Microsoft has warned that exploitation of the React2Shell vulnerability is escalating rapidly and now poses a significant operational and security risk to organizations worldwide.
In a recent blog post, Microsoft confirmed that several hundred machines across a wide range of industries have already been compromised through this flaw.
React2Shell affects React Server Components (RSC), a core part of modern React-based web applications. Given how widely React is deployed, the attack surface is vast.
What is React2Shell
The vulnerability is tracked as CVE-2025-55182 and carries a 10 out of 10 critical severity rating.
It is a pre-authentication bug that allows attackers to execute arbitrary system commands without valid credentials.
The issue impacts multiple versions of React packages, prompting the React team to release emergency patches earlier this month. Fixed versions include:
- 19.0.1
- 19.1.2
- 19.2.1
Security researchers warned at the time that public disclosure would likely trigger mass exploitation. According to Microsoft, that prediction has now been fully realized.
How attackers are abusing the flaw
Microsoft reports that threat actors are using React2Shell to:
- Execute arbitrary OS level commands
- Deploy malware droppers
- Install cryptominers
- Move laterally inside compromised networks
- Blend malicious traffic with legitimate application activity
Following public disclosure, attack volume increased sharply as additional actors began deploying memory-resident downloaders and stealthier payloads to avoid detection.
State-linked groups now involved
Amazon Web Services previously reported that two China-linked threat groups, Earth Lamia and Jackpot Panda, were among the first to weaponize the vulnerability.
Their campaigns targeted organizations across:
- Financial services
- Logistics and retail
- IT services
- Universities
- Government institutions
Victims have been identified across Latin America, the Middle East, and Southeast Asia. The primary objectives appear to be persistence and long-term cyber espionage.
More recently, Microsoft confirmed that North Korean state-sponsored actors have also joined the exploitation wave.
EtherRAT raises the stakes
Unlike earlier campaigns focused on cryptomining and basic persistence, North Korean attackers are using React2Shell to deploy a new malware strain called EtherRAT.
Microsoft describes EtherRAT as far more sophisticated than previous payloads. It functions as a persistent access implant and combines techniques observed across at least three known North Korean malware campaigns.
This marks a shift from opportunistic exploitation toward higher-value intelligence collection and long-term access operations.
Why this vulnerability is especially dangerous
React underpins a massive portion of modern web infrastructure. Many organizations deploy React Server Components deep inside trusted application stacks, often exposed to the internet by design.
This makes React2Shell particularly dangerous because:
- Exploitation does not require authentication
- Malicious activity blends with legitimate app traffic
- Compromised servers often have access to sensitive backend systems
Microsoft stresses that unpatched systems should be considered actively at risk.
What organizations should do now
Microsoft and the React team strongly advise:
- Immediate upgrading to patched React versions
- Reviewing server logs for suspicious RSC activity
- Monitoring for unusual process execution and outbound traffic
- Isolating exposed application servers where possible
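The first step above, upgrading to a patched release, is easy to get wrong in a monorepo where several React-family packages are pinned separately. The following Node.js script is an added example (it is not from the article, Microsoft, or the React team) that checks a dependency map against the three fixed versions the article lists (19.0.1, 19.1.2, 19.2.1). It assumes a version is safe only when its patch level is at or above the fix for its 19.x minor line; any other line is reported as "unknown" rather than guessed, because the article does not say which other versions are affected. The package names checked (`react`, `react-dom`, `react-server-dom-webpack`) and the sample dependency block are assumptions for illustration, and a caret or tilde range is read at its floor, so a lock file's resolved versions give a more reliable answer than `package.json` alone.

```javascript
// Added example: audit React-family package versions against the fixed
// releases the article lists for CVE-2025-55182 (React2Shell).
// Assumption: the fix lines are exactly 19.0.1, 19.1.2 and 19.2.1; any
// major.minor line not in that list is reported as "unknown".

// Minimum patched version per affected 19.x minor line (from the article).
const FIXED_VERSIONS = ["19.0.1", "19.1.2", "19.2.1"];

// Parse "19.1.2" (optionally prefixed with "^", "~", "=" or "v") into numbers.
// A range such as "^19.0.0" is read at its floor; resolve from a lock file
// when you need the version that is actually installed.
function parseVersion(v) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Lookup table: "major.minor" -> minimum safe patch level for that line.
const MIN_PATCH = new Map(
  FIXED_VERSIONS.map((v) => {
    const p = parseVersion(v);
    return [`${p.major}.${p.minor}`, p.patch];
  })
);

// Classify one version string as "patched", "vulnerable" or "unknown".
function classifyVersion(installed) {
  const p = parseVersion(installed);
  if (!p) return "unknown"; // unparsable string
  const min = MIN_PATCH.get(`${p.major}.${p.minor}`);
  if (min === undefined) return "unknown"; // line not covered by the article's list
  return p.patch >= min ? "patched" : "vulnerable";
}

// Package names to audit (assumed for this example; extend to match your stack).
const REACT_PACKAGES = ["react", "react-dom", "react-server-dom-webpack"];

// Audit a dependency map such as the "dependencies" object of package.json
// or the resolved versions from a lock file. Non-React packages are ignored.
function auditDependencies(deps) {
  const report = {};
  for (const name of REACT_PACKAGES) {
    if (name in deps) report[name] = classifyVersion(deps[name]);
  }
  return report;
}

// Constructed sample input (not real project data): a package.json block
// with one patched package, one pinned just below the fix, and one range.
const sampleDeps = {
  react: "19.1.1",
  "react-dom": "19.1.2",
  "react-server-dom-webpack": "^19.0.0",
  express: "4.19.2",
};

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditDependencies(sampleDeps));
}
```

Run it with `node audit-react.js` (any file name); on the sample input it reports `react` and `react-server-dom-webpack` as vulnerable and `react-dom` as patched. Feed it the resolved versions from a lock file rather than declared ranges to decide whether a server actually needs the upgrade, and treat an "unknown" result as a prompt to check the React advisory, not as a pass.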
Given the diversity of threat actors now abusing the flaw, delayed patching significantly increases the likelihood of compromise.