
Half of exposed React servers remain unpatched amid active exploitation

Half of the internet-facing systems vulnerable to a fast-moving React remote code execution flaw remain unpatched, even as exploitation has exploded into more than a dozen active attack clusters ranging from bargain-basement cryptominers to state-linked intrusion tooling.

That’s the assessment from Alon Schindel, VP of AI and Threat Research at Wiz, who says CVE-2025-55182 – the React server-side vulnerability dubbed “React2Shell” – is now being actively exploited at scale, with researchers tracking at least 15 distinct intrusion clusters in the wild over the past 24 hours alone. 

According to Wiz’s latest telemetry, roughly 50 percent of publicly exposed resources known to be vulnerable are still running unpatched code, giving attackers a comfortable head start.

The critical-severity flaw, first disclosed earlier this month, affects React Server Components and dependent frameworks such as Next.js and stems from unsafe deserialization in React’s server-side packages, allowing an unauthenticated attacker to send a crafted request to achieve remote code execution. As The Register previously reported, the bug quickly proved attractive to attackers because of React’s ubiquity in modern web stacks, particularly in cloud-hosted environments where a single exposed endpoint can provide a foothold into far larger estates.

What began as opportunistic scanning and cryptomining has now broadened into something messier. Wiz says it is seeing a clear split between “commodity” exploitation – dominated by familiar cryptomining operations using tools like Kinsing, C3Pool, and custom loaders – and more deliberate intrusion sets deploying post-exploitation frameworks and bespoke malware.

Among the clusters observed are Python-based campaigns masquerading as miner droppers while quietly exfiltrating secrets, Sliver command-and-control infrastructure used for hands-on-keyboard operations, and a JavaScript file injector that systematically infects every server-side *.js file it can reach. Wiz also reports the re-emergence of EtherRat backdoor variants, a family of malware that had previously fallen out of favor but appears to have been dusted off for this wave of exploitation.

The technical sophistication is also creeping upward. Multiple miscreants are actively attempting to frustrate incident response by manipulating timestamps, minimizing logs, and otherwise scrubbing evidence of compromise. Those anti-forensics techniques, Wiz warned, suggest operators who expect to be hunted and intend to linger.
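Two details above matter for defenders: the injector that rewrites every reachable server-side `*.js` file, and the operators who tamper with timestamps to hide that rewrite. The following is an added example, not code from the article, from Wiz or from the React project: a content-hash baseline check that flags modified, added and missing JavaScript files without trusting file mtimes. The directory layout, file contents and the "injected stub" string are all constructed for the demonstration; `build_baseline`, `verify` and `demo` are names chosen here.

```python
"""
Added example (not from the article or any vendor): a content-hash baseline
check for server-side JavaScript files. Because the described injector
touches every reachable *.js file and the operators reset timestamps, a
check keyed on mtime/ctime is unreliable; comparing SHA-256 digests against
a manifest taken from a trusted build is not.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large bundles do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, pattern: str = "*.js") -> dict:
    """Hash every file matching `pattern` under `root`.

    Run this at deployment time against a tree produced by a trusted build and
    store the result somewhere the web server cannot write to.
    """
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob(pattern))
        if p.is_file()
    }


def verify(root: Path, baseline: dict, pattern: str = "*.js") -> dict:
    """Compare the live tree with the stored baseline.

    Returns lists of modified, added and missing relative paths. Timestamps are
    deliberately ignored: the article notes attackers manipulate them.
    """
    current = build_baseline(root, pattern)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate an injector that
    prepends a stub to every .js file, drops a new file, and restores mtimes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "server").mkdir()
        files = {  # constructed sample files, not a real application
            "server/app.js": "module.exports = () => 'ok';\n",
            "server/util.js": "exports.add = (a, b) => a + b;\n",
            "server/README.md": "not javascript\n",
        }
        for rel, body in files.items():
            (root / rel).write_text(body)
        baseline = build_baseline(root)

        # Simulated injector: rewrite every .js file, then put the old mtime back
        # (the anti-forensics step that defeats mtime-based checks).
        for p in root.rglob("*.js"):
            st = p.stat()
            p.write_text("/* injected stub (constructed) */\n" + p.read_text())
            os.utime(p, (st.st_atime, st.st_mtime))
        (root / "server" / "extra.js").write_text("// dropped file (constructed)\n")

        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Usage in practice: generate the manifest in the CI job that builds the container image, ship it read-only alongside the image, and run `verify` from a cron job or a sidecar whose findings go to a log sink the web process cannot reach. Any non-empty `modified` or `added` list for server-side bundles that were not just redeployed is a strong indicator worth triaging.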

Other security firms are now corroborating that assessment. Palo Alto Networks’ Unit 42 team has linked the exploitation of CVE-2025-55182 to North Korean and Chinese threat groups. They stopped short of pinning it on any single baddie, but said the tooling and reused infrastructure look more like long-term intrusion work than smash-and-grab cryptomining.

“Unit 42 has identified activity that reportedly shares overlap with North Korean (DPRK) Contagious Interview tooling, though no formal attribution has occurred at this time. Contagious Interview is a campaign where threat actors associated with the DPRK pose as recruiters to install malware on the devices of job seekers in the tech industry,” Unit 42 said. “Additionally, we’ve observed instances of the Linux backdoor BPFDoor. This is a Linux implant attributed to Chinese-linked threat actor Red Menshen.”

React’s dominance means vulnerable code isn’t confined to obscure hobby projects, but sits inside production systems at startups, enterprises, and cloud-heavy organizations alike. Many of those deployments are internet-facing by design, and patching is not always straightforward.

As with so many modern web vulnerabilities, the danger is not just the bug itself but how quickly it becomes industrialized. React2Shell has already crossed that line, and with half the vulnerable surface still exposed, attackers have little incentive to move on just yet. ®
