
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has asked federal agencies to patch the recently disclosed React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation.
The critical vulnerability is tracked as CVE-2025-55182 (CVSS score: 10.0) and affects the React Server Components (RSC) Flight protocol. Its root cause is insecure deserialization, which allows an attacker to inject malicious logic that the server then executes in a privileged context. Other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK, are also affected.
“A single specially crafted HTTP request is sufficient; no authentication requirements, user interaction, or elevated privileges are required,” says Cloudforce One, Cloudflare’s threat intelligence team. “A successful exploit could allow the attacker to execute arbitrary privileged JavaScript on the affected server.”
Since its disclosure on December 3, 2025, the flaw has been exploited by multiple threat actors in campaigns ranging from reconnaissance to the distribution of various malware families.

Following this development, CISA last Friday added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and gave federal agencies until December 26 to apply a fix. The deadline was later moved up to December 12, 2025, to reflect the seriousness of the situation.
Cloud security firm Wiz said it has observed a “rapid wave of opportunistic exploitation” of the flaw, with the majority of attacks targeting internet-facing Next.js applications and other containerized workloads running on Kubernetes and managed cloud services.
Cloudflare, which is also tracking the ongoing exploitation activity, said the attackers used Internet-wide scans and asset discovery platforms to find exposed systems running React and Next.js applications. Notably, some reconnaissance operations excluded Chinese IP address space from their searches.
“Their highest-density investigations were conducted against networks in Taiwan, Xinjiang, Vietnam, Japan, and New Zealand. These regions are frequently associated with geopolitical intelligence gathering priorities,” the web infrastructure company said.
The observed activity is also said to target government (.gov) websites, academic research institutions, and critical infrastructure operators, although to a more limited extent. This included national authorities responsible for the import and export of uranium, rare metals, and nuclear fuel.

Some of the other notable findings are listed below:
- Prioritized targeting of sensitive technologies such as enterprise password managers and secure vault services, with the aim of conducting supply chain attacks
- Targeting of edge-facing SSL VPN appliances that may have React-based components built into their management interfaces
- Initial scanning and exploitation attempts originating from IP addresses previously associated with Asia-related threat clusters
In an analysis of its own honeypot data, Kaspersky said it recorded more than 35,000 exploitation attempts in a single day on December 10, 2025. Attackers first probed the system by running commands such as whoami, then dropped cryptocurrency miners and botnet malware families such as Mirai/Gafgyt variants and RondoDox.
Security researcher Rakesh Krishnan also discovered an open directory hosted at 154.61.77[.]105:8082 that contains a proof-of-concept (PoC) exploit script for CVE-2025-55182 and two other files:
- domains.txt, a list of 35,423 domains
- next_target.txt, a list of 596 URLs, including those of companies such as Dia Browser, Starbucks, Porsche, and Lululemon

An unknown attacker is believed to be actively scanning the Internet for the targets listed in the second file, and to have compromised hundreds of sites in the process.
According to the latest data from The Shadowserver Foundation, as of December 11, 2025, more than 137,200 internet-exposed IP addresses were running vulnerable code. Of these, more than 88,900 instances are located in the United States, followed by Germany (10,900), France (5,500), and India (3,600).
