216.73.217.22

Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)

· Published 13/12/2025 10:37 · Modified 21/12/2025 19:03

Export JSON

Essential information

Published
13/12/2025 10:37
Modified
21/12/2025 19:03
Tags
2025-12-13 CVE-2025-55182 react2shell remote code execution
Related entities
5 vulnerabilities (cve), 7 observables, 17 techniques (mitre), 6 malware, 9 others

Description

A critical vulnerability in React Server Components, , has been widely exploited by various threat actors. China-nexus espionage groups and financially motivated actors have been observed leveraging this vulnerability to deploy malware such as MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, COMPOOD backdoor, and XMRIG cryptocurrency miners. The vulnerability affects multiple versions of React packages and has a CVSS score of 10.0. Exploitation chains include the use of bash scripts, cURL, and wget to download and execute payloads. Affected organizations are advised to patch immediately, deploy WAF rules, audit dependencies, monitor network traffic, and hunt for indicators of compromise.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (5)

CVE-2025-55184
7.5 High

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the …

Attack vector
NETWORK
Published
11/12/2025
Modified
21/12/2025
Modified
CVE-2025-55183
5.3 Medium

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including …

Attack vector
NETWORK
Published
11/12/2025
Modified
21/12/2025
Analyzed
CVE-2025-67779
7.5 High

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service …

Published
12/12/2025
Modified
12/12/2025
Modified
CVE-2025-55182 KEV
10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector
Network
Published
05/12/2025
Modified
29/05/2026
Analyzed
CVE-2025-66478

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published
20/12/2025
Modified
21/12/2025
Rejected

Observables (7)

  • 13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274
  • 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a
  • 92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3
  • df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540
  • 0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce
  • 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273
  • 0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696

Techniques (MITRE) (17)

Malware (6)

  • COMPOOD
    Family
    Published 28/01/2026 13:31 · Modified 28/01/2026 13:31
  • SNOWLIGHT
    Family
    Published 05/05/2026 14:07 · Modified 05/05/2026 14:07
  • ANGRYREBEL.LINUX
    Family
    Published 13/12/2025 10:37 · Modified 13/12/2025 10:37
  • HISONIC
    Family
    Published 13/02/2026 09:23 · Modified 13/02/2026 09:23
  • MINOCAT
    Family
    Published 13/12/2025 10:37 · Modified 13/12/2025 10:37
  • XMRig
    Family
    Published 28/05/2026 10:56 · Modified 28/05/2026 10:56

Others (9)

  • Taiwan
  • China
  • Finance
  • Government and administrations
  • Technologies
  • reactcdn.windowserrorapis.com
  • G_Hunting_Downloader_SNOWLIGHT_1
  • G_Backdoor_COMPOOD_1
  • G_APT_Tunneler_MINOCAT_1

External references