerable function, the attacker just needs to send a POST request to the server containing a serialized data payload for execution. Part of the functionality of the handler that allows for unsafe deserialization is illustrated below:\\n\\n\\n\\nA comparison of the vulnerable (left) and patched (right) functions\\n\\n## CVE-2025-55182 on Kaspersky honeypots\\n\\nAs the vulnerability is rather simple to exploit, the attackers quickly added it to their arsenal. The initial exploitation attempts were registered by Kaspersky honeypots on December 5. By Monday, December 8, the number of attempts had increased significantly and continues to rise.\\n\\n_The number of CVE-2025-55182 attacks targeting Kaspersky honeypots, by day (download)_\\n\\nAttackers first probe their target to ensure it is not a honeypot: they run whoami, perform multiplication in bash, or compute MD5 or Base64 hashes of random strings to verify their code can execute on the targeted machine.\\n\\n\\n\\nIn most cases, they then attempt to download malicious files using command-line web clients like wget or curl. Additionally, some attackers deliver a PowerShell-based Windows payload that installs XMRig, a popular Monero crypto miner.\\n\\nCVE-2025-55182 was quickly weaponized by numerous malware campaigns, ranging from classic Mirai\/Gafgyt variants to crypto miners and the RondoDox botnet. Upon infecting a system, RondoDox wastes no time, its loader script immediately moving to eliminate competitors:\\n\\n\\n\\nBeyond checking hardcoded paths, RondoDox also neutralizes AppArmor and SELinux security modules and employs more sophisticated methods to find and terminate processes with ELF files removed for disguise.\\n\\n\\n\\nOnly after completing these steps does the script download and execute the main payload by sequentially trying three different loaders: wget, curl, and wget from BusyBox. It also iterates through 18 different malware builds for various CPU architectures, enabling it to infect both IoT devices and standard x86_64 Linux servers.\\n\\nIn some attacks, instead of deploying malware, the adversary attempted to steal credentials for Git and cloud environments. A successful breach could lead to cloud infrastructure compromise, software supply chain attacks, and other severe consequences.\\n\\n\\n\\n## Risk mitigation measures\\n\\nWe strongly recommend updating the relevant packages by applying patches released by the developers of the corresponding modules and bundles. \\nVulnerable versions of React Server Components:\\n\\n * react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, 19.2.0)\\n * react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, 19.2.0)\\n * react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, 19.2.0)\\n\\n\\n\\nBundles and modules confirmed as using React Server Components:\\n\\n * next\\n * react-router\\n * waku\\n * @parcel\/rsc\\n * @vitejs\/plugin-rsc\\n * rwsdk\\n\\n\\n\\nTo prevent exploitation while patches are being deployed, consider blocking all POST requests containing the following keywords in parameters or the request body:\\n\\n * #constructor\\n * #__proto__\\n * #prototype\\n * vm#runInThisContext\\n * vm#runInNewContext\\n * child_process#execSync\\n * child_process#execFileSync\\n * child_process#spawnSync\\n * module#_load\\n * module#createRequire\\n * fs#readFileSync\\n * fs#writeFileSync\\n * s#appendFileSync\\n\\n\\n\\n## Conclusion\\n\\nDue to the ease of exploitation and the public availability of a working PoC, threat actors have rapidly adopted CVE-2025-55182. It is highly likely that attacks will continue to grow in the near term.\\n\\nWe recommend immediately updating React to the latest patched version, scanning vulnerable hosts for signs of malware, and changing any credentials stored on them.\\n\\n## Indicators of compromise\\n\\n**Malware URLs** \\nhxxp:\/\/172.237.55.180\/b \\nhxxp:\/\/172.237.55.180\/c \\nhxxp:\/\/176.117.107.154\/bot \\nhxxp:\/\/193.34.213.150\/nuts\/bolts \\nhxxp:\/\/193.34.213.150\/nuts\/x86 \\nhxxp:\/\/23.132.164.54\/bot \\nhxxp:\/\/31.56.27.76\/n2\/x86 \\nhxxp:\/\/31.56.27.97\/scripts\/4thepool_miner[.]sh \\nhxxp:\/\/41.231.37.153\/rondo[.]aqu[.]sh \\nhxxp:\/\/41.231.37.153\/rondo[.]arc700 \\nhxxp:\/\/41.231.37.153\/rondo[.]armeb \\nhxxp:\/\/41.231.37.153\/rondo[.]armebhf \\nhxxp:\/\/41.231.37.153\/rondo[.]armv4l \\nhxxp:\/\/41.231.37.153\/rondo[.]armv5l \\nhxxp:\/\/41.231.37.153\/rondo[.]armv6l \\nhxxp:\/\/41.231.37.153\/rondo[.]armv7l \\nhxxp:\/\/41.231.37.153\/rondo[.]i486 \\nhxxp:\/\/41.231.37.153\/rondo[.]i586 \\nhxxp:\/\/41.231.37.153\/rondo[.]i686 \\nhxxp:\/\/41.231.37.153\/rondo[.]m68k \\nhxxp:\/\/41.231.37.153\/rondo[.]mips \\nhxxp:\/\/41.231.37.153\/rondo[.]mipsel \\nhxxp:\/\/41.231.37.153\/rondo[.]powerpc \\nhxxp:\/\/41.231.37.153\/rondo[.]powerpc-440fp \\nhxxp:\/\/41.231.37.153\/rondo[.]sh4 \\nhxxp:\/\/41.231.37.153\/rondo[.]sparc \\nhxxp:\/\/41.231.37.153\/rondo[.]x86_64 \\nhxxp:\/\/51.81.104.115\/nuts\/bolts \\nhxxp:\/\/51.81.104.115\/nuts\/x86 \\nhxxp:\/\/51.91.77.94:13339\/termite\/51.91.77.94:13337 \\nhxxp:\/\/59.7.217.245:7070\/app2 \\nhxxp:\/\/59.7.217.245:7070\/c[.]sh \\nhxxp:\/\/68.142.129.4:8277\/download\/c[.]sh \\nhxxp:\/\/89.144.31.18\/nuts\/bolts \\nhxxp:\/\/89.144.31.18\/nuts\/x86 \\nhxxp:\/\/gfxnick.emerald.usbx[.]me\/bot \\nhxxp:\/\/meomeoli.mooo[.]com:8820\/CLoadPXP\/lix.exe?pass=PXPa9682775lckbitXPRopGIXPIL \\nhxxps:\/\/api.hellknight[.]xyz\/js \\nhxxps:\/\/gist.githubusercontent[.]com\/demonic-agents\/39e943f4de855e2aef12f34324cbf150\/raw\/e767e1cef1c35738689ba4df9c6f7f29a6afba1a\/setup_c3pool_miner[.]sh\\n\\n**MD5 hashes** \\n0450fe19cfb91660e9874c0ce7a121e0 \\n3ba4d5e0cf0557f03ee5a97a2de56511 \\n622f904bb82c8118da2966a957526a2b \\n791f123b3aaff1b92873bd4b7a969387 \\nc6381ebf8f0349b8d47c5e623bbcef6b \\ne82057e481a2d07b177d9d94463a7441″,”published”:”2025-12-11T07:30:41″,”modified”:”2025-12-11T07:30:41″,”type”:”securelist”,”title”:”It didn\u2019t take long: CVE-2025-55182 is now under active exploitation”,”source”:””,”references”:””,”id”:”SECURELIST:97FECE316FC7E8D2DA2CD4A5C40DF5A6″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2025-55182″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/securelist.com\/cve-2025-55182-exploitation\/118331\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-11T08:05:12″,”description”:”\\n\\nOn December 4, 2025, researchers published details on the critical vulnerability CVE-2025-55182, which received a CVSS score of 10.0. It has been unofficially dubbed React4Shell,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,36,12,13,136,7,11,5],"class_list":["post-30335","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-securelist","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n