Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)

    Date: 12/15/2025

    Severity: Medium

    Summary

    On December 3, 2025, a critical unauthenticated RCE vulnerability in React Server Components, tracked as CVE-2025-55182 (“React2Shell”), was publicly disclosed. Shortly thereafter, the team observed widespread exploitation by diverse threat actors, from cybercriminals to suspected espionage groups. Multiple campaigns were identified abusing the flaw to deploy tools including MINOCAT backdoor, SNOWLIGHT backdoor, HISONIC backdoor, COMPOOD backdoor, and XMRIG miners. Some activity overlaps with campaigns previously reported by Huntress. These attacks highlight the serious risk to organizations running unpatched React and Next.js versions. This post details the exploitation chains, post-compromise behavior, and guidance for detection and remediation.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    reactcdn.windowserrorapis.com

    IP Addresses:

    82.163.22.139
    216.158.232.43
    45.76.155.14

    Hashes (SHA-256):

    df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540
    92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3
    0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696
    13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274
    7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a
    776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (IOC domain in DNS, proxy or web logs):

    domainname like "reactcdn.windowserrorapis.com" or url like "reactcdn.windowserrorapis.com" or siteurl like "reactcdn.windowserrorapis.com"

    Detection Query 2 (IOC IP address as source or destination):

    dstipaddress IN ("45.76.155.14","82.163.22.139","216.158.232.43") or srcipaddress IN ("45.76.155.14","82.163.22.139","216.158.232.43")

    Detection Query 3 (IOC file hash, SHA-256):

    sha256hash IN ("92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3","0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696","13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274","df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540","7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a","776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273")
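    The three TDIR queries above re-implemented as plain Python over log records, as an added example that is not Gurucul's TDIR engine or any code from the referenced Google report. It runs the domain, IP and hash checks over a handful of constructed sample records (the hostile-looking values are the page's own IOCs; the 10.0.0.0/8, 192.0.2.0/24 and 198.51.100.0/24 addresses and example.com host are placeholders) and shows two normalisation points that a naive copy of the queries misses: the domain should match inside a full URL and regardless of letter case, and SHA-256 values should compare case-insensitively because some tooling emits them in upper case. Field names follow the queries on the page; treating `like` as a substring match is an assumption, since the page's queries give no wildcards.

```python
"""IOC matcher for the React2Shell (CVE-2025-55182) indicators listed above.

Added example: re-implements Detection Queries 1-3 as Python functions over
dict-shaped log records. Field names (domainname, url, siteurl, dstipaddress,
srcipaddress, sha256hash) are taken from the queries on the page; the sample
log records at the bottom are constructed for illustration.
"""
from __future__ import annotations

# IOC values copied from the advisory's IOC list.
IOC_DOMAINS = {"reactcdn.windowserrorapis.com"}
IOC_IPS = {"45.76.155.14", "82.163.22.139", "216.158.232.43"}
IOC_SHA256 = {
    "df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540",
    "92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3",
    "0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696",
    "13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274",
    "7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a",
    "776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273",
}


def match_domain(rec: dict) -> bool:
    """Detection Query 1: domainname, url or siteurl carries the IOC domain.

    Assumption: `like` is treated as a case-insensitive substring test so the
    domain is also caught when it appears inside a full URL.
    """
    for field in ("domainname", "url", "siteurl"):
        value = (rec.get(field) or "").lower()
        if any(domain in value for domain in IOC_DOMAINS):
            return True
    return False


def match_ip(rec: dict) -> bool:
    """Detection Query 2: source or destination address is an IOC IP."""
    return any(rec.get(field) in IOC_IPS for field in ("dstipaddress", "srcipaddress"))


def match_hash(rec: dict) -> bool:
    """Detection Query 3: SHA-256 matches an IOC hash, ignoring letter case."""
    digest = (rec.get("sha256hash") or "").strip().lower()
    return digest in IOC_SHA256


def classify(rec: dict) -> list[str]:
    """Return the labels of every query the record triggers (empty if benign)."""
    hits = []
    if match_domain(rec):
        hits.append("Q1_domain")
    if match_ip(rec):
        hits.append("Q2_ip")
    if match_hash(rec):
        hits.append("Q3_hash")
    return hits


def scan(records: list[dict]) -> list[tuple[int, list[str]]]:
    """Run all three queries over a record list; return (index, hits) per alert."""
    results = []
    for index, rec in enumerate(records):
        hits = classify(rec)
        if hits:
            results.append((index, hits))
    return results


# Constructed sample records: the first four should alert, the last two should not.
SAMPLE_LOGS = [
    {"event": "dns", "domainname": "reactcdn.windowserrorapis.com", "srcipaddress": "10.0.0.5"},
    {"event": "proxy", "url": "https://REACTCDN.windowserrorapis.com/loader.js", "srcipaddress": "10.0.0.5"},
    {"event": "netflow", "srcipaddress": "10.0.0.5", "dstipaddress": "45.76.155.14"},
    {"event": "file", "sha256hash": "df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540".upper()},
    {"event": "dns", "domainname": "updates.example.com", "srcipaddress": "10.0.0.6"},
    {"event": "netflow", "srcipaddress": "192.0.2.10", "dstipaddress": "198.51.100.20"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS):
        print(f"record {index}: {SAMPLE_LOGS[index]['event']} -> {', '.join(hits)}")
```

    Exact-match IP and hash lookups are cheap and safe to run broadly; the substring domain check is the one to watch for false positives if the IOC list ever grows to include short or generic hostnames.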

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182

    Tags: Malware, Vulnerability, Exploit, React2Shell, CVE-2025, Backdoor
