Headline
React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors
The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security. “KSwapDoor is a professionally engineered remote access tool designed with stealth in mind,” Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said in a
The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security.
“KSwapDoor is a professionally engineered remote access tool designed with stealth in mind,” Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said in a statement.
“It builds an internal mesh network, allowing compromised servers to talk to each other and evade security blocks. It uses military-grade encryption to hide its communications and, most alarmingly, features a ‘sleeper’ mode that lets attackers bypass firewalls by waking the malware up with a secret, invisible signal.”
The cybersecurity company noted that it was previously mistakenly classified as BPFDoor, adding that the Linux backdoor offers interactive shell, command execution, file operations and lateral movement scanning capabilities. It also impersonates a legitimate Linux kernel swap daemon to evade detection.
In a related development, NTT Security said organizations in Japan are being targeted by cyber attacks exploiting React2Shell to deploy ZnDoor, a malware that’s been assessed to be detected in the wild since December 2023. The attack chains involve running a bash command to fetch the payload from a remote server (45.76.155[.]14) using wget and executing it.
A remote access trojan, it contacts the same threat actor-controlled infrastructure to receive commands and execute them on the host. Some of the supported commands are listed below -
- shell, to execute a command
- interactive_shell, to launch an interactive shell
- explorer, to get a list of directories
- explorer_cat, to read and display a file
- explorer_delete, to delete a file
- explorer_upload, to download a file from the server
- explorer_download, to send files to the server
- system, to gather system information
- change_timefile, to change the timestamp of a file
- socket_quick_startstreams, to start a SOCKS5 proxy
- start_in_port_forward, to start port forwarding
- stop_in_port, to stop port forwarding
The disclosure comes as the vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), has been exploited by multiple threat actors, Google identifying at least five China-nexus groups that have weaponized to deliver an array of payloads -
- UNC6600 to deliver a tunneling utility named MINOCAT
- UNC6586 to deliver a downloader named SNOWLIGHT
- UNC6588 to deliver a backdoor named COMPOOD
- UNC6603 to deliver an updated version of a Go backdoor named HISONIC that uses Cloudflare Pages and GitLab to retrieve encrypted configuration and blend in with legitimate network activity
- UNC6595 to deliver a Linux version of ANGRYREBEL (aka Noodle RAT)
Microsoft, in its own advisory for CVE-2025-55182, said threat actors have taken advantage of the flaw to run arbitrary commands for post-exploitation, including setting up reverse shells to known Cobalt Strike servers, and then dropping remote monitoring and management (RMM) tools such as MeshAgent, modifying the authorized_keys file, and enabling root login.
Some of the payloads delivered in these attacks include VShell, EtherRAT, SNOWLIGHT, ShadowPad, and XMRig. The attacks are also characterized by the use of Cloudflare Tunnel endpoints (“*.trycloudflare.com”) to evade security defenses, as well as conducting reconnaissance of the compromised environments to facilitate lateral movement and credential theft.
The credential harvesting activity, the Windows maker said, targeted Azure Instance Metadata Service (IMDS) endpoints for Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud with the end goal of acquiring identity tokens to burrow deeper into cloud infrastructures.
“Attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts to extract several different secrets,” the Microsoft Defender Security Research Team said. “Attempts to harvest AI and cloud-native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service‑account credentials, were also observed. Azure Command-Line Interface (CLI) (az) and Azure Developer CLI (azd) were also used to obtain tokens.”
In another campaign detailed by Beelzebub, threat actors have been observed exploiting flaws in Next.js, including CVE-2025-29927 and CVE-2025-66478 (the same React2Shell bug before it was rejected as a duplicate), to enable systematic extraction of credentials and sensitive data -
- .env, .env.local, .env.production, .env.development
- System environment variables (printenv, env)
- SSH keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519, /root/.ssh/*)
- Cloud credentials (~/.aws/credentials, ~/.docker/config.json)
- Git credentials (~/.git-credentials, ~/.gitconfig)
- Command history (last 100 commands from ~/.bash_history)
- System files (/etc/shadow, /etc/passwd)
The malware also proceeds to create persistence on the host to survive system reboots, install a SOCKS5 proxy, establish a reverse shell to “67.217.57[.]240:888,” and install a React scanner to probe the internet for further propagation.
The activity, codenamed Operation PCPcat, is estimated to have already breached 59,128 servers. “The campaign shows characteristics of large-scale intelligence operations and data exfiltration on an industrial scale,” the Italian company said.
The Shadowserver Foundation is currently tracking over 111,000 IP addresses vulnerable to React2Shell attacks, with over 77,800 instances in the U.S., followed by Germany (7,500), France (4,000), and India (2,300). Data from GreyNoise shows that there are 547 malicious IP addresses from the U.S., India, the U.K., Singapore, and the Netherlands partaking in the exploitation efforts over the past 24 hours.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Related news
A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as…
If you use a smartphone, browse the web, or unzip files on your computer, you are in the crosshairs this week. Hackers are currently exploiting critical flaws in the daily software we all rely on—and in some cases, they started attacking before a fix was even ready. Below, we list the urgent updates you need to install right now to stop these active threats. ⚡ Threat of the Week Apple and
The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization
This week’s cyber stories show how fast the online world can turn risky. Hackers are sneaking malware into movie downloads, browser add-ons, and even software updates people trust. Tech giants and governments are racing to plug new holes while arguing over privacy and control. And researchers keep uncovering just how much of our digital life is still wide open. The new Threatsday Bulletin
Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical security React2Shell flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT. "EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and
It’s been a week of chaos in code and calm in headlines. A bug that broke the internet’s favorite framework, hackers chasing AI tools, fake apps stealing cash, and record-breaking cyberattacks — all within days. If you blink, you’ll miss how fast the threat map is changing. New flaws are being found, published, and exploited in hours instead of weeks. AI-powered tools meant to help developers
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an
Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge. The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution. It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1. According
A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). Fixed in: React: 19.0.1, 19.1.2, 19.2.1 Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76. All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately. <sup>1</sup> The affected React packages are: - react-server-dom-parcel - react-server-dom-turbopack - react-server-dom-webpack
A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in
A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in
Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the
Researchers have uncovered a critical vulnerability (CVE-2025-29927) in Next.js middleware, allowing authorization bypass. Learn about the exploit and fixes.
# Impact It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. # Patches * For Next.js 15.x, this issue is fixed in `15.2.3` * For Next.js 14.x, this issue is fixed in `14.2.25` * For Next.js versions `11.1.4` thru `13.5.6`, consult the below workaround. # Workaround If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application. ## Credits - Allam Rachid (zhero;) - Allam Yasser (inzo_)