React2Shell flaw (CVE-2025-55182) exploited for remote code execution
Essential information
- Published: 12/12/2025 10:09
- Modified: 21/12/2025 19:01
- Tags: 2025-12-12, CVE-2025-55182, deserialization, etherrat, linux loaders, obfuscated javascript, persistence, react2shell, remote code execution, snowlight, state-sponsored attacks, vshell
- Related entities: 1 vulnerability (CVE), 3 observables, 9 techniques (MITRE), 3 malware
Description
A critical vulnerability called 'React2Shell' (CVE-2025-55182) affecting React Server Components has been widely exploited. The flaw allows remote code execution through unsafe handling of incoming data during deserialization. Over 165,000 vulnerable IP addresses have been identified. Post-exploitation activities include deploying Linux loaders, establishing persistence, installing obfuscated JavaScript, and using cloud infrastructure for command and control. Both Chinese and North Korean state-sponsored groups are suspected to be involved in the attacks. The vulnerability's exploitation is expected to expand to opportunistic cybercriminals. Organizations are advised to prioritize patching the affected React infrastructure.