Exploitation of Critical Vulnerability in React Server Components

    Date: 12/09/2025

    Severity: High

    Summary

    A critical React Server Components vulnerability, CVE-2025-55182, allows unauthenticated remote code execution and has already been exploited in the wild. Attackers have conducted automated scanning, reconnaissance, and credential theft, and have deployed malicious scripts, droppers, and reverse shells; some of this activity is linked to a PRC-associated access broker. With nearly a million exposed React and Next.js instances, the risk is severe, prompting urgent patching and the use of layered defensive controls to mitigate post-exploitation threats.

    Indicators of Compromise (IOC) List

    URLs/Domains

    IP Address

    Hash

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "reactcdn.windowserrorapis.com" or siteurl like "reactcdn.windowserrorapis.com" or url like "reactcdn.windowserrorapis.com" or domainname like "res.qiqigece.top" or siteurl like "res.qiqigece.top" or url like "res.qiqigece.top" or domainname like "http://res.qiqigece.top/nginx1" or siteurl like "http://res.qiqigece.top/nginx1" or url like "http://res.qiqigece.top/nginx1" or domainname like "http://45.32.158.54/5e51aff54626ef7f/x86_64" or siteurl like "http://45.32.158.54/5e51aff54626ef7f/x86_64" or url like "http://45.32.158.54/5e51aff54626ef7f/x86_64" or domainname like "http://46.36.37.85:12000/sex.sh" or siteurl like "http://46.36.37.85:12000/sex.sh" or url like "http://46.36.37.85:12000/sex.sh" or domainname like "http://115.42.60.223:61236/slt" or siteurl like "http://115.42.60.223:61236/slt" or url like "http://115.42.60.223:61236/slt" or domainname like "http://156.234.209.103:20912/get.sh" or siteurl like "http://156.234.209.103:20912/get.sh" or url like "http://156.234.209.103:20912/get.sh" or domainname like "http://156.234.209.103:20913/get.sh" or siteurl like "http://156.234.209.103:20913/get.sh" or url like "http://156.234.209.103:20913/get.sh" or domainname like "http://45.32.158.54/5e51aff54626ef7f/x86_64" or siteurl like "http://45.32.158.54/5e51aff54626ef7f/x86_64" or url like "http://45.32.158.54/5e51aff54626ef7f/x86_64" or domainname like "http://95.169.180.135:8443/pamssod" or siteurl like "http://95.169.180.135:8443/pamssod" or url like "http://95.169.180.135:8443/pamssod" or domainname like "http://146.88.129.138:5511/443nb64" or siteurl like "http://146.88.129.138:5511/443nb64" or url like "http://146.88.129.138:5511/443nb64" or domainname like "https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh" or siteurl like "https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh" or url like "https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh" or 
    domainname like "https://sup001.oss-cn-hongkong.aliyuncs.com/123/python1.sh" or siteurl like "https://sup001.oss-cn-hongkong.aliyuncs.com/123/python1.sh" or url like "https://sup001.oss-cn-hongkong.aliyuncs.com/123/python1.sh"

    Detection Query 2:

    dstipaddress IN ("95.169.180.135","45.32.158.54","156.234.209.103","140.99.223.178","115.42.60.223","38.162.112.141","45.134.174.235","46.36.37.85","47.84.79.46") or srcipaddress IN ("95.169.180.135","45.32.158.54","156.234.209.103","140.99.223.178","115.42.60.223","38.162.112.141","45.134.174.235","46.36.37.85","47.84.79.46")

    Detection Query 3:

    sha256hash IN ("a455731133c00fdd2a141bdfba4def34ae58195126f762cdf951056b0ef161d4","4a759cbc219bcb3a1f8380a959307b39873fb36a9afd0d57ba0736ad7a02763b","62e9a01307bcf85cdaeecafd6efb5be72a622c43a10f06d6d6d3b566b072228d","33641bfbbdd5a9cd2320c61f65fe446a2226d8a48e3bd3c29e8f916f0592575f","55ae00bc8482afd085fd128965b108cca4adb5a3a8a0ee2957d76f33edd5a864","1663d98c259001f1b03f82d0c5bee7cfd3c7623ccb83759c994f9ab845939665","18c68a982f91f665effe769f663c51cb0567ea2bfc7fab6a1a40d4fe50fc382b","1a3e7b4ee2b2858dbac2d73dd1c52b1ea1d69c6ebb24cc434d1e15e43325b74e","1cdd9b0434eb5b06173c7516f99a832dc4614ac10dda171c8eed3272a5e63d20","1e31dc074a4ea7f400cb969ea80e8855b5e7486660aab415da17591bc284ac5b","2b0dc27f035ba1417990a21dafb361e083e4ed94a75a1c49dc45690ecf463de4","2ca913556efd6c45109fd8358edb18d22a10fb6a36c1ab7b2df7594cd5b0adbc","4ff096fbea443778fec6f960bf2b9c84da121e6d63e189aebaaa6397d9aac948","7d25a97be42b357adcc6d7f56ab01111378a3190134aa788b1f04336eb924b53","7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a","9c931f7f7d511108263b0a75f7b9fcbbf9fd67ebcc7cd2e5dcd1266b75053624","ac2182dfbf56d58b4d63cde3ad6e7a52fed54e52959e4c82d6fc999f20f8d693","ac7027f30514d0c00d9e8b379b5ad8150c9827c827dc7ee54d906fc2585b6bf6","b38ec4c803a2d84277d9c598bfa5434fb8561ddad0ec38da6f9b8ece8104d787","bc31561c44a36e1305692d0af673bc5406f4a5bb2c3f2ffdb613c09b4e80fa9f","bf602b11d99e815e26c88a3a47eb63997d43db8b8c60db06d6fbddf386fd8c4a","d704541cde64a3eef5c4f80d0d7f96dc96bae8083804c930111024b274557b16","d9313f949af339ed9fafb12374600e66b870961eeb9b2b0d4a3172fd1aa34ed0","e2d7c8491436411474cef5d3b51116ddecfee68bab1e15081752a54772559879","ebdb85704b2e7ced3673b12c6f3687bc0177a7b1b3caef110213cc93a75da837","f88ce150345787dd1bcfbc301350033404e32273c9a140f22da80810e3a3f6ea","fc9e53675e315edeea2292069c3fbc91337c972c936ca0f535da01760814b125")

    Reference:    

    https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/

