Attackers of different origins and motivations swiftly exploited a critical vulnerability dubbed React2Shell, affecting React Server Components shortly after Meta and the React team publicly disclosed the flaw with a patch Wednesday. 

Multiple security firms are responding to active exploitation in the wild as a scrum of reports conclude the malicious activity is limited to scanning and attempts instead of actual attacks. Yet, official word from the Cybersecurity and Infrastructure Security Agency is clear — the agency added CVE-2025-55182 to its known exploited vulnerabilities catalog Friday. 

Reaction to the deserialization vulnerability, which has a CVSS rating of 10 and allows unauthenticated attackers to achieve remote-code execution, has revealed a chasm in the cybersecurity research community. Threat analysts are mostly growing more concerned about downstream impacts, but some are urging defenders to respond with less urgency and restraint.

A debate over actual exploitation is muddying response efforts as some researchers say they’ve observed working proof of concepts and others assert legitimate PoCs are lacking. Nonetheless, real organizations have been impacted by attacks, according to multiple researchers investigating the fallout. 

Palo Alto Networks’ incident response firm Unit 42, watchTowr and Wiz told CyberScoop they’ve observed successful exploitation and follow-on malicious activity.

As of late Friday, Unit 42 has confirmed more than 30 organizations across various sectors are impacted. 

“Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015, also known as UNC5174, a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security,” said Justin Moore, senior manager of threat intel research at Unit 42. 

“In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015,” he added. 

More broadly, Moore said Unit 42 has “observed scanning for vulnerable remote-code execution, reconnaissance activity, attempted theft of Amazon Web Services configuration and credential files, as well installation of downloaders to retrieve payloads from attacker command and control infrastructure.”

Ben Harris, CEO and founder of watchTowr, said his team has observed indiscriminate exploitation, describing the malicious activity as rapid and prolific.

“Post-exploitation we’ve seen everything from basic extraction of credentials through to webshell deployments as a stepping stone to further activities,” Harris said. 

Multiple Wiz customer environments have been impacted by successful exploitation as well, according to Amitai Cohen, the company’s threat vector intel lead. 

“So far, we’ve observed deployments of cryptojacking malware and attempts to extract cloud credentials from compromised machines,” he said. “These early-stage activities are consistent with common post-exploitation objectives like resource hijacking and establishing further access.”

Researchers from multiple firms said attempted and successful exploitation has increased following the release of public PoCs. The potential scope of impact is significant, as 39% of cloud environments contain instances of React or Next.js, a separate open-source library that depends on React Server Components, running versions vulnerable to CVE-2025-55182, according to Wiz Research.

“The Next.js framework itself is present in 69% of environments, and 44% of all cloud environments have publicly exposed Next.js instances — regardless of the version running,” Cohen said.

Further complicating matters, Vercel, the company behind Next.js, disclosed and issued a patch Wednesday for its own maximum-severity vulnerability — CVE-2025-66478 — but the CVE was rejected because it’s a duplicate of the React defect, the root cause. 

Multiple threat groups are mobilizing resources to exploit the vulnerability for various objectives. 

“There are remote-code execution PoCs around now. It’s definitely already started, which means ransomware gangs follow. They don’t ignore opportunities for money,” Harris said.

Within hours of the public disclosure of the vulnerability, “Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda,” CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post Thursday.

Unit 42 said it, too, is tracking attempted exploitation from several possible China-linked threat actors and cybercriminals. 

Automated, opportunistic exploitation attempts based on a publicly released PoC have been widespread, said Noah Stone, head of content at GreyNoise Intelligence. The firm’s sensors have captured malicious traffic originating from infrastructure in China, Hong Kong, the United States, Japan and Singapore targeting services based in the United States, Pakistan, India, Singapore and the United Kingdom, he said. 

VulnCheck’s decoy systems, which act as an early warning sign of vulnerability exploitation, have also observed exploitative scanning, said Caitlin Condon, the company’s vice president of research. “VulnCheck has been looking at patch rates on exposed Next.js apps, and we didn’t see a lot of patched systems,” she added.

Patching and mitigating the vulnerability isn’t without risk, either. Cloudflare said it experienced a temporary outage that was triggered by changes it made to its body parsing logic to detect and mitigate the vulnerability Friday.

As security researchers debate the viability of PoCs for the React vulnerability and visibility into actual attacks differs across the community, there’s no doubt the defect, which affects one of the most extensively used application frameworks, has captured sweeping interest and attention.

“This whole story is wild,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “This has been a real rollercoaster.”

The post Attackers hit React defect as researchers quibble over proof appeared first on CyberScoop.

Security researchers and code developers are scrambling to patch and investigate a critical vulnerability affecting React Server Components, an open-source library used widely across the internet and embedded into many essential software frameworks.

The rapid response underscores the potential consequences of exploitation. Although no attacks have been observed or reported, researchers expect them soon and are urgently mobilizing resources to address the defect.

The vulnerability – CVE-2025-55182 – was discovered by Lachlan Davidson, a developer and lead of security innovation at Carapace, and reported to Meta on Saturday. Meta and the React team created a patch and worked with affected hosting providers to address the defect Monday before the public disclosure on Wednesday.

“The reason there’s been such a measured response to this vulnerability is because exploitation is inevitable,” Ben Harris, CEO and founder of watchTowr, told CyberScoop. “We should be expecting attackers to start exploiting this vulnerability truly imminently.” 

React is one of the most extensively used application frameworks, putting large swaths of web applications at risk. “Our data shows that these libraries can be found in vulnerable versions in around 39% of cloud environments,” said Amitai Cohen, threat vector intel lead at Wiz.

Researchers warn that exploitation of the deserialization defect is trivial and allows unauthenticated attackers to achieve remote code execution in default configurations, resulting in elevating privileges or pivots into other parts of a network. “The impact on the resources stored on that system could be devastating should things like access keys or other secrets or sensitive information be present,” said Stephen Fewer, senior principal researcher at Rapid7.

Prior to public disclosure, security researchers from Meta, which initially created and maintained React before moving the open-source library to the React Foundation in October, worked behind the scenes to notify affected organizations of the defect and shared temporary steps for mitigation such as web application firewall rules.

“While we are actively investigating and have no evidence that this vulnerability has been exploited at this time, we want to make all developers aware of this issue so they can implement the appropriate mitigations quickly,” a Meta spokesperson said in a statement.

The vulnerability affects multiple React frameworks and bundlers, including Next.js, React Router, Waku, Parcel RSC plugin, Vite RSC plugin, RedwoodJS and likely others that haven’t been identified yet, according to researchers. Vercel, the company behind Next.js, disclosed and issued a patch for its own maximum-severity vulnerability — CVE-2025-66478 — due to its dependency on React Server Components. 

Researchers from Wiz, Rapid7, watchTowr and other security firms warned that ensuing fallout from other frameworks or libraries that depend on React Server Components is likely, and long-tail impacts will persist in environments that are less maintained or difficult to update.

It’s unclear why Vercel assigned a separate CVE for Next.js since the upstream defect in React, CVE-2025-55182, is the root cause, but the vendor could be tracking impact on its own product, Fewer said. “It should not be necessary to assign a new CVE for each React-dependent framework, so long as the root cause remains the same as the original CVE-2025-55182 issue,” he added.

Cale Black, senior researcher at VulnCheck, said upstream dependency vulnerabilities tend to be handled on a per-project basis. “Projects with more mature security processes will release their own remediation guidance, and potentially over CVEs,” he said.

Meanwhile, threat hunters are steeling themselves for active exploitation and expect technical details and exploit code to be publicly available shortly. 

“With the entire internet looking at a solution that’s used everywhere to understand this vulnerability, someone will figure it out,” Harris said. “I have no doubt that by tomorrow morning, when I wake up, there will be easily one, if not more ways to reproduce this vulnerability.”

The post Developers scramble as critical React flaw threatens major apps appeared first on CyberScoop.