Cryptominers, Reverse Shells Dropped in Recent React2Shell Attacks

Two IP addresses accounted for the majority of the 1.4 million exploitation attempts observed over the past week.

React2Shell exploitation activity remains strong, with over 1.4 million attempts observed over the past week, GreyNoise reports.

A critical-severity vulnerability in version 19 of the open source JavaScript library React (React.js), React2Shell is tracked as CVE-2025-55182 (CVSS score of 10).

The issue can be exploited without authentication to achieve remote code execution (RCE) via a single HTTP POST request and the activity surrounding it surged after a Metasploit module was published.

The bug is related to the decoding of payloads sent to React Server Function endpoints. Even applications without React Server Function endpoints may be vulnerable if they support React Server Components (RSC).

Exploitation of the flaw started roughly two days after public disclosure in early December, and both state-sponsored threat actors and cybercrime groups have been observed targeting ...