- React2Shell (CVE‑2025‑55182) exploited to compromise hundreds of systems worldwide
- China‑linked groups and North Korea abuse flaw for persistence, espionage, and cryptomining
- Patch immediately to React versions 19.0.1, 19.1.2, or 19.2.1.
React2Shell, a critical severity vulnerability in React Server Components (RCS), was already used to compromise “several hundred machines across a diverse set of organizations”.
This is according to Microsoft, whose latest blog post discusses the vulnerability and how to defend against incoming attacks.
In early December, the React team published a security advisory detailing a pre-authentication bug in multiple versions of multiple packs, affecting RCS. The bug, now dubbed “React2Shell”, is tracked as CVE-2025-55182, and is given a severity score of 10/10 (critical).
Arbitrary commands, droppers, and cryptominers
Given that React is one of the most popular JavaScript libraries out there, powering much of today’s internet, researchers warned that exploitation was imminent, urging everyone to apply the fix without delay and update their systems to versions 19.0.1, 19.1.2, and 19.2.1.
Now, Microsoft says these warnings have come true, as numerous threat actors have abused the flaw to run arbitrary commands, drop malware, and move laterally throughout the target infrastructure, successfully blending with other legitimate traffic.
Redmond also stressed that the number of attacks increased after React publicly disclosed the findings, as more threat actors moved in to deploy memory-based downloaders and cryptominers.
Two weeks ago, Amazon Web Services (AWS) reported that two China-linked groups, Earth Lamia and Jackpot Panda, have been seen using the bug to target organizations in different verticals.
Targets are located all over the world, from Latin America to the Middle East and Southeast Asia. Financial services firms, logistics, retail, IT companies, universities, and government organizations are all being attacked - with the goal of the attacks being establishing persistence and cyber-espionage.
Soon afterwards, researchers also observed North Korean state-sponsored threat actors doing the same. The only difference is that the North Koreans are using the flaw to deploy a novel persistence mechanism malware dubbed EtherRAT. Compared to what Earth Lamia and Jackpot Panda were doing, EtherRAT is “far more sophisticated”, representing a persistent access implant that combines the techniques from at least three documented campaigns.
Via The Register
➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.