The maximum-severity React Server Components and Next.js vulnerability React2Shell, tracked as CVE-2025-55182, has been leveraged by the RondoDox botnet as part of an attack campaign that has been underway since March, reports The Hacker News. After conducting initial reconnaissance, sweeping web app and internet of things device vulnerability scans, and widespread automated deployment between March and early December, RondoDox has proceeded to harness React2Shell as an initial access vector on targeted Next.js servers, which were then compromised with the '/nuts/poop' cryptominer and the '/nuts/bolts' botnet loader, as well as the Mirai botnet variant '/nuts/x86', according to a CloudSEK analysis. Additional findings showed that the botnet loader terminates other cryptominers and malware before retrieving the primary bot binary, staving off potential reinfection by different threat actors. With nearly 68,400 instances still vulnerable to React2Shell by the end of 2025, organizations have been advised to not only promptly implement updates but also ensure network segmentation and deploy Web Application Firewalls.
Vulnerability Management, Threat Intelligence, Patch/Configuration Management
React2Shell weaponized by RondoDox botnet




