Particle.news

React2Shell Attacks Escalate as Microsoft Confirms Hundreds of Compromised Systems

A flood of public exploits turned a React Server Components flaw into broad, real-world intrusions.

Overview

  • Microsoft reports several hundred machines breached through CVE-2025-55182, with observed reverse shells, lateral movement, data theft and persistence.
  • Palo Alto Networks’ Unit 42 tallies more than 60 victim organizations linked to exploitation of the vulnerability.
  • VulnCheck has validated about 180 public exploits for React2Shell, the highest verified public exploit count recorded for a single CVE.
  • Google Threat Intelligence and AWS say financially motivated actors and China- and Iran-linked groups are actively exploiting the bug across regions, and Cloudflare observed targeting of sensitive operators including a national authority for uranium and nuclear fuel trade.
  • S-RM investigated a December 5 incident in which Weaxor ransomware executed within a minute of access gained via React2Shell, with telltale indicators including node.exe spawning cmd.exe or powershell.exe.
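The process-creation pattern S-RM cites above (a node.exe parent spawning cmd.exe or powershell.exe) as a detection check, written as an added example that is not code from Particle.news or S-RM; the event fields and sample telemetry are constructed and mirror no vendor's real schema.

```python
# Added example: flag a node.exe parent spawning cmd.exe or powershell.exe, the
# indicator the S-RM summary attributes to the Weaxor/React2Shell incident.
# ProcessEvent is a constructed, Sysmon-like event shape (an assumption here).
from dataclasses import dataclass

SUSPICIOUS_PARENTS = {"node.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent process image
    image: str          # full path of the new process image
    command_line: str


def basename(path: str) -> str:
    # Normalise Windows/POSIX separators and case so the full image path matches.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_react2shell_indicator(ev: ProcessEvent) -> bool:
    # True when a Node.js process spawns a Windows command interpreter.
    return (basename(ev.parent_image) in SUSPICIOUS_PARENTS
            and basename(ev.image) in SUSPICIOUS_CHILDREN)


def find_indicators(events):
    # Return the subset of events matching the indicator, preserving order.
    return [ev for ev in events if is_react2shell_indicator(ev)]


# Constructed sample telemetry: two matches, one explorer-launched shell,
# one node.exe child that is itself node.exe (a normal worker spawn).
SAMPLE_EVENTS = [
    ProcessEvent("web-01", r"C:\Program Files\nodejs\node.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessEvent("web-01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent("web-02", r"C:\Program Files\nodejs\node.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile"),
    ProcessEvent("web-02", r"C:\Program Files\nodejs\node.exe",
                 r"C:\Program Files\nodejs\node.exe", "node worker.js"),
]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_EVENTS):
        print(f"[{hit.host}] {basename(hit.parent_image)} -> "
              f"{basename(hit.image)}: {hit.command_line}")
```

Build servers that legitimately run shell steps from Node tooling will also match, so scope the rule to production web hosts or baseline their normal child processes first.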