- React2Shell (CVE-2025-55182) was used to compromise hundreds of systems around the world.
- China-linked groups and North Korean state actors are abusing the flaw for persistence, espionage and cryptocurrency mining
- Update React to versions 19.0.1, 19.1.2, or 19.2.1 immediately.
React2Shell, a critical-severity vulnerability in React Server Components (RSC), has already been used to compromise “several hundred computers across multiple organizations.”
That is according to Microsoft, whose latest blog post discusses the vulnerability and how to protect against incoming attacks.
In early December, the React team published a security advisory detailing a pre-authentication remote code execution bug in multiple versions of several packages that implement RSC. The bug, since dubbed “React2Shell”, is tracked as CVE-2025-55182 and carries a CVSS severity of 10/10 (Critical).
Arbitrary commands, droppers and cryptominers
Given that React is one of the most popular JavaScript libraries, powering much of the modern web, the researchers warned that exploitation was imminent and urged everyone to apply the patch immediately by updating to version 19.0.1, 19.1.2 or 19.2.1, depending on the release line in use.
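The article's only concrete remediation is the version bump above, so the practical check is whether every installed copy of the affected packages is at or above the patched release for its 19.x line. The script below is an added example, not code from the article or from the React project. It walks the `packages` map of an npm lockfile (v2/v3 format) and flags copies that are still vulnerable, including duplicates nested under other dependencies, which `npm ls` can hide. The package names it inspects (the `react-server-dom-*` bundles) are an assumption and should be verified against the React advisory for CVE-2025-55182; the sample lockfile is constructed for the demo.

```javascript
// Added example (not from the article or the React project): scan an npm
// package-lock.json for React Server Components bundles still below the
// patched releases the advisory names (19.0.1, 19.1.2, 19.2.1).
// Assumption: the affected packages are the react-server-dom-* bundles; verify
// the exact list against the React advisory for CVE-2025-55182 before relying on it.

// First patched release on each affected 19.x minor line, per the advisory.
const FIRST_FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 };

// Packages to inspect (assumed from the advisory; add "react" if your policy
// treats the core package as in scope as well).
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers; returns null if the
// string does not start with three numeric components.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// True when the version sits on an affected 19.x line and is below the fix.
// Pre-release tags (e.g. "19.2.0-canary-...") are compared by their base
// version, which errs on the side of flagging them. Unparsable strings are
// reported as "unknown" by the caller rather than silently passed.
function isVulnerableVersion(version) {
  const v = parseVersion(version);
  if (v === null) return false;
  if (v.major !== 19) return false;
  const line = `${v.major}.${v.minor}`;
  if (!(line in FIRST_FIXED_PATCH)) return false; // 19.3+ assumed to carry the fix
  return v.patch < FIRST_FIXED_PATCH[line];
}

// Derive the package name from a lockfile v2/v3 "packages" key such as
// "node_modules/foo/node_modules/@scope/bar".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Walk every installed copy (including nested duplicates) and return the ones
// that are still vulnerable, plus any RSC package whose version could not be parsed.
function findVulnerable(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = entry.name || packageNameFromPath(path);
    if (!RSC_PACKAGES.has(name)) continue;
    if (parseVersion(entry.version) === null) {
      findings.push({ path, name, version: String(entry.version), status: "unknown" });
    } else if (isVulnerableVersion(entry.version)) {
      findings.push({ path, name, version: entry.version, status: "vulnerable" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project) exercising three cases:
// a vulnerable copy, a patched copy, and a vulnerable copy nested under a dependency.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.1.2" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.0.0" },
  },
};

console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Note that the check is only as good as the package list: if the advisory names packages beyond the three assumed here, add them to `RSC_PACKAGES`, and treat any `"unknown"` finding (a canary or tarball-pinned version) as something to inspect by hand.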
Microsoft now says those warnings have come true: many attackers have taken advantage of the vulnerability to run arbitrary commands, drop malware and move laterally through target infrastructure, blending in with legitimate traffic as they go.
Redmond also noted that the volume of attacks increased after the vulnerability was publicly disclosed, as more attackers began deploying in-memory loaders and cryptominers.
Two weeks ago, Amazon Web Services (AWS) reported that two China-linked groups, Earth Lamia and Jackpot Panda, had been seen using the bug to attack organizations across various verticals.
Targets are located around the world, from Latin America to the Middle East and Southeast Asia. Financial services firms, logistics and retail companies, IT firms, universities and government organizations have been attacked. The goal of the attacks is to establish persistence and conduct cyber espionage.
Soon after, researchers also observed state-sponsored North Korean attackers doing the same thing. The difference is that the North Koreans are using the vulnerability to deploy new malware with its own persistence mechanism, called EtherRAT. Compared to what Earth Lamia and Jackpot Panda did, EtherRAT is “much more sophisticated”: a persistent-access implant that combines methods from at least three documented campaigns.