Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
Google Threat Intelligence Group
Written by: Aragorn Tseng, Robert Weiner, Casey Charrier, Zander Work, Genevieve Stark, Austin Larsen

Introduction

On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed. Shortly after disclosure, Google Threat Intelligence Group (GTIG) began observing widespread exploitation across many threat clusters, ranging from opportunistic cybercrime actors to suspected espionage groups. GTIG has identified distinct campaigns leveraging this vulnerability to deploy the MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners; some of this activity overlaps with activity previously reported by Huntress. These observed campaigns highlight the risk posed to organizations using unpatched versions of React and Next.js.
Article Summaries:
- Google Threat Intelligence Group (GTIG) reports that the critical unauthenticated remote-code-execution flaw CVE-2025-55182 (dubbed "React2Shell") has been widely exploited since its public disclosure on Dec. 3, 2025. The vulnerability, affecting React Server Components in popular frameworks such as Next.js, allows attackers to send a single HTTP request that runs arbitrary code with the web server's privileges. GTIG has identified multiple campaigns using the flaw to drop backdoors (MINOCAT, SNOWLIGHT, HISONIC, COMPOOD), deploy XMRIG miners, and establish tunneling. The attacks span opportunistic cybercrime groups to suspected espionage actors, underscoring the urgent need for patching and monitoring.