The cybersecurity landscape was jolted this month by the disclosure of a catastrophic vulnerability in one of the world’s most popular web development frameworks. Dubbed “React2Shell,” the flaw has triggered a frantic race between defenders patching systems and a diverse array of threat actors—from state-sponsored espionage groups to opportunistic crypto-miners—rushing to weaponize it.
A new report from the Google Threat Intelligence Group (GTIG) details the chaotic aftermath of the disclosure, revealing how sophisticated adversaries are already entrenched in victim networks.
On December 3, 2025, the security community was alerted to CVE-2025-55182, a critical vulnerability in React Server Components (RSC) that carries a maximum CVSS score of 10.0. The flaw allows unauthenticated attackers to execute arbitrary code on a server simply by sending a single, maliciously crafted HTTP request.
The reaction from the cyber underworld was instantaneous. “Shortly after disclosure, Google Threat Intelligence Group (GTIG) had begun observing widespread exploitation across many threat clusters, ranging from opportunistic cyber crime actors to suspected espionage groups”.
Because React and Next.js are foundational to the modern web, the attack surface is massive. “GTIG considers CVE-2025-55182 to be a critical-risk vulnerability”.
The most alarming activity identified in the report comes from China-nexus threat actors who rapidly integrated the exploit into their arsenals to deploy specialized malware. GTIG identified several distinct campaigns:
- The Tunnelers (UNC6600): This group was seen deploying MINOCAT, a sophisticated tunneler. They went to great lengths to hide their tracks, creating hidden directories like $HOME/.systemd-utils and ruthlessly killing legitimate processes to free up resources.
- The “Legitimate” C2 (UNC6603): This actor deployed an updated version of the HISONIC backdoor. In a clever move to blend in, HISONIC “utilizes legitimate cloud services, such as Cloudflare Pages and GitLab, to retrieve its encrypted configuration”.
- The Masqueraders (UNC6595): Deploying a malware dubbed ANGRYREBEL.LINUX, this group attempted to evade detection “by masquerading the malware as the legitimate OpenSSH daemon (sshd) within the /etc/ directory” and using anti-forensics techniques like timestomping.
- The Vim Impostor (UNC6588): In a separate wave of attacks, actors used the exploit to download COMPOOD, a backdoor that disguised itself as the popular text editor Vim to avoid suspicion.
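For defenders who want to hunt for the host-level traces described in the campaigns above, the following is an added example (not from the GTIG report or this article): a small Python check run over a constructed file listing that looks for the hidden `$HOME/.systemd-utils` directory, ELF executables planted under `/etc/` with borrowed names such as `sshd`, and a timestomping tell. The 30-day skew threshold, the package-directory allowlist and the sample entries are assumptions made for the example.

```python
import os
from datetime import datetime, timedelta, timezone

ELF_MAGIC = b"\x7fELF"
HIDDEN_DIR_NAME = ".systemd-utils"          # staging dir named in the report
MASQUERADE_NAMES = {"sshd", "vim"}         # names the report says malware borrowed
# Assumed heuristic: ctime cannot be rewritten with utimes(), so an mtime set
# far earlier than ctime on an out-of-place binary is a classic timestomp tell.
TIMESTOMP_SKEW = timedelta(days=30)
# Package-managed trees preserve mtime on install; skip them to avoid noise.
PACKAGE_DIRS = ("/usr/", "/bin/", "/sbin/", "/lib")

def review_entry(entry):
    """Return (kind, path) findings for one constructed filesystem entry.

    entry keys: path, is_dir, head (first bytes; b"" for dirs), mtime, ctime.
    """
    findings = []
    path, name = entry["path"], os.path.basename(entry["path"])
    if entry["is_dir"] and name == HIDDEN_DIR_NAME and path.startswith(("/home/", "/root/")):
        findings.append(("hidden_dir", path))
    if not entry["is_dir"] and entry["head"].startswith(ELF_MAGIC):
        # Executables do not belong under /etc; the real sshd lives in /usr/sbin.
        if path.startswith("/etc/"):
            kind = "masquerade_binary" if name in MASQUERADE_NAMES else "elf_in_etc"
            findings.append((kind, path))
        if entry["ctime"] - entry["mtime"] > TIMESTOMP_SKEW and not path.startswith(PACKAGE_DIRS):
            findings.append(("possible_timestomp", path))
    return findings

def scan(entries):
    return [f for e in entries for f in review_entry(e)]

# Constructed sample listing (not real data), modelled on the report's descriptions.
NOW = datetime(2025, 12, 8, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"path": "/home/app/.systemd-utils", "is_dir": True, "head": b"", "mtime": NOW, "ctime": NOW},
    {"path": "/etc/sshd", "is_dir": False, "head": ELF_MAGIC + b"\x02\x01",
     "mtime": NOW - timedelta(days=700), "ctime": NOW},            # backdated mtime
    {"path": "/usr/sbin/sshd", "is_dir": False, "head": ELF_MAGIC + b"\x02\x01",
     "mtime": NOW - timedelta(days=400), "ctime": NOW - timedelta(days=2)},  # benign package file
    {"path": "/etc/ssh/sshd_config", "is_dir": False, "head": b"# This is",
     "mtime": NOW, "ctime": NOW},
]

if __name__ == "__main__":
    for kind, path in scan(SAMPLE_ENTRIES):
        print(f"{kind}: {path}")
```

On a live host the same checks would be fed from `os.walk` with `os.stat` times and the first four bytes of each file; the skew heuristic is only a lead and should be confirmed against package-manager verification before acting on it.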
“GTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlaps with activity previously reported by Huntress”.
Beyond espionage, financially motivated criminals joined the fray starting December 5, deploying XMRig miners to hijack server resources for cryptocurrency generation.
The chaos was further compounded by a flood of misinformation. In the initial hours post-disclosure, the internet was awash with fake exploits. One prominent repository “initially claiming to be a legitimate functional exploit, has now updated their README to appropriately label their initial research claims as AI-generated and non-functional”.
Organizations are urged to patch immediately, not just for the primary RCE flaw, but also for several follow-on vulnerabilities discovered in the aftermath.