Two months after the disclosure of a catastrophic vulnerability in React Server Components, the attack landscape has shifted from chaotic experimentation to concentrated, industrial-scale exploitation. A new report from GreyNoise reveals that just two IP addresses are now responsible for the majority of attacks targeting CVE-2025-55182, a maximum-severity flaw that allows remote code execution without authentication.
The vulnerability, which carries a CVSS score of 10.0, turns development servers into open doors. As the report warns, the barrier to entry is non-existent: “Exploitation requires only a single HTTP POST request”.
In the weeks following the December 3, 2025 disclosure, attacks were widespread and varied. However, recent telemetry indicates a massive consolidation. Between January 26 and February 2, 2026, GreyNoise sensors detected that “two IP addresses now account for 56% of all observed exploitation attempts”.
While 1,083 unique sources are still taking potshots at vulnerable servers, these two heavy hitters are driving the volume:
- 193.142.147[.]209 is responsible for 34% of the traffic. This actor is purely profit-driven, deploying payloads that retrieve “cryptomining binaries from staging servers” to monetize compromised CPU cycles.
- 87.121.84[.]24 accounts for 22% of the activity. This source is more ominous, opening “reverse shells directly to the scanner IP,” granting the attacker interactive control over the victim’s machine.
The report notes a fascinating divergence in tactics: “Whether this represents two separate actors or compartmentalized infrastructure from a single actor remains unclear, but the behavioral distinction is notable”.
The attackers are specifically hunting for infrastructure that developers often leave exposed. While standard web ports (80, 443) see the highest volume, there is significant targeting of ports 3000, 3001, and 3002—the default homes for React development servers.
The danger is amplified by common misconfigurations. “React development servers configured with --host 0.0.0.0 for network accessibility are particularly exposed when internet-facing”.
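To check a host for the exposure described above, the following added example (not from GreyNoise or the React project) parses `ss -H -ltn` output and reports listeners on ports 3000 to 3002 that are bound to anything other than loopback. The sample output and the function names are constructed for illustration.

```python
import ipaddress
import shutil
import subprocess

DEV_PORTS = {3000, 3001, 3002}  # ports the article names as dev-server defaults

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:3000 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3001 0.0.0.0:*
LISTEN 0 511 [::]:3002 [::]:*
LISTEN 0 511 [::1]:3000 [::]:*
LISTEN 0 511 192.0.2.10:3001 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def classify(addr):
    """Return 'loopback', 'all-interfaces' or 'specific-interface'."""
    host = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    if host == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific-interface"

def exposed_dev_listeners(ss_output):
    """List (address, port, scope) for dev-port listeners reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in DEV_PORTS:
            continue
        scope = classify(addr)
        if scope != "loopback":
            findings.append((addr, int(port), scope))
    return findings

if __name__ == "__main__":
    # Use live socket data when ss is installed, else the constructed sample.
    out = (subprocess.run(["ss", "-H", "-ltn"], capture_output=True, text=True).stdout
           if shutil.which("ss") else SAMPLE_SS)
    for addr, port, scope in exposed_dev_listeners(out):
        print(f"{addr}:{port} listens on {scope}; bind to 127.0.0.1 unless remote access is required")
```

A finding only means the socket accepts connections from off-host; whether it is internet-facing still depends on firewalls and network placement.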
With a public Metasploit module available and automation ramping up, the window for patching has effectively closed. The payloads being deployed are not merely scanners checking for the flaw; they are “active exploitation attempts deploying cryptominers and reverse shells”.
GreyNoise offers an assessment for those who have lagged on security updates: “Organizations running unpatched React Server Components should assume they have been targeted”.
Admins are urged to upgrade immediately to React versions 19.0.1, 19.1.2, or 19.2.1 to close this critical gap.