React2Shell: Critical RCE Vulnerability Exploited - What You Need to Know (2026)

React2Shell, tracked as CVE-2025-55182, is a critical remote code execution (RCE) flaw that is being exploited in the wild, and it affects developers and users alike.

GreyNoise researchers have observed widespread automated attacks exploiting a deserialization issue in the React Server Components Flight protocol. The flaw allows unauthenticated RCE and affects React and its related ecosystems, including Next.js.

The attack campaign is highly automated. GreyNoise data shows attackers leveraging both new and old systems, with HTTP and TCP fingerprints that indicate heavy automation rather than typical user browsing.

The vulnerability has already been integrated into notorious botnets like Mirai. Attackers are using publicly available proof-of-concept code to gain initial access, then deploying multi-stage payloads, with PowerShell arithmetic operations used for validation.

The attack chain is intricate. It begins with simple PowerShell commands for validation, followed by encoded PowerShell stagers that download additional payloads, employing obfuscation and AMSI bypass techniques. Traffic analysis reveals a mix of user agents, including Go-http-client, Assetnote scanners, and spoofed browser strings, a classic sign of early exploitation.

The geographical distribution of attack sources is concentrated in the Netherlands, China, the US, and Hong Kong, with many IPs first appearing in December 2025. GreyNoise offers a proactive solution—the GreyNoise Block feature, which can instantly block malicious IPs associated with this campaign.

Enterprise users have access to advanced blocklists, allowing precise filtering based on ASN, JA4 fingerprints, and destination countries. Endpoint detection strategies should target PowerShell process creation with encoded commands and suspicious functions. Additionally, organizations must urgently patch vulnerable React Server Components and Next.js deployments.

Stay vigilant by monitoring for PowerShell arithmetic validation attempts, which are telltale signs of exploitation.
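The endpoint checks described above (PowerShell process creation with encoded commands and suspicious functions, plus arithmetic-only validation commands) can be sketched as a command-line classifier. This is an added example, not code from GreyNoise or the article; the marker list, tag names and sample command lines are constructed assumptions.

```python
import base64
import re

PS = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
ENC_FLAG = re.compile(r"\s[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)
CMD_FLAG = re.compile(r"\s[-/]c(?:ommand)?\s+(.+)$", re.I)
# Script body that is nothing but integer arithmetic, e.g. "123*456".
ARITH = re.compile(r"^[\s(]*\d+[\s()]*(?:[-+*/%][\s(]*\d+[\s()]*)+$")
# Illustrative marker list (an assumption, not taken from the GreyNoise data).
SUSPICIOUS = re.compile(r"amsi|downloadstring|net\.webclient|invoke-expression|\biex\b", re.I)


def decode_encoded_command(args):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE), or None."""
    for flag, blob in ENC_FLAG.findall(args):
        flag = flag.lower()
        # PowerShell accepts any prefix of -EncodedCommand (-e, -enc, ...) and -ec.
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # bad base64 or not valid UTF-16LE
                return None
    return None


def classify(cmdline):
    """Return detection tags for one process-creation command line."""
    tags = set()
    ps = PS.search(cmdline)
    if not ps:
        return tags
    args = cmdline[ps.end():]  # only inspect what follows the PowerShell binary
    script = decode_encoded_command(args)
    if script is not None:
        tags.add("encoded_command")
    else:
        m = CMD_FLAG.search(args)
        script = m.group(1) if m else ""
    script = script.strip().strip("\"'")
    if ARITH.match(script):
        tags.add("arithmetic_validation")
    if SUSPICIOUS.search(script):
        tags.add("suspicious_function")
    return tags


def _enc(script):
    """Build a constructed -EncodedCommand blob for test samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode()
```

Feed it the command-line field from process-creation telemetry; decoding the encoded command first means the arithmetic and marker checks also apply to stagers that hide their script in base64.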

Author: Rev. Porsche Oberbrunner
