216.73.217.22

Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components

· Published 15/12/2025 21:41 · Modified 21/12/2025 19:05

Export JSON

Essential information

Published
15/12/2025 21:41
Modified
21/12/2025 19:05
Tags
2025-12-15 CVE-2025-55182 etherrat react2shell remote code execution snowlight vshell vulnerability
Related entities
6 vulnerabilities (cve), 50 observables, 19 techniques (mitre), 6 malware, 9 others

Description

, also known as , is a critical pre-authentication affecting React Server Components and related frameworks. With a CVSS score of 10.0, it allows attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request. Exploitation has been detected since December 5, 2025, primarily in red team assessments but also in real-world attacks delivering coin miners. The stems from a failure to validate incoming payloads in React Server Components, enabling attackers to inject malicious structures leading to prototype pollution and . Post-exploitation activities include running reverse shells, achieving persistence, evading security defenses, and attempting lateral movement to cloud resources.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (6)

CVE-2021-27065 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published
03/11/2021
Modified
20/12/2025
CVE-2025-55182 KEV
10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector
Network
Published
05/12/2025
Modified
29/05/2026
Analyzed
CVE-2021-26858 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published
03/11/2021
Modified
21/12/2025
CVE-2021-26855 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published
03/11/2021
Modified
20/12/2025
CVE-2021-26857 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published
03/11/2021
Modified
21/12/2025
CVE-2025-66478

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published
20/12/2025
Modified
21/12/2025
Rejected

Observables (50)

  • 46.36.37.85
  • 92.246.87.48
  • 194.69.203.32
  • http://194.69.203.32:81/hiddenbink/colonna.arc
  • http://194.69.203.32:81/hiddenbink/react.sh
  • https://overcome-pmc-conferencing-books.trycloudflare.com/p.png
  • http://krebsec.anondns.net:2316/dong
  • http://xpertclient.net:3000/sex.sh
  • http://donaldjtrmp.anondns.net:1488/labubu
  • http://anywherehost.site/xms/kill2.sh
  • https://ghostbin.axel.org/paste/evwgo/raw
  • http://196.251.100.191/no_killer/Exodus.x86
  • http://194.69.203.32:81/hiddenbink/colonna.i686
  • http://superminecraft.net.br:3000/sex.sh
  • http://196.251.100.191/no_killer/Exodus.arm4
  • http://196.251.100.191/no_killer/Exodus.x86_64
  • http://labubu.anondns.net:1488/dong
  • http://anywherehost.site/xms/k1.sh
  • 69f2789a539fc2867570f3bbb71102373a94c7153239599478af84b9c81f2a03
  • f0d3d5668a4df347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf
  • 0aad73947fb1876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a
  • 7909046e5e0fd60461b721c0ef7cfe5899f76672e4970d629bb51bb904a05398
  • b33d468641a0d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8
  • 59630d8f3b4db5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc8700
  • 717c849a1331b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d2
  • c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c
  • d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d
  • 7e0a0c48ee0f65c72a252335f6dcd435dbd448fc0414b295f635372e1c5a9171
  • c6c7e7dd85c0578dd7cb24b012a665a9d5210cce8ff735635a45605c3af1f6ad
  • 244bf271d2e55cd737980322de37c2c2792154b4cf4e4893e9908c2819026e5f
  • 9dde35ba8e132ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083
  • 9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331
  • 82335954bec84cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0d
  • f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b
  • 661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1
  • d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f
  • 317e10c4068b661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e
  • f0b66629fe8ad71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b
  • 4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d
  • 68de36f14a7c9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df
  • b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8
  • b568582240509227ff7e79b6dc73c933dcc3fae674e9244441066928b1ea0560
  • f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7
  • 876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13
  • 7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5
  • d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a
  • 240afa3a6457f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b
  • 8e07beb854f77e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f
  • 2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457
  • b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f

Techniques (MITRE) (19)

  • T1078
    Valid Accounts
  • T1069
    Permission Groups Discovery
  • T1055
    Process Injection
  • T1053
    Scheduled Task/Job
  • T1562
    Impair Defenses
  • T1016
    System Network Configuration Discovery
  • T1505.003
    Web Shell
  • T1027
    Obfuscated Files or Information
  • T1190
    Exploit Public-Facing Application
  • T1105
    Ingress Tool Transfer
  • T1059
    Command and Scripting Interpreter
  • T1539
    Steal Web Session Cookie
  • T1087
    Account Discovery
  • T1033
    System Owner/User Discovery
  • T1021
    Remote Services
  • T1552
    Unsecured Credentials
  • T1218
    System Binary Proxy Execution
  • T1580
    T1580
  • T1082
    System Information Discovery

Malware (6)

  • SNOWLIGHT
    Family
    Published 05/05/2026 14:07 · Modified 05/05/2026 14:07
  • ShadowPad - S0596
    Family
    Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
  • POISONPLUG.SHADOW
    Family
    Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
  • EtherRAT
    Family
    Published 16/06/2026 14:27 · Modified 16/06/2026 14:27
  • VSHELL
    Family
    Published 05/05/2026 14:07 · Modified 05/05/2026 14:07
  • XMRig
    Family
    Published 28/05/2026 10:56 · Modified 28/05/2026 10:56

Others (9)

  • superminecraft.net.br
  • anywherehost.site
  • labubu.anondns.net
  • overcome-pmc-conferencing-books.trycloudflare.com
  • xpertclient.net
  • ghostbin.axel.org
  • vps-zap812595-1.zap-srv.com
  • donaldjtrmp.anondns.net
  • krebsec.anondns.net

External references