{"id":31207,"date":"2025-12-15T15:45:16","date_gmt":"2025-12-15T15:45:16","guid":{"rendered":"http:\/\/localhost\/?p=31207"},"modified":"2025-12-15T15:45:16","modified_gmt":"2025-12-15T15:45:16","slug":"defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=31207","title":{"rendered":"Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components_MSSECURE:3490E78725A996787146B5ED05CB3C9B"},"content":{"rendered":"<p>{\"lastseen\":\"2025-12-15T21:23:16\",\"description\":\"CVE-2025-55182 (also referred to as React2Shell; CVE-2025-66478 was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, this vulnerability could allow attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request.\\n\\nExploitation activity related to this vulnerability was detected as early as December 5, 2025. Most successful exploits originated from red team assessments; however, we also observed real-world exploitation attempts by threat actors delivering multiple subsequent payloads, the majority of which are coin miners. Both Windows and Linux environments have been observed to be impacted.\\n\\nThe React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than in the browser. It uses the Flight protocol to communicate between client and server. When a client requests data, the server receives a payload, parses it, executes server-side logic, and returns a serialized component tree. The vulnerability exists because affected React Server Components versions fail to validate incoming payloads. 
This could allow attackers to inject malicious structures that React accepts as valid, leading to prototype pollution and remote code execution.\\n\\nThis vulnerability presents a significant risk because of the following factors:\\n\\n  * Default configurations are vulnerable, requiring no special setup or developer error.\\n  * Public proof-of-concept exploits are readily available with near-100% reliability.\\n  * Exploitation can happen without any user authentication since this is a pre-authentication vulnerability.\\n  * The vulnerability could be exploited using a single malicious HTTP request.\\n\\n\\n\\nIn this report, Microsoft Defender researchers share insights from observed attacker activity exploiting this vulnerability. Detailed analyses, detection insights, mitigation recommendations, and hunting guidance are covered in the following sections. Further investigation toward stronger protection measures is in progress, and this report will be updated when more information becomes available.\\n\\n## Analyzing CVE-2025-55182 exploitation activity\\n\\nReact is widely adopted in enterprise environments. In Microsoft Defender telemetry, we see tens of thousands of distinct devices across several thousand organizations running React or React-based applications. Some of the vulnerable applications are deployed inside containers, and the impact on the underlying host depends on the security configuration of the container.\\n\\nWe identified several hundred machines across a diverse set of organizations compromised using common tactics, techniques, and procedures (TTPs) observed with web application RCE. To exploit CVE-2025-55182, an attacker sends a crafted input, in the form of a POST request, to a web application running React Server Components functions. This input is then processed as a serialized object and passed to the backend server, where it is deserialized. 
Because the components trust one another by default, the backend deserializes the attacker-provided input and runs attacker-provided code under the Node.js runtime.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure1-attack-chain.webp)Figure 1: Attack diagram depicting activity leading to action on objectives\\n\\nPost-exploitation, attackers were observed running arbitrary commands, such as reverse shells to known Cobalt Strike servers. To achieve persistence, attackers added new malicious users, used remote monitoring and management (RMM) tools such as MeshAgent, modified the _authorized_keys_ file, and enabled root login. To evade security defenses, the attackers downloaded payloads from attacker-controlled Cloudflare Tunnel endpoints (for example, _*.trycloudflare.com_) and used bind mounts to hide malicious processes and artifacts from system monitoring tools.\\n\\nThe malware payloads seen in campaigns investigated by Microsoft Defender range from remote access trojans (RATs) such as VShell and EtherRAT, the SNOWLIGHT memory-based malware downloader (which enabled attackers to deploy further payloads to target environments), and ShadowPAD, to XMRig cryptominers. The attacks proceeded by enumerating system details and environment variables to enable lateral movement and credential theft.\\n\\nTargeted credentials included the Instance Metadata Service (IMDS) endpoints of Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud, which attackers queried to acquire identity tokens that could be used to move laterally to other cloud resources. Attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts, to extract a range of secrets. Attempts to harvest AI and cloud-native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service-account credentials, were also observed. 
Azure Command-Line Interface (CLI) (az) and Azure Developer CLI (azd) were also used to obtain tokens.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure-2.webp)Figure 2: Example of reverse shell observed in one of the campaigns\\n\\n## Mitigation and protection guidance\\n\\nMicrosoft recommends that customers act on the following mitigation guidance:\\n\\n**Manual identification guidance**\\n\\nUntil full in-product coverage is available, you can manually assess exposure on servers or containers:\\n\\n  1. Navigate to your project directory and open the _node_modules_ folder.\\n  2. Review installed packages and look for: \\n     * react-server-dom-webpack\\n     * react-server-dom-parcel\\n     * react-server-dom-turbopack\\n     * next\\n  3. Validate versions against the known affected range: \\n     * React: 19.0.0, 19.1.0, 19.1.1, 19.2.0\\n     * Next.js: 15.0.0 \u2013 15.0.4, 15.1.0 \u2013 15.1.8, 15.2.0 \u2013 15.2.5, 15.3.0 \u2013 15.3.5, 15.4.0 \u2013 15.4.7, 15.5.0 \u2013 15.5.6, 16.0.0 \u2013 16.0.6, 14.3.0-canary.77 and later canary releases\\n  4. If any of these packages match the affected versions, remediation is required. Prioritize internet-facing assets first, especially those identified by Defender as externally exposed.\\n\\n\\n\\n**Mitigation best practices**\\n\\n  1. Patch immediately \\n     * React and Next.js have released fixes for the impacted packages. Upgrade to one of the following patched versions (or later within the same release line): \\n       * React: 19.0.1, 19.1.2, 19.2.1\\n       * Next.js: 5.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7\\n     * Because many frameworks and bundlers rely on these packages, make sure your framework-level updates also pull in the corrected dependencies.\\n  2. 
Prioritize exposed services \\n     * Patch all affected systems, starting with internet-facing workloads.\\n     * Use Microsoft Defender Vulnerability Management (MDVM) to surface vulnerable package inventory and to track remediation progress across your estate.\\n  3. Monitor for exploit activity \\n     * Review MDVM dashboards and Defender alerts for indicators of attempted exploitation.\\n     * Correlate endpoint, container, and cloud signals for higher-confidence triage.\\n     * Invoke your incident response process to address any suspicious activity stemming from this vulnerability.\\n  4. Add WAF protections where appropriate \\n     * Apply Azure Web Application Firewall (WAF) custom rules for Application Gateway and Application Gateway for Containers to help block exploit patterns while patching is in progress. Microsoft has published rule guidance and JSON examples in the Azure Network Security Blog, with ongoing updates as new attack permutations are identified.\\n\\n\\n\\n**Recommended customer action checklist**\\n\\n  * Identify affected React Server Components packages in your applications and images.\\n  * Upgrade to patched versions. Refer to the React page for patching guidance.\\n  * Prioritize internet-facing services for emergency change windows.\\n  * Enable and monitor Defender alerts tied to React Server Components exploitation attempts.\\n  * Apply Azure WAF custom rules as a compensating control where feasible.\\n  * Use MDVM to validate coverage and confirm risk reduction post-update.\\n\\n\\n\\nCVE-2025-55182 represents a high-impact, low-friction attack path against modern React Server Components deployments. Rapid patching combined with layered Defender monitoring and WAF protections provides the strongest short-term and long-term risk reduction strategy.\\n\\n## Microsoft Defender XDR detections \\n\\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. 
Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.\\n\\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\\n\\n**Tactic**  | **Observed activity**  | **Microsoft Defender coverage**    \\n---|---|---  \\nInitial Access \/Execution| Suspicious process launched by Node  | **Microsoft Defender for Endpoint**   \\n- Possible exploitation of React Server Components vulnerability (2 detectors)  \\n  \\n**Microsoft Defender Antivirus**   \\n- HackTool:Linux\/SuspNodeActivity.A   \\n- HackTool:Linux\/SuspNodeActivity.B   \\n- Behavior:Linux\/SuspNodeActivity.B   \\n- Trojan:JS\/CVE-2025-55182.A   \\n- Trojan:VBS\/CVE-2025-55182.DA!MTB  \\nExecution  | Execution of suspicious commands initiated by the _next-server_ parent process to probe for command execution capabilities.| **Microsoft Defender for Cloud**   \\n- Potential React2Shell command injection detected on a Kubernetes cluster   \\n- Potential React2Shell command injection detected on Azure App Service  \\n  \\n**Microsoft Defender for Endpoint**   \\n- Suspicious process executed by a network service   \\n- Suspicious Node.js script execution   \\n- Suspicious Node.js process behavior  \\n  \\nIn many cases, subsequent post-exploitation activity was detected and the following alerts were triggered on the victim devices. 
Note that these alerts can also be triggered by unrelated threat activity.\\n\\n**Tactic**  | **Observed activity**  | **Microsoft Defender coverage**    \\n---|---|---  \\nExecution| Suspicious downloads, encoded execution, anomalous service\/process creation, and behaviors indicative of a reverse shell and crypto-mining| **Microsoft Defender for Endpoint**   \\n- Suspicious PowerShell download or encoded command execution   \\n- Possible reverse shell   \\n- Suspicious service launched   \\n- Suspicious anonymous process created using memfd_create   \\n- Possible cryptocurrency miner  \\nDefense Evasion| Unauthorized code execution through process manipulation, abnormal DLL loading, and misuse of legitimate system tools| **Microsoft Defender for Endpoint**   \\n- A process was injected with potentially malicious code   \\n- An executable file loaded an unexpected DLL file   \\n- Use of living-off-the-land binary to run malicious code  \\nCredential Access  | Unauthorized use of Kerberos tickets to impersonate accounts and gain unauthorized access| **Microsoft Defender for Endpoint**   \\n- Pass-the-ticket attack  \\nCredential Access| Suspicious access to sensitive files such as cloud and Git credentials| **Microsoft Defender for Cloud**   \\n- Possible secret reconnaissance detected  \\nLateral movement| Attacker activity observed in multiple environments| **Microsoft Defender for Endpoint**   \\n- Hands-on-keyboard attack involving multiple devices  \\n  \\n### Automatic attack disruption through Microsoft Defender for Endpoint alerts\\n\\nTo better support customers in the event of exploitation, we are expanding our detection framework to identify and alert on CVE-2025-55182 activity across all operating systems for Microsoft Defender for Endpoint customers. 
These detections are integrated with automatic attack disruption.\\n\\nWhen these alerts, combined with other signals, provide high confidence of active attacker behavior, automatic attack disruption can initiate autonomous containment actions to help stop the attack and prevent further progression.\\n\\n### Microsoft Defender Vulnerability Management and Microsoft Defender for Cloud\\n\\nMicrosoft Defender for Cloud rolled out support to surface CVE-2025-55182 with agentless scanning across containers and cloud virtual machines (VMs). Follow the documentation on how to enable agentless scanning:\\n\\n  * Protect your servers with Defender for Servers\\n  * Defender for Containers Deployment Overview\\n\\n\\n\\nWe are currently expanding detection for this vulnerability in Microsoft Defender Vulnerability Management (MDVM) on Windows, Linux, and macOS devices. In parallel, we recommend that you upgrade affected React Server Components and Next.js packages immediately to patched versions to reduce risk.\\n\\nOnce detection is fully deployed, MDVM and Microsoft Defender for Cloud dashboards will surface:\\n\\n  * Identification of exposed assets in the organization\\n  * Clear remediation guidance tied to your affected assets and workloads\\n\\n\\n\\n### Microsoft Security Copilot\\n\\nSecurity Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:\\n\\n  * Incident investigation\\n  * Microsoft User analysis\\n  * Threat actor profile\\n  * Threat Intelligence 360 report based on MDTI article\\n  * Vulnerability impact assessment\\n\\n\\n\\nNote that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.\\n\\n### Threat intelligence reports\\n\\nMicrosoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires 
license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.\\n\\nMicrosoft Defender XDR threat analytics \\n\\n  * Vulnerability Profile: CVE-2025-55182 \u2013 React Server Components\\n\\n\\n\\nMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal, to get more information about this threat actor.\\n\\n## Hunting queries and recommendations\\n\\n### Microsoft Defender XDR\\n\\nMicrosoft Defender XDR customers can run the following queries to find related activity in their networks:\\n\\n**Detect potential React2Shell command injection attempts**\\n    \\n    \\n    CloudAuditEvents\\n    | where (ProcessCommandLine == \\\"\/bin\/sh -c (whoami)\\\" and (ParentProcessName == \\\"node\\\" or ParentProcessName has \\\"next-server\\\"))\\n            or (ProcessCommandLine has_any (\\\"echo\\\",\\\"powershell\\\") and ProcessCommandLine matches regex @'(echo\\\\s+\\\\$\\\\(\\\\(\\\\d+\\\\*\\\\d+\\\\)\\\\)|powershell\\\\s+-c\\\\s+\\\"\\\\d+\\\\*\\\\d+\\\")')\\n    | project Timestamp, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, FileName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName\\n    \\n\\n**Identify encoded PowerShell attempts**\\n    \\n    \\n    let lookback = 10d;\\n    DeviceProcessEvents\\n    | where Timestamp >= ago(lookback)\\n    | where InitiatingProcessParentFileName has \\\"node\\\"\\n   
 | where InitiatingProcessCommandLine has_any (\\\"next start\\\", \\\"next-server\\\") or ProcessCommandLine has_any (\\\"next start\\\", \\\"next-server\\\")\\n    | summarize make_set(InitiatingProcessCommandLine), make_set(ProcessCommandLine) by DeviceId, Timestamp\\n    \/\/ looking for PowerShell activity\\n    | where set_ProcessCommandLine has_any (\\\"cmd.exe\\\",\\\"powershell\\\")\\n    \/\/ decode the base64 blob that follows -EncodedCommand, -Enc, -enc or -ec\\n    | extend decoded_powershell_1 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],\\\"EncodedCommand \\\",1).[0]),'\\\"',0).[0]))),\\\"\\\\0\\\",\\\"\\\")\\n    | extend decoded_powershell_1b = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],\\\"Enc \\\",1).[0]),'\\\"',0).[0]))),\\\"\\\\0\\\",\\\"\\\")\\n    | extend decoded_powershell_2 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],\\\"enc \\\",1).[0]),'\\\"',0).[0]))),\\\"\\\\0\\\",\\\"\\\")\\n    | extend decoded_powershell_3 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],\\\"ec \\\",1).[0]),'\\\"',0).[0]))),\\\"\\\\0\\\",\\\"\\\")\\n    | where set_ProcessCommandLine !has \\\"'powershell -c \\\"\\n    \/\/ keep the first decoder variant that produced output\\n    | extend decoded_powershell = iff(isnotempty(decoded_powershell_1), decoded_powershell_1,\\n                                     iff(isnotempty(decoded_powershell_2), decoded_powershell_2,\\n                                         iff(isnotempty(decoded_powershell_3), decoded_powershell_3, decoded_powershell_1b)))\\n    | project-away decoded_powershell_1, decoded_powershell_1b, 
decoded_powershell_2, decoded_powershell_3\\n    | where isnotempty(decoded_powershell)\\n    \\n\\n**Identify execution of suspicious commands initiated by the _next-server_ parent process post-exploitation (Windows)**\\n    \\n    \\n    let lookback = 10d;\\n    DeviceProcessEvents\\n    | where Timestamp >= ago(lookback)\\n    | where InitiatingProcessFileName =~ \\\"node.exe\\\" and InitiatingProcessCommandLine has \\\".js\\\"\\n    | where FileName =~ \\\"cmd.exe\\\"\\n    | where (ProcessCommandLine has_any (@\\\"\\\\next\\\\\\\", @\\\"\\\\npm\\\\npm\\\\node_modules\\\\\\\", \\\"\\\\\\\\server.js\\\")\\n        and (ProcessCommandLine has_any (\\\"powershell -c \\\\\\\"\\\", \\\"curl\\\", \\\"wget\\\", \\\"echo $\\\", \\\"ipconfig\\\", \\\"start msiexec\\\", \\\"whoami\\\", \\\"systeminfo\\\", \\\"$env:USERPROFILE\\\", \\\"net user\\\", \\\"net group\\\", \\\"localgroup administrators\\\", \\\"-ssh\\\", \\\"set-MpPreference\\\", \\\"add-MpPreference\\\", \\\"rundll32\\\", \\\"certutil\\\", \\\"regsvr32\\\", \\\"bitsadmin\\\", \\\"mshta\\\", \\\"msbuild\\\")\\n             or (ProcessCommandLine has \\\"powershell\\\" and\\n                 (ProcessCommandLine has_any (\\\"Invoke-Expression\\\", \\\"DownloadString\\\", \\\"DownloadFile\\\", \\\"FromBase64String\\\", \\\"Start-Process\\\", \\\"System.IO.Compression\\\", \\\"System.IO.MemoryStream\\\", \\\"iex \\\", \\\"iex(\\\", \\\"Invoke-WebRequest\\\", \\\"iwr \\\", \\\".UploadFile\\\", \\\"System.Net.WebClient\\\")\\n                    or ProcessCommandLine matches regex 
@\\\"[-\/\u2013][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\\\\s[A-Za-z0-9+\/=]{15,}\\\"))))\\n       or ProcessCommandLine matches regex @'cmd\\\\.exe\\\\s+\/d\\\\s+\/s\\\\s+\/c\\\\s+\\\"powershell\\\\s+-c\\\\s+\\\"[0-9]+\\\\*[0-9]+\\\"\\\"'\\n    \\n\\n**Identify execution of suspicious commands initiated by the _next-server_ parent process post-exploitation (Linux)**\\n    \\n    \\n    let lookback = 10d;\\n    DeviceProcessEvents\\n    | where Timestamp >= ago(lookback)\\n    | where InitiatingProcessFileName == \\\"node\\\"\\n    | where InitiatingProcessCommandLine has_any (\\\" server.js\\\", \\\" start\\\", \\\"\/server.js\\\")\\n    | where ProcessCommandLine has_any (\\\"| sh\\\", \\\"openssl,\\\", \\\"\/dev\/tcp\/\\\", \\\"| bash\\\", \\\"|sh\\\", \\\"|bash\\\", \\\"bash,\\\", \\\"{sh,}\\\", \\\"SOCK_STREAM\\\", \\\"bash -i\\\", \\\"whoami\\\", \\\"| base64 -d\\\", \\\"chmod +x \/tmp\\\", \\\"chmod 777\\\")\\n    \/\/ exclude common developer tooling that legitimately spawns shells from node\\n    | where ProcessCommandLine !contains \\\"vscode\\\" and ProcessCommandLine !contains \\\"\/.claude\/\\\" and ProcessCommandLine !contains \\\"\/claude\\\"\\n    \\n\\nMicrosoft Defender XDR\u2019s **blast radius analysis** capability, incorporated into the incident investigation view, allows security teams to visualize and understand the business impact of a security compromise by showing potential propagation paths toward the organization\u2019s critical assets before it escalates into a full-blown incident. 
This capability merges pre-breach estate understanding with post-breach views, allowing security teams to map their interconnected assets, and highlights potential paths that teams can prioritize for remediation based on the criticality of assets and their interconnectivity with the compromised entities.\\n\\n### Microsoft Defender for Cloud\\n\\nMicrosoft Defender for Cloud customers can use security explorer templates to locate exposed containers running vulnerable container images and vulnerable virtual machines. Templates titled _Internet exposed containers running container images vulnerable to React2Shell vulnerability CVE-2025-55182_ and _Internet exposed virtual machines vulnerable to React2Shell vulnerability CVE-2025-55182_ have been added to the gallery.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure3.webp)Figure 3. Microsoft Defender for Cloud security explorer templates related to CVE-2025-55182\\n\\n### Microsoft Security Exposure Management\\n\\nMicrosoft Security Exposure Management\u2019s automated attack path analysis maps out potential threats by identifying exposed resources and tracing the routes an attacker might take to compromise critical assets. This analysis highlights vulnerable cloud compute resources, such as virtual machines and Kubernetes containers, that are susceptible to remote code execution vulnerabilities, including the React2Shell CVEs. It also outlines possible lateral movement steps an adversary might take within the environment. 
The attack paths are presented for all supported cloud environments, including Azure, AWS, and GCP.\\n\\nTo view these paths, filter the view in Microsoft Security Exposure Management by entry point type:\\n\\n  * Kubernetes container\\n  * Virtual Machine\\n  * AWS EC2 instance\\n  * GCP compute instance\\n\\n\\n\\nAlternatively, in Microsoft Defender for Cloud, customers can filter by titles such as:\\n\\n  * Internet exposed container with high severity vulnerabilities\\n  * Internet exposed Azure VM with RCE vulnerabilities\\n  * Internet exposed GCP compute instance with RCE vulnerabilities\\n  * Internet exposed AWS EC2 instance with RCE vulnerabilities\\n\\n\\n\\n### Microsoft Sentinel\\n\\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 
\\n\\n**Detect network IP and domain indicators of compromise using ASIM**\\n    \\n    \\n    \/\/ IP list and domain list - _Im_NetworkSession\\n    let lookback = 30d;\\n    let ioc_ip_addr = dynamic([\\\"194.69.203.32\\\", \\\"162.215.170.26\\\", \\\"216.158.232.43\\\", \\\"196.251.100.191\\\", \\\"46.36.37.85\\\", \\\"92.246.87.48\\\"]);\\n    let ioc_domains = dynamic([\\\"anywherehost.site\\\", \\\"xpertclient.net\\\", \\\"superminecraft.net.br\\\", \\\"overcome-pmc-conferencing-books.trycloudflare.com\\\", \\\"donaldjtrmp.anondns.net\\\", \\\"labubu.anondns.net\\\", \\\"krebsec.anondns.net\\\", \\\"hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com\\\", \\\"ghostbin.axel.org\\\", \\\"194.69.203.32:81\\\", \\\"194.69.203.32:81\\\", \\\"194.69.203.32:81\\\", \\\"162.215.170.26:3000\\\", \\\"216.158.232.43:12000\\\", \\\"overcome-pmc-conferencing-books.trycloudflare.com\\\", \\\"donaldjtrmp.anondns.net:1488\\\", \\\"labubu.anondns.net:1488\\\", \\\"krebsec.anondns.net:2316\/dong\\\", \\\"hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com\\\", \\\"ghostbin.axel.org\\\"]);\\n    _Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\\n    | where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)\\n    | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),\\n      EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\\n    \\n\\n**Detect Web Sessions IP and file hash indicators of compromise using ASIM**\\n    \\n    \\n    \/\/ IP list - _Im_WebSession\\n    let lookback = 30d;\\n    let ioc_ip_addr = dynamic([\\\"194.69.203.32\\\", \\\"162.215.170.26\\\", 
\\\"216.158.232.43\\\", \\\"196.251.100.191\\\", \\\"46.36.37.85\\\", \\\"92.246.87.48\\\"]);\\n    let ioc_sha_hashes = dynamic([\\\"c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c\\\", \\\"9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331\\\", \\\"b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f\\\", \\\"d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f\\\", \\\"d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a\\\", \\\"d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d\\\", \\\"b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8\\\", \\\"4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d\\\", \\\"f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b\\\", \\\"661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1\\\", \\\"876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13\\\", \\\"2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457\\\", \\\"f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7\\\", \\\"7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5\\\"]);\\n    _Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\\n    | where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)\\n    | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),\\n      EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\\n    \\n\\n**Detect domain and URL indicators of compromise using ASIM**\\n    \\n    \\n    \/\/ Domain list - _Im_WebSession\\n    let ioc_domains = dynamic([\\\"anywherehost.site\\\", \\\"xpertclient.net\\\", \\\"superminecraft.net.br\\\", 
\\\"overcome-pmc-conferencing-books.trycloudflare.com\\\", \\\"donaldjtrmp.anondns.net\\\", \\\"labubu.anondns.net\\\", \\\"krebsec.anondns.net\\\", \\\"hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com\\\", \\\"ghostbin.axel.org\\\", \\\"194.69.203.32:81\\\", \\\"194.69.203.32:81\\\", \\\"194.69.203.32:81\\\", \\\"162.215.170.26:3000\\\", \\\"216.158.232.43:12000\\\", \\\"overcome-pmc-conferencing-books.trycloudflare.com\\\", \\\"donaldjtrmp.anondns.net:1488\\\", \\\"labubu.anondns.net:1488\\\", \\\"krebsec.anondns.net:2316\/dong\\\", \\\"hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com\\\", \\\"ghostbin.axel.org\\\"]);\\n    _Im_WebSession (url_has_any = ioc_domains)\\n    \\n\\n**Detect file hash indicators of compromise using ASIM**\\n    \\n    \\n    \/\/ file hash list - imFileEvent\\n    let ioc_sha_hashes = dynamic([\\\"c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c\\\", \\\"9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331\\\", \\\"b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f\\\", \\\"d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f\\\", \\\"d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a\\\", \\\"d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d\\\", \\\"b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8\\\", \\\"4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d\\\", \\\"f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b\\\", \\\"661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1\\\", \\\"876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13\\\", 
\\\"2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457\\\", \\\"f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7\\\", \\\"7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5\\\"]);\\n    imFileEvent\\n    | where SrcFileSHA256 in (ioc_sha_hashes) or\\n    TargetFileSHA256 in (ioc_sha_hashes)\\n    \/\/ split DOMAIN\\\\user into its two parts\\n    | extend AccountName = tostring(split(User, @\\\"\\\\\\\")[1]), \\n      AccountNTDomain = tostring(split(User, @\\\"\\\\\\\")[0])\\n    | extend AlgorithmType = \\\"SHA256\\\"\\n    \\n\\n**Find use of reverse shells**\\n\\nThis query looks for potential reverse shell activity initiated by _cmd.exe_ or _PowerShell_. It matches the reverse shell used in this attack: reverse-shell-nishang.\\n\\n## Indicators of compromise\\n\\nThe list below is non-exhaustive and does not represent all indicators of compromise observed in the known campaigns:\\n\\n
\\n9dde35ba8e132ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083   \\n240afa3a6457f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b   \\n8e07beb854f77e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f   \\n244bf271d2e55cd737980322de37c2c2792154b4cf4e4893e9908c2819026e5f| SHA-256| Backdoor payload hashes  \\nhxxp:\/\/194[.]69[.]203[.]32:81\/hiddenbink\/colonna.arc   \\nhxxp:\/\/194[.]69[.]203[.]32:81\/hiddenbink\/colonna.i686   \\nhxxp:\/\/194[.]69[.]203[.]32:81\/hiddenbink\/react.sh   \\nhxxp:\/\/162[.]215[.]170[.]26:3000\/sex.sh   \\nhxxp:\/\/216[.]158[.]232[.]43:12000\/sex.sh   \\nhxxp:\/\/196[.]251[.]100[.]191\/no_killer\/Exodus.arm4   \\nhxxp:\/\/196[.]251[.]100[.]191\/no_killer\/Exodus.x86   \\nhxxp:\/\/196[.]251[.]100[.]191\/no_killer\/Exodus.x86_64   \\nhxxp:\/\/196[.]251[.]100[.]191\/update.sh   \\nhxxp:\/\/anywherehost[.]site\/xms\/k1.sh   \\nhxxp:\/\/anywherehost[.]site\/xms\/kill2.sh   \\nhxxps:\/\/overcome-pmc-conferencing-books[.]trycloudflare[.]com\/p.png   \\nhxxp:\/\/donaldjtrmp.anondns.net:1488\/labubu   \\nhxxp:\/\/labubu[.]anondns[.]net:1488\/dong   \\nhxxp:\/\/krebsec[.]anondns[.]net:2316\/dong   \\nhxxps:\/\/hybird-accesskey-staging-saas[.]s3[.]dualstack[.]ap-northeast-1[.]amazonaws[.]com\/agent   \\nhxxps:\/\/ghostbin[.]axel[.]org\/paste\/evwgo\/raw   \\nhxxp:\/\/xpertclient[.]net:3000\/sex.sh   \\nhxxp:\/\/superminecraft[.]net[.]br:3000\/sex.sh| URLs| Various payload download URLs  \\n194.69.203[.]32   \\n162.215.170[.]26   \\n216.158.232[.]43   \\n196.251.100[.]191   \\n46.36.37[.]85   \\n92.246.87[.]48| IP addresses| C2  \\nanywherehost[.]site   \\nxpertclient[.]net   \\nvps-zap812595-1[.]zap-srv[.]com   \\nsuperminecraft[.]net[.]br   \\novercome-pmc-conferencing-books[.]trycloudflare[.]com   \\ndonaldjtrmp[.]anondns[.]net   \\nlabubu[.]anondns[.]net   \\nkrebsec[.]anondns[.]net   \\nhybird-accesskey-staging-saas[.]s3[.]dualstack[.]ap-northeast-1[.]amazonaws[.]com   \\nghostbin[.]axel[.]org| Domains| C2  \\n  \\n## References\\n\\n  
* Critical Security Vulnerability in React Server Components \u2013 React\\n  * NVD &#8211; CVE-2025-55182\\n  * CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far\\n\\n\\n\\n## Learn more  \\n\\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.\\n\\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.\\n\\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.\\n\\nThe guidance provided in this blog post represents general best practices and is intended for informational purposes only. Customers remain responsible for evaluating and implementing security measures appropriate for their environments.\\n\\nThe post Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components appeared first on Microsoft Security Blog.&#8221;,&#8221;published&#8221;:&#8221;2025-12-15T19:35:00&#8243;,&#8221;modified&#8221;:&#8221;2025-12-15T19:35:00&#8243;,&#8221;type&#8221;:&#8221;mssecure&#8221;,&#8221;title&#8221;:&#8221;Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server 
Components&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MSSECURE:3490E78725A996787146B5ED05CB3C9B&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2025-55182&#8243;,&#8221;CVE-2025-66478&#8243;],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:10,&#8221;severity&#8221;:&#8221;CRITICAL&#8221;,&#8221;vector&#8221;:&#8221;CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H&#8221;,&#8221;version&#8221;:&#8221;3.1&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/12\/15\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,36,12,110,13,7,11,5],"class_list":["post-31207","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-mssecure","tag-news","tag-security","tag-tapic","tag-vulnerability"]}