React2Shell Exploits Target Insurance, E-Commerce, and IT Sectors in Rapid Cyberattacks Threat actors are actively exploiting CVE-2025-55182 (React2Shell), a critical vulnerability in React Server Components, to compromise organizations in the insurance, e-commerce, and IT sectors. The flaw stems from insecure deserialization in the Flight protocol, enabling attackers to execute unauthorized code on vulnerable servers. Exploitation campaigns have moved swiftly, with adversaries weaponizing the vulnerability within hours of disclosure. While many critical flaws never see real-world use, React2Shell has become a prime target, delivering XMRig cryptocurrency miners, botnets, and remote access tools. ### Attack Scope and Malware Payloads - Russian entities faced attacks deploying RustoBot and Kaiji botnets, which conduct DDoS attacks and establish persistence via systemd services, crontab tasks, and modified system utilities. - Global campaigns distributed a broader range of malware, including: - CrossC2 implants (Cobalt Strike payloads with AES-128-CBC encryption) - Tactical RMM (remote management tool abuse) - VShell backdoors - EtherRAT (JavaScript-based malware retrieving C2 addresses from Ethereum smart contracts) ### Affected Systems and Patches React2Shell impacts multiple React Server Component packages, including: - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack (versions 19.0, 19.1.0, 19.1.1, 19.2.0) Patches are available in versions 19.0.1, 19.1.2, and 19.2.1, but security experts warn that patching alone is insufficient. Organizations must also scan for post-exploitation activity, as attackers often deploy multiple malicious tools in a single breach. ### Infection Mechanism 1. Initial Access: Attackers exploit React2Shell to execute commands in compromised containers. 2. Malware Deployment: Bash scripts (e.g., wocaosinm.sh, setup2.sh) download architecture-specific payloads, including: - Kaiji botnet (DDoS attacks, persistence via systemd/crontab) - XMRig miner (version 6.24.0, with CPU throttling to evade detection) 3. Data Exfiltration: Attackers use DNS tunneling (nslookup) to encode and transmit stolen data via subdomain queries. 4. Persistence Techniques: - CrossC2 payloads disguise themselves as "Rsyslo AV Agent Service" via systemd. - EtherRAT employs five persistence methods, including XDG Autostart, .bashrc, and .profile modifications. ### Mitigation Recommendations Beyond patching, organizations should: - Verify Next.js versions and dependencies - Rebuild projects after updates - Check lock files to ensure vulnerable packages are removed - Restrict experimental React Server Components in production unless fully patched The attacks highlight the speed and sophistication of modern cyber threats, with adversaries rapidly adapting to newly disclosed vulnerabilities.