Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims

Cybersecurity experts are warning of a rapid rise in attacks targeting the newly disclosed React2Shell vulnerability (CVE-2025-55182), with more than 50 organizations already confirmed as victims worldwide. Researchers caution that half of the exposed systems remain unpatched, raising the risk of widespread compromise.

The flaw, affecting React Server Components and multiple dependent frameworks such as Next.js, React Router, Waku, Parcel RSC plugin, Vite RSC plugin, and RedwoodJS, allows attackers to execute arbitrary code and deploy malware with minimal effort.

In response to the growing threat, the Cybersecurity and Infrastructure Security Agency (CISA) has accelerated the patching deadline for federal agencies to Friday, down from the original December 26 date.

According to Unit 42 at Palo Alto Networks, victims have been identified across the United States, Asia, South America, and the Middle East. Attackers include nation-state groups, cybercriminals, botnets, and cryptocurrency-focused threat actors, all exploiting the flaw for financial gain, espionage, or disruption.

Shadowserver scans reveal over 165,000 IPs and 644,000 domains with vulnerable code, with nearly two-thirds located in the United States. Security experts describe the exploit as highly weaponizable, noting that attackers are targeting organizations holding sensitive or business-critical data.

Kelly Shortridge, Chief Product Officer at Fastly, told CyberScoop, “This is a one click — game over — kind of vulnerability. Attackers can blend into normal traffic and operate undetected, making it extremely difficult for organizations to respond in time.”

Wiz Research has identified over 15 distinct intrusion clusters, while Rapid7 emphasizes that the vulnerability represents a “patch-now situation”, with attacks ranging from opportunistic botnet campaigns to sophisticated nation-state operations. Malware linked to the attacks includes Snowlight, Vshell, NoodlerRat, XMRIG, BPFDoor, Autocolor, Mirai, and Supershell.

Activity observed by Unit 42 overlaps with previous campaigns by the North Korea-linked Contagious Interview group, which targeted tech industry job seekers, while Amazon reports exploitation attempts by China-backed groups Earth Lamia and Jackpot Panda within hours of the vulnerability’s disclosure.

The React2Shell defect has drawn comparisons to Log4Shell, the Apache Log4j vulnerability from 2021, but experts warn that React2Shell may be easier to exploit and harder to detect. Kelly Shortridge added, “Organizations that thought they were safe are discovering they are vulnerable, often only after compromise has occurred.”

Security professionals strongly urge organizations using React Server Components or dependent frameworks to apply patches immediately, monitor network traffic for anomalies, and review guidance from cybersecurity authorities and vendors.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO