
React2Shell lands on CISA’s KEV list: patch right away!

Following reports of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) on Dec. 5 put the React2Shell bug in its Known Exploited Vulnerabilities (KEV) catalog.

As the industry hit December's Patch Tuesday today, security pros said teams must patch right away, given that the bug affecting React Server Components (RSC) – CVE-2025-55182 – carries a 10.0 CVSS score and was exploited by multiple Chinese state-sponsored threat groups, including Earth Lamia and Jackpot Panda.

React2Shell took the security world by storm last week: on Dec. 4, AWS researchers reported that the bug was being actively exploited within hours of its public disclosure the day before, Dec. 3.

Cloudflare determined that React2Shell was so dangerous that it sustained a short 25-minute outage while adding protections for the bug.

“Unlike many bugs that require luck or specific conditions to work, this exploit works 100% of the time against a vulnerable server,” said Ted Miracco, chief executive officer at Approov. “React2Shell is the perfect storm for enterprise security because of a fileless exploit that works deterministically and has already been weaponized by state actors in China.”

Miracco added that organizations must understand that if their backend API remains vulnerable, their mobile applications are effectively compromised, even if the client-side code is secure. Attackers are now using “in-memory” web shells, which Miracco said means they can take control of a server without writing files to disk, bypassing standard antivirus and file-integrity monitoring tools.

“The flaw has a CVSS score of 10.0,” pointed out Miracco. “It requires no authentication and no complexity!”

Jason Soroko, a senior fellow at Sectigo, explained that developers adopted RSC to make interfaces feel faster and reduce server costs. However, Soroko said in practice they turned a familiar UI library into a remote procedure engine that now sits directly on the network edge. A vulnerability in that engine gives attackers unauthenticated code execution with nothing more than a crafted HTTP request, said Soroko.

“The industry continues to reinvent serialization protocols that blend untrusted data with implicit execution, from classic Java deserialization bugs to today’s React Flight payloads,” said Soroko. “Each new abstraction pushes the dangerous parts further from the average product team’s mental model. Now, those teams must hunt through complex cloud estates where React server features may be buried inside microservices, serverless functions, or vendor appliances, while attackers only need to locate one forgotten instance among the many environments shown to be vulnerable in recent scans.”

The real lesson here, according to Soroko: any new magic transport that lets servers call code on behalf of users should get treated as core infrastructure and subjected to the same threat modeling discipline as a database wire protocol or RPC framework, well before it becomes the default in production.
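Soroko's point about hunting for forgotten RSC instances starts with inventory. The following is an added example, not code from the article or from the React project: it walks a `package-lock.json` (lockfileVersion 2/3 `packages` map) and reports every copy of the `react-server-dom-*` packages, which is where the Flight wire format is implemented server-side, so each can be compared against the fixed releases in the vendor advisory. The `FIXED_RELEASES` values and the sample lockfile are labelled placeholders, not figures from the article.

```python
import json

# Packages implementing the React Flight (RSC) wire format on the server side.
FLIGHT_PACKAGES = ("react-server-dom-webpack", "react-server-dom-parcel",
                   "react-server-dom-turbopack")
# PLACEHOLDER values: replace with the fixed releases named in the vendor advisory.
FIXED_RELEASES = ("19.0.1", "19.1.2", "19.2.1")

def parse_version(v):
    """'19.2.0-canary-abc' -> (19, 2, 0); the prerelease tag is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def find_flight_packages(lock):
    """Return {install path: (name, version)} for every Flight package in a
    lockfile dict, including nested copies hoisted under another package's
    own node_modules directory (a common place for a forgotten instance)."""
    hits = {}
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in FLIGHT_PACKAGES and "version" in meta:
            hits[path] = (name, meta["version"])
    return hits

def needs_patch(version, fixed=FIXED_RELEASES):
    """True unless version is at or above the fixed release of its own
    major.minor line; lines with no listed fix are flagged for manual review."""
    v = parse_version(version)
    for f in fixed:
        fv = parse_version(f)
        if fv[:2] == v[:2]:
            return v < fv
    return True

def audit(lock_text):
    """Parse lockfile JSON and return sorted [(path, name, version)] needing action."""
    lock = json.loads(lock_text)
    return sorted((p, n, v) for p, (n, v) in find_flight_packages(lock).items()
                  if needs_patch(v))

# Constructed sample lockfile (not from any real project): one direct copy, one
# nested under a framework, one unaffected package, and one unpatched prerelease.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "example-app"},
    "node_modules/react": {"version": "19.2.1"},
    "node_modules/react-server-dom-webpack": {"version": "19.0.0"},
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
    "node_modules/react-server-dom-parcel": {"version": "18.3.0-canary-1234"}}})

if __name__ == "__main__":
    for path, name, version in audit(SAMPLE_LOCK):
        print(f"{path}: {name}@{version} needs patch or review")
```

Run it against each service's lockfile in turn; anything reported should be patched or, for lines with no listed fix, escalated for review.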

Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, said security teams should treat the React2Shell case as a “patch-now” situation because exploitation has happened simultaneously across the entire threat landscape. Beek said his team’s telemetry shows a surge in attacks, from low-skill opportunistic abuse, like Mirai bot deployments and coin-miners, to nation-state actors adapting this into their attack stack.

“We’re also seeing indicators linking this vulnerability exploitation to tooling previously used by ransomware groups,” said Beek. “Detection for this vulnerability is challenging, because attackers can change the structure and encoding of the exploit in many ways. There’s no single, reliable signature to look for, and some variants don’t leave any files or obvious traces on the system at all. That’s why defenders shouldn’t rely on detection rules alone. The most effective and immediate protection is to patch. It’s the only way to close off the entire exploitation path.”
