{“lastseen”:”2025-12-12T08:49:04″,”description”:”\\n\\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent **React2Shell** vulnerability by December 12, 2025, amid reports of widespread exploitation.\\n\\nThe critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. It also affects other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK.\\n\\n\\”A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved,\\” Cloudforce One, Cloudflare’s threat intelligence team, said. \\”Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server.\\”\\n\\nSince its public disclosure on December 3, 2025, the shortcoming has been exploited by multiple threat actors in various campaigns to engage in reconnaissance efforts and deliver a wide range of malware families.\\n\\n\\n\\nThe development prompted CISA to add it to its Known Exploited Vulnerabilities catalog last Friday, giving federal agencies until December 26 to apply the fixes. The deadline has since been revised to December 12, 2025, an indication of the severity of the incident.\\n\\nCloud security company Wiz said it has observed a \\”rapid wave of opportunistic exploitation\\” of the flaw, with a vast majority of the attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services.\\n\\n \\n— \\nImage Source: Cloudflare \\n \\nCloudflare, which is also tracking ongoing exploitation activity, said threat actors have conducted searches using internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications. Notably, some of the reconnaissance efforts have excluded Chinese IP address spaces from their searches.\\n\\n\\”Their highest-density probing occurred against networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand \u2013 regions frequently associated with geopolitical intelligence collection priorities,\\” the web infrastructure company said.\\n\\nThe observed activity is also said to have targeted, albeit more selectively, government (.gov) websites, academic research institutions, and critical\u2011infrastructure operators. This included a national authority responsible for the import and export of uranium, rare metals, and nuclear fuel.\\n\\n\\n\\nSome of the other notable findings are listed below -\\n\\n * Prioritizing high\u2011sensitivity technology targets such as enterprise password managers and secure\u2011vault services, likely with the goal of perpetrating supply chain attacks\\n * Targeting edge\u2011facing SSL VPN appliances whose administrative interfaces may incorporate React-based components\\n * Early scanning and exploitation attempts originated from IP addresses previously associated with Asia-affiliated threat clusters\\n\\n\\n\\nIn its own analysis of honeypot data, Kaspersky said it recorded over 35,000 exploitation attempts on a single day on December 10, 2025, with the attackers first probing the system by running commands like whoami, before dropping cryptocurrency miners or botnet malware families like Mirai\/Gafgyt variants and RondoDox.\\n\\nSecurity researcher Rakesh Krishnan has also discovered an open directory hosted on \\”154.61.77[.]105:8082\\” that includes a proof-of-concept (PoC) exploit script for CVE-2025\u201355182 along with two other files -\\n\\n * \\”domains.txt,\\” which contains a list of 35,423 domains\\n * \\”next_target.txt,\\” which contains a list of 596 URLs, including companies like Dia Browser, Starbucks, Porsche, and Lululemon\\n\\n\\n\\n\\n\\nIt has been assessed that the unidentified threat actor is actively scanning the internet based on targets added to the second file, infecting hundreds of pages in the process.\\n\\nAccording to the latest data from The Shadowserver Foundation, there are more than 137,200 internet-exposed IP addresses running vulnerable code as of December 11, 2025. Of these, over 88,900 instances are located in the U.S., followed by Germany (10,900), France (5,500), and India (3,600).\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-12-12T08:41:00″,”modified”:”2025-12-12T08:41:38″,”type”:”thn”,”title”:”React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation”,”source”:””,”references”:””,”id”:”THN:8F8810B4A79A2F406B1EFC5A882B7701″,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[“CVE-2025-55182″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/12\/react2shell-exploitation-escalates-into.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-12T08:49:04″,”description”:”\\n\\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent **React2Shell** vulnerability by December 12, 2025, amid reports of…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,36,12,13,7,11,43,5],"class_list":["post-30762","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n