Attackers of different origins and motivations swiftly exploited a critical vulnerability dubbed React2Shell, affecting React Server Components shortly after Meta and the React team publicly disclosed the flaw with a patch Wednesday.
Multiple security firms are actively responding to active exploitation in the wild as a scrum of reports conclude the malicious activity is limited to scanning and attempts instead of actual attacks. Yet, official word from the Cybersecurity and Infrastructure Security Agency is clear — the agency added CVE-2025-55182 to its known exploited vulnerabilities catalog Friday.
Reaction to the deserialization vulnerability, which has a CVSS rating of 10 and allows unauthenticated attackers to achieve remote-code execution, has revealed a chasm in the cybersecurity research community. Threat analysts are mostly growing more concerned about downstream impacts, but some are urging defenders to respond with less urgency and restraint.
A debate over actual exploitation is muddying response efforts as some researchers say they’ve observed working proof of concepts and others assert legitimate PoCs are lacking. Nonetheless, real organizations have been impacted by attacks, according to multiple researchers investigating the fallout.
Palo Alto Networks’ incident response firm Unit 42, watchTowr and Wiz told CyberScoop they’ve observed successful exploitation and follow-on malicious activity.
As of late Friday, Unit 42 has confirmed more than 30 organizations across various sectors are impacted.
“Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015, also known as UNC5174, a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security,” said Justin Moore, senior manager of threat intel research at Unit 42.
“In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015,” he added.
More broadly, Moore said Unit 42 has “observed scanning for vulnerable remote-code execution, reconnaissance activity, attempted theft of Amazon Web Services configuration and credential files, as well installation of downloaders to retrieve payloads from attacker command and control infrastructure.”
Ben Harris, CEO and founder of watchTowr, said his team has observed indiscriminate exploitation, describing the malicious activity as rapid and prolific.
“Post-exploitation we’ve seen everything from basic extraction of credentials through to webshell deployments as a stepping stone to further activities,” Harris said.
Multiple Wiz customer environments have been impacted by successful exploitation as well, according to Amitai Cohen, the company’s threat vector intel lead.
“So far, we’ve observed deployments of cryptojacking malware and attempts to extract cloud credentials from compromised machines,” he said. “These early-stage activities are consistent with common post-exploitation objectives like resource hijacking and establishing further access.”
Researchers from multiple firms said attempted and successful exploitation has increased following the release of public PoCs. The potential scope of impact is significant, as 39% of cloud environments contain instances of React or Next.js, a separate open-source library that depends on React Server Components, running versions vulnerable to CVE-2025-55182, according to Wiz Research.
“The Next.js framework itself is present in 69% of environments, and 44% of all cloud environments have publicly exposed Next.js instances — regardless of the version running,” Cohen said.
Further complicating matters, Vercel, the company behind Next.js, disclosed and issued a patch Wednesday for its own maximum-severity vulnerability — CVE-2025-66478 — but the CVE was rejected because it’s a duplicate of the React defect, the root cause.
Multiple threat groups are mobilizing resources to exploit the vulnerability for various objectives.
“There are remote-code execution PoCs around now. It’s definitely already started, which means ransomware gangs follow. They don’t ignore opportunities for money,” Harris said.
Within hours of the public disclosure of the vulnerability, “Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda,” CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post Thursday.
Unit 42 said it, too, is tracking attempted exploitation from several possible China-linked threat actors and cybercriminals.
Automated, opportunistic exploitation attempts based on a publicly released PoC have been widespread, said Noah Stone, head of content at GreyNoise Intelligence. The firm’s sensors have captured malicious traffic originating from infrastructure in China, Hong Kong, the United States, Japan and Singapore targeting services based in the United States, Pakistan, India, Singapore and the United Kingdom, he said.
VulnCheck’s decoy systems, which act as an early warning sign of vulnerability exploitation, have also observed exploitative scanning, said Caitlin Condon, the company’s vice president of research. “VulnCheck has been looking at patch rates on exposed Next.js apps, and we didn’t see a lot of patched systems,” she added.
Patching and mitigating the vulnerability isn’t without risk, either. Cloudflare said it experienced a temporary outage that was triggered by changes it made to its body parsing logic to detect and mitigate the vulnerability Friday.
As security researchers debate the viability of PoCs for the React vulnerability and visibility into actual attacks differs across the community, there’s no doubt the defect, which affects one of the most extensively used application frameworks, has captured sweeping interest and attention.
“This whole story is wild,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “This has been a real rollercoaster.”
