React2Shell fallout spreads to sensitive targets as public exploits hit all-time high

Attacker interest in the vulnerability is magnified by an unparalleled number of publicly available exploits, earning the defect the highest verified public exploit count of any CVE ever.
Binary code depicted in waves. (iStock/Getty Images)

Fallout from React2Shell — a stubborn vulnerability that impacts wide swaths of the internet’s scaffolding — continues to spread as public exploits and stealth backdoors proliferate and worrying details emerge about the targets attackers are pursuing. 

Threat researchers and incident responders are reacting to swift-moving developments on React2Shell with mounting concern. Cybercriminals, ransomware gangs and nation-state threat groups are all swarming to exploit the maximum-severity vulnerability.

Palo Alto Networks’ Unit 42 puts the latest victim count at more than 60 organizations impacted by attacks involving exploitation of CVE-2025-55182, which Meta and the React team publicly disclosed Dec. 3.

Microsoft said it found “several hundred machines across a diverse set of organizations” that were compromised via exploitation resulting in remote-code execution. Post-exploitation activity in those attacks includes reverse shell implants, lateral movement, data theft and steps that allowed attackers to maintain access to targeted networks, Microsoft said in a research blog Tuesday. 

The full scope of attacker interest in the vulnerability is magnified by an unparalleled number of publicly available exploits — underscoring the relative ease and myriad ways unauthenticated attackers can trigger the defect to elevate privileges and pivot into other parts of targeted networks. 

VulnCheck confirmed about 180 valid public exploits for React2Shell as of Monday with dozens more still under review. “React2Shell CVE-2025-55182 now has the highest verified public exploit count of any CVE,” Caitlin Condon, vice president of research at VulnCheck, told CyberScoop.

Ongoing clean-up efforts for React2Shell also led to the discovery of three new defects affecting React Server Components last week, including CVE-2025-55183 and CVE-2025-67779, which fixes an apparent bypass for CVE-2025-55184, she said. 

“The worst-case scenario on many defenders’ minds presently is that a true patch bypass for CVE-2025-55182 might arise. So far, this hasn’t come to pass,” Condon added. 

Researchers continue to urge organizations to apply the patch for CVE-2025-55182, but note that the additional CVEs are not addressed in some early versions of the patch. And, of course, patching won’t evict attackers that already gained access to systems. 

Attacks of different origins and motivations continue to spread globally. 

Google Threat Intelligence said it has observed financially motivated attackers and at least five Chinese espionage threat groups exploiting the defect across multiple regions and industries. GTIG said it also identified attacks attributed to Iran, but it did not provide more information. 

Amazon previously said its threat intelligence teams observed active exploitation attempts by Earth Lamia and Jackpot Panda within hours of the vulnerability’s public disclosure.

Cybersecurity firm S-RM said it responded to a ransomware attack Dec. 5 that involved React2Shell exploitation as an initial access vector. Attackers executed Weaxor ransomware within a minute of gaining access to the victim’s network, the company said in a blog post Tuesday.

Evidence of spiking malicious activity, including exploitation attempts, is showing up across the threat intelligence landscape. 

Cloudflare said multiple Asia-based threat groups have been meticulous in targeting networks in Taiwan, the autonomous region of Xinjiang Uygur, Vietnam, Japan and New Zealand, yet other selective targets were observed, including U.S. government websites, academic research institutions and critical infrastructure operators. 

“These infrastructure operators specifically included a national authority responsible for the import and export of uranium, rare metals and nuclear fuel,” Cloudflare’s threat intelligence team wrote in a blog post.

Several U.S.-based state and federal government agencies have been targeted, but there’s no confirmed exploitation, Blake Darché, head of threat intelligence at Cloudflare, told CyberScoop. The Cybersecurity and Infrastructure Security Agency declined to comment on attempted attacks against government agencies. 

“Victimology has now evolved to be universal, with critical infrastructure targets just a small slice of all organizations and industries under attack,” Darché added.

While successful compromises are outside of GreyNoise’s visibility, malicious activity spotted by its sensors is continuing to pop off, according to Andrew Morris, the company’s founder and chief architect.

“Exploitation is still very high with the number of cumulative networks exploiting this vulnerability reaching all-time highs almost every single day since disclosure,” he wrote in a LinkedIn post Tuesday. 

React2Shell has prompted widespread alarm in the two weeks since the vulnerability was first disclosed in the widely used application framework, and researchers expect the defect to have long-lasting impacts.

Austin Larsen, principal analyst at GTIG, said the critical vulnerability will likely be one of the more consequential defects it observed under active exploitation this year.

A debate that initially ensued in some industry circles over the seriousness and viable impact of the defect has effectively ended. 

“Exploitation timelines are shrinking from weeks to hours,” Dan Perez, technology lead at GTIG, told CyberScoop. “Every new vulnerability presents a race against time. Every minute that a system remains unpatched is a minute that a threat actor can use that to their advantage, which gives organizations a razor-thin margin for error.”
