- React2Shell (CVE-2025-55182) exploited to compromise hundreds of systems worldwide
- China-affiliated groups and North Korean actors are exploiting the bug for persistence, espionage, and cryptomining
- Patch immediately to React version 19.0.1, 19.1.2 or 19.2.1.
React2Shell, a critical-severity vulnerability in React Server Components (RSC), has already been used to compromise “several hundred machines across a variety of organizations”.
This is according to Microsoft, whose latest blog post discusses the vulnerability and how to defend against incoming attacks.
In early December, the React team published a security advisory detailing a pre-authentication bug affecting multiple versions of several packages that implement RSC. The bug, now dubbed “React2Shell”, is tracked as CVE-2025-55182 and carries a severity score of 10/10 (Critical).
Arbitrary commands, droppers and cryptominers
Given that React is one of the most popular JavaScript libraries, powering much of today’s Internet, researchers warned that exploitation was imminent and urged everyone to apply the patch without delay by updating to version 19.0.1, 19.1.2 or 19.2.1, depending on the release line in use.
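A defender's check for the patch status described above, as an added example that is not from the article, from Microsoft or from the React team: it scans an npm package-lock.json for React packages whose version falls below the fixed releases 19.0.1, 19.1.2 and 19.2.1 on their respective release lines. The package names in WATCHED and the sample lockfile are assumptions constructed for illustration; the React advisory is the authoritative source for affected packages.

```javascript
// Fixed versions per 19.x release line, as stated in the advisory coverage above.
const FIXED = { "19.0": [19, 0, 1], "19.1": [19, 1, 2], "19.2": [19, 2, 1] };

// ASSUMPTION: package names to inspect; verify against the React advisory.
const WATCHED = [
  "react", "react-dom", "react-server-dom-webpack",
  "react-server-dom-parcel", "react-server-dom-turbopack",
];

// Strict x.y.z parse. Pre-release/canary strings (e.g. "19.2.0-canary-...")
// are deliberately rejected so they get a manual review instead of a guess.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// "vulnerable" / "patched" for the 19.0-19.2 lines; other lines are
// "not-covered" by the version guidance on this page.
function classify(version) {
  const sv = parseSemver(version);
  if (!sv) return "unparsed";
  const fixed = FIXED[`${sv[0]}.${sv[1]}`];
  if (!fixed) return "not-covered";
  return compareSemver(sv, fixed) < 0 ? "vulnerable" : "patched";
}

// Walks the "packages" map of an npm lockfile (lockfileVersion 2/3),
// including nested node_modules paths, and reports watched packages.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!WATCHED.includes(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile for demonstration (not a real project's file).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "sample-app" },
  "node_modules/react": { version: "19.1.1" },
  "node_modules/react-dom": { version: "19.2.1" },
  "node_modules/legacy-ui/node_modules/react-server-dom-webpack": { version: "19.0.0" },
  "node_modules/lodash": { version: "4.17.21" },
} };
```

In a real repository, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and treat any "vulnerable" or "unparsed" finding as requiring action.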
Now, Microsoft says those warnings have come true, as numerous threat actors have exploited the flaw to run arbitrary commands, drop malware and move laterally through target infrastructure, blending in with legitimate traffic.
Redmond also emphasized that the number of attacks increased after the React team publicly disclosed the flaw, as more threat actors moved to deploy in-memory downloaders and cryptominers.
Two weeks ago, Amazon Web Services (AWS) reported that two China-linked groups, Earth Lamia and Jackpot Panda, have been seen using the flaw to target organizations in different verticals.
Targets are located all over the world, from Latin America to the Middle East and Southeast Asia. Financial services, logistics, retail and IT companies, universities and government organizations are all being attacked, with the aim of establishing persistence and conducting cyber espionage.
Soon after, researchers also observed North Korean state-sponsored threat actors exploiting the flaw. The only difference is that the North Koreans are using it to deploy a new persistence mechanism, malware called EtherRAT. Compared to the tooling used by Earth Lamia and Jackpot Panda, EtherRAT is “far more sophisticated”: a persistent-access implant that combines techniques from at least three documented campaigns.
Via The Register