Security boffins warn flaw is now being used for ransomware attacks against live networks

Microsoft says attackers have already compromised "several hundred machines across a diverse set of organizations" via the React2Shell flaw, using the access to execute code, deploy malware, and, in some cases, deliver ransomware.

In a blog post this week, Redmond said attackers are actively exploiting CVE-2025-55182, better known as React2Shell, a critical flaw in React Server Components that can be abused to run arbitrary code on vulnerable servers.

According to Microsoft's threat intelligence team, exploitation has already spread well beyond the proof-of-concept stage, with hundreds of compromised systems confirmed across multiple sectors and regions.

The company said attackers are abusing the flaw to run arbitrary commands, drop malware, and pivot deeper into victim environments, often blending the activity into legitimate-looking application traffic.

React2Shell first burst into the open earlier this month, when researchers warned the React Server Components bug could be exploited to execute attacker-controlled code. The bug was ...