Attacks exploiting the maximum severity React2Shell vulnerability in React Server Components, tracked as CVE-2025-55182, have enabled the deployment of several newly emergent malware payloads and cryptocurrency miners, according to The Hacker News.Aside from launching the 'sex.sh' bash script allowing XMRig 6.24.0 retrieval from GitHub and the PeerBlight Linux backdoor that ensures persistence, React2Shell abuse has also permitted the spread of the CowTunnel reverse proxy, the ZinFoq Linux ELF binary, and the 'd5.sh' dropper script delivering the Sliver C2 framework, as well as the d5.sh variant 'fn22.sh' and the Kaiji distributed denial-of-service malware variant 'wocaosinm.sh', Huntress researchers reported."Based on the consistent pattern observed across multiple endpoints, including identical vulnerability probes, shell code tests, and C2 infrastructure, we assess that the threat actor is likely leveraging automated exploitation tooling," said researchers.Such findings come as over 165,000 IP addresses and 644,000 domains, most of which are in the U.S., were discovered by The Shadowserver Foundation to be vulnerable to React2Shell. Meanwhile, over 50 organizations across several industries were noted by Palo Alto Networks Unit 42 to have already been compromised in React2Shell intrusions.
Vulnerability Management, Patch/Configuration Management, Threat Intelligence, Malware
Multiple payloads spread in React2Shell attacks

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



