Half of exposed React servers remain unpatched amid attacks

Half of the internet-facing systems vulnerable to a fast-moving React remote code execution flaw remain unpatched, even as exploitation has exploded into more than a dozen active attack clusters ranging from bargain-basement cryptominers to state-linked intrusion tooling.

That’s the assessment from Alon Schindel, VP of AI and Threat Research at Wiz, who says CVE-2025-55182 – the React server-side vulnerability dubbed “React2Shell” – is now being actively exploited at scale, with researchers tracking at least 15 distinct intrusion clusters in the wild over the past 24 hours alone.

According to Wiz’s latest telemetry, roughly 50 percent of publicly exposed resources known to be vulnerable are still running unpatched code, giving attackers a comfortable head start.

The critical-severity flaw, first disclosed earlier this month, affects React Server Components and dependent frameworks such as Next.js and stems from unsafe deserialization in React’s server-side packages, allowing an unauthenticated attacker to send a crafted request to achieve remote code execution. As The Register previously reported, the bug quickly proved attractive to attackers because of React’s ubiquity in modern web stacks, particularly in cloud-hosted environments where a single exposed endpoint can provide a foothold into far larger estates.

What began as opportunistic scanning and cryptomining has now broadened into something messier. Wiz says it is seeing a clear split between “commodity” exploitation – dominated by familiar cryptomining operations using tools like Kinsing, C3Pool, and custom loaders – and more deliberate intrusion sets deploying post-exploitation frameworks and bespoke malware.

Among the clusters observed are Python-based campaigns masquerading as miner droppers while quietly exfiltrating secrets, Sliver command-and-control infrastructure used for hands-on-keyboard operations, and a JavaScript file injector that systematically infects every server-side *.js file it can reach. Wiz also reports the re-emergence of EtherRat backdoor variants, a family of malware that had previously fallen out of favor but appears to have been dusted off for this wave of exploitation.

The technical sophistication is also creeping upward. Multiple miscreants are actively attempting to frustrate incident response by manipulating timestamps, minimizing logs, and otherwise scrubbing evidence of compromise. Those anti-forensics techniques, Wiz warned, suggest operators who expect to be hunted and intend to linger.
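The file injector and the timestamp manipulation described above are both detectable from the host side. The following is an added example, not code from Wiz or The Register: it baselines SHA-256 hashes of server-side `*.js` files, then reports content changes, new or missing files, and files whose mtime has been back-dated (a userspace `utime()` call rewrites mtime, but the kernel still bumps ctime, so a large ctime-minus-mtime gap is a timestomping hint). The directory layout, file names and 300-second skew threshold are constructed for the demo.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def baseline(root):
    """Map each server-side *.js file under root to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*.js")}


def audit(root, known, skew_seconds=300):
    """Compare the tree against a baseline and flag suspicious files.
    Findings: content-changed, new-file, missing, and mtime-older-than-ctime
    (mtime can be back-dated by the attacker, ctime cannot from userspace)."""
    root = Path(root)
    findings = []
    current = baseline(root)
    for rel, digest in current.items():
        st = os.stat(root / rel)
        if rel not in known:
            findings.append((rel, "new-file"))
        elif known[rel] != digest:
            findings.append((rel, "content-changed"))
        if st.st_ctime - st.st_mtime > skew_seconds:
            findings.append((rel, "mtime-older-than-ctime"))
    for rel in known.keys() - current.keys():
        findings.append((rel, "missing"))
    return sorted(findings)


def demo():
    """Constructed scenario: one clean file, one injected and back-dated."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "server.js").write_text("module.exports = () => 'ok';\n")
        (root / "util.js").write_text("exports.add = (a, b) => a + b;\n")
        known = baseline(root)  # taken while the tree is still clean
        # Simulate the injector: prepend code, then reset mtime 30 days back.
        target = root / "util.js"
        target.write_text("/* injected */\n" + target.read_text())
        old = time.time() - 86400 * 30
        os.utime(target, (old, old))  # atime/mtime back-dated; ctime is not
        return audit(root, known)
```

Run `demo()` to see both indicators fire on `util.js` while `server.js` stays clean; in production, store the baseline off-host so an intruder cannot rewrite it.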

[…]

Source: Half of exposed React servers remain unpatched amid attacks • The Register

Robin Edgar
