Google Warns Hackers Exploiting React2Shell Vulnerability To Spread Malware


The React2Shell vulnerability is being actively exploited to seize control of internet-facing servers running React Server Components and some Next.js deployments, according to Google’s Threat Intelligence Group (GTIG).

The CVE-2025-55182 exploit enables unauthenticated remote code execution with a maximum CVSS v3 score of 10.0.

Since disclosure on December 3, 2025, state-aligned and criminal actors have rapidly moved to weaponize unpatched systems, dropping backdoors, tunneling utilities, and cryptominers. Public proof-of-concept code has accelerated scanning and mass exploitation.

GTIG urges immediate patching, verification that React Server Components and Next.js are on secure versions, and proactive threat hunting using the indicators of compromise it has published.


React2Shell vulnerability: What You Need to Know

  • Critical RCE in React Server Components (CVE-2025-55182) is under broad exploitation; patch now and validate versions to reduce risk.


What is the React2Shell vulnerability?

The React2Shell vulnerability, tracked as CVE-2025-55182, is a critical React Server Components vulnerability that allows unauthenticated remote code execution on affected React and Next.js servers.

With a CVSS 10.0 rating, the exposure enables full system compromise when internet-facing services remain unpatched.

GTIG reports that reliable exploit chains are widely available. Early nonfunctional tools have given way to working methods, including memory-resident web shells that complicate detection and removal.

The breadth of adoption for React and Next.js amplifies the potential blast radius of the CVE-2025-55182 exploit.

How attackers are abusing the React2Shell vulnerability

GTIG observed multiple campaigns exploiting the React2Shell vulnerability. China-linked espionage actors are focusing on persistence and covert access:

  • UNC6600 uses the MINOCAT tunneler to maintain stealthy network reach.
  • UNC6603 deploys an updated HISONIC backdoor that blends with legitimate traffic through services such as Cloudflare.

Financially motivated groups are monetizing compromised compute. One campaign installed XMRig via a script named sex.sh to mine cryptocurrency.

Additional malware associated with the React2Shell vulnerability includes the SNOWLIGHT downloader and the COMPOOD backdoor, used for staging payloads and exfiltrating data.

Affected technologies and exposure

The issue stems from a React Server Components vulnerability, affecting specific versions of React and Next.js that implement server-side components.

Organizations running public-facing web applications are at elevated risk if patches are not applied.

The availability of exploit code has lowered the barrier to entry, fueling broad scanning and opportunistic attacks against unpatched services.

Exploits and tradecraft observed

The CVE-2025-55182 exploit ecosystem matured rapidly after December 3, 2025. Adversaries now employ stable techniques for code execution and in-memory web shells, followed by swift post-exploitation actions.

This mirrors patterns seen in other high-urgency flaws, including the exploited Ivanti VPN vulnerability and the code execution flaw in Nuclei scanner, where public PoCs drove rapid adoption by both nation-state and criminal actors.

The React2Shell vulnerability has been folded into espionage-oriented campaigns and quick-hit cryptomining operations alike, demonstrating how a single high-impact flaw enables varied objectives across the threat landscape.

Indicators of compromise (IoCs) you can act on

GTIG released indicators tied to ongoing React2Shell vulnerability exploitation. Security teams should integrate these IoCs into detection pipelines and blocklists while patching and validating deployments.

Network and file indicators

  • Domain: reactcdn.windowserrorapis[.]com (SNOWLIGHT C2 and staging)
  • IPs: 82.163.22[.]139 (SNOWLIGHT C2), 216.158.232[.]43 (staging for sex.sh), 45.76.155[.]14 (COMPOOD C2/payload staging)
  • SHA256: df3f20a9…b540 (HISONIC), 92064e21…edf3 (HISONIC), 0bc65a55…f696 (ANGRYREBEL.LINUX), 13675cca…7274 (XMRig downloader sex.sh), 7f05bad0…737a (SNOWLIGHT linux_amd64), 776850a1…4273 (MINOCAT)
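A hunt over proxy and DNS log lines for the network indicators listed above, as an added example here rather than GTIG's or Google's tooling; the log lines are constructed, and the truncated SHA256 values from the list are deliberately not used because they cannot be matched exactly.

```python
"""Hunt proxy/DNS log lines for the network IoCs GTIG published for React2Shell
(CVE-2025-55182). Added example, not Google/GTIG tooling; sample logs are constructed."""
import re

# Defanged indicators as listed on this page. The page's SHA256 values are truncated,
# so only network IoCs are used; take the full hashes from GTIG's report.
DEFANGED_IOCS = {
    "reactcdn.windowserrorapis[.]com": "SNOWLIGHT C2 and staging",
    "82.163.22[.]139": "SNOWLIGHT C2",
    "216.158.232[.]43": "staging for sex.sh",
    "45.76.155[.]14": "COMPOOD C2/payload staging",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}
# IPv4 indicators contain no letters; everything else is a domain we also suffix-match.
DOMAIN_IOCS = {k: v for k, v in IOCS.items() if any(c.isalpha() for c in k)}
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")  # hostname/IP-shaped tokens

def ioc_hits(log_line: str) -> list[tuple[str, str]]:
    """Return (indicator, description) for each IoC in one log line. Matching is
    whole-token (182.163.22.139 must not fire on 82.163.22[.]139) plus subdomain."""
    hits = []
    for token in TOKEN_RE.findall(log_line):
        t = token.lower().rstrip(".")
        if t in IOCS:
            hits.append((t, IOCS[t]))
            continue
        for ioc, desc in DOMAIN_IOCS.items():
            if t.endswith("." + ioc):
                hits.append((t, desc + " (subdomain)"))
    return hits

def scan(lines) -> list[tuple[int, str, str]]:
    """Scan log lines; return (line_no, indicator, description) for every hit."""
    return [(n, i, d) for n, line in enumerate(lines, 1) for i, d in ioc_hits(line)]

SAMPLE_LOGS = [  # constructed, not real telemetry
    "2025-12-04T10:01:22Z proxy CONNECT 82.163.22.139:443 user=svc-web",
    "2025-12-04T10:01:30Z dns query A reactcdn.windowserrorapis.com from 10.0.4.7",
    "2025-12-04T10:02:00Z proxy GET http://216.158.232.43/sex.sh ua=curl/8.5",
    "2025-12-04T10:03:00Z proxy CONNECT 182.163.22.139:443 user=svc-web",
]
```

Feed real proxy, DNS or egress logs to `scan()` in place of `SAMPLE_LOGS`; the fourth sample line shows why whole-token matching matters, since a naive substring search would flag it.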

Immediate actions and mitigations

Apply vendor patches immediately and confirm deployments of Next.js and React Server Components are on secure versions, as GTIG advises. Prioritize systems exposed to the internet, then audit for compromise using the IoCs above.

For additional context on urgent patching, see Apple security patches fixing 50+ vulnerabilities, Microsoft patches addressing zero-days, and a critical vulnerability case in ProjectSend.

Teams tracking framework flaws can also review the critical Zoom security bulletin for additional mitigation patterns.

Implications of the React2Shell vulnerability wave

Rapid and transparent disclosure gives defenders immediate, actionable guidance: patch affected React and Next.js versions, validate configurations, and monitor for GTIG’s indicators.

This focus enables faster containment and accelerates security vendor detection content for the CVE-2025-55182 exploit.

However, public exploit availability, combined with a CVSS 10.0 rating, increases the likelihood of widespread, low-cost attacks.

Because the React2Shell vulnerability impacts popular web frameworks, organizations of all sizes face heightened risk from automated scanning and mass exploitation.


Conclusion

GTIG’s alert is unambiguous: the React2Shell vulnerability demands immediate remediation. With active exploitation by espionage and criminal actors, every exposed minute increases risk.

Organizations running React Server Components or Next.js should patch now, confirm secure versions, and hunt for compromise using GTIG’s IoCs. Public exploit code ensures opportunistic probing will continue.

As campaigns evolve, with MINOCAT, HISONIC, SNOWLIGHT, COMPOOD, and XMRig among the tooling already observed, rapid patching, rigorous monitoring, and disciplined credential controls are essential to blunt the CVE-2025-55182 exploit.

Questions Worth Answering

What is CVE-2025-55182?

– A critical React Server Components vulnerability enabling unauthenticated remote code execution, widely referenced as the React2Shell vulnerability.

Who is exploiting this flaw?

– Multiple groups, including China-nexus espionage actors and financially motivated cybercriminals, according to GTIG.

Which technologies are affected?

– Specific React and Next.js versions using React Server Components, especially internet-facing deployments.

What malware has been observed?

– MINOCAT, HISONIC, SNOWLIGHT, COMPOOD, and XMRig miners delivered via scripts like sex.sh.

Is exploit code publicly available?

– Yes. Reliable exploit chains and memory-resident web shells are circulating.

What immediate steps should teams take?

– Patch, verify secure versions, restrict exposure, and monitor for GTIG’s IoCs and unusual process or network activity.

When was it disclosed?

– December 3, 2025, with exploitation observed shortly afterward.

About Google Threat Intelligence Group (GTIG)

Google Threat Intelligence Group (GTIG) tracks advanced threat actors and high-impact cyber campaigns across the global ecosystem.

The team publishes actionable research that enables defenders to mitigate risks from zero-days, emerging exploits, and persistent intrusion sets.

By sharing indicators, tradecraft, and mitigation guidance, GTIG helps organizations respond quickly to critical vulnerabilities like the React2Shell vulnerability.
