The React2Shell Crisis : How CVE-2025-55182 Impacts Enterprise Data Protection

Overview

Cohesity REDLab has released updates to its threat library in response to active exploitation of CVE-2025-55182 dubbed as React2Shell. On December 3, 2025, React publicly disclosed React2Shell, a critical unauthenticated remote code execution (RCE) vulnerability tracked as CVE-2025-55182. Assigned a CVSS 3.x score of 10.0 and CVSS 4.0 score of 9.3, this flaw resides within React Server Components, enabling remote attackers to execute arbitrary commands on vulnerable servers via crafted HTTP requests - without authentication and under the privileges of the web server process. Within 24 hours, exploitation was observed in the wild, with broad scanning and automated compromise attempts targeting internet-facing servers and applications built with frameworks such as Next.js, where React Server Components are deeply embedded as transitive dependencies.

Multiple threat actors, from opportunistic cryptominers to advanced espionage groups, are now actively abusing React2Shell. Payloads delivered through the vulnerability include XMRig, PeerBlight, CowTunnel, ZinFoq, and Sliver, alongside targeted implants used by China-linked and North Korea-linked operators. For organizations responsible for protecting critical data and backup infrastructure, this vulnerability represents an immediate risk: remote code execution on a front-end server is sufficient for attackers to pivot, harvest credentials, exfiltrate sensitive data, or attempt to corrupt or delete backup copies.

This blog traces how attackers exploit React2Shell across each phase of the kill chain and highlights how Cohesity’s anti-ransomware, threat hunting, and immutable backup capabilities help detect, contain, and recover from such campaigns.

1.   Initial Access: Unauthenticated RCE via React2Shell

Attackers begin by scanning for applications exposing vulnerable React Server Component endpoints. Because React is widely bundled into other ecosystems, including cloud-native apps and server-side rendering frameworks, organizations frequently remain unaware they are running affected versions.

A single malicious HTTP request is sufficient to achieve code execution. More sophisticated actors, including Earth Lamia and Jackpot Panda, selectively targeted high-value environments such as enterprise applications, online gambling platforms, and SaaS portals. Meanwhile, North Korea-linked operators weaponized the flaw to deliver EtherRAT, a new RAT leveragng “EtherHiding”, a technique that stores command-and-control instructions across Ethereum smart contracts.

From a data-protection standpoint, this initial foothold is severe. A compromised web server can give attackers a launching pad to reach authentication stores, service accounts, administrative dashboards, or data management APIs that eventually access backup environments.

2.   Execution: Dropping Miners, Backdoors, and Implants

Once the RCE payload is executed, attackers deploy a range of tools:

• XMRig cryptominers for profit-driven campaigns
• PeerBlight and CowTunnel backdoors for persistent control
• ZinFoq, a Go-based post-exploitation implant
• Sliver, used widely for lateral movement and C2
• EtherRAT, which implants multiple persistence mechanisms and self-updating features

China-linked threat actors have been observed uploading payloads into /tmp, executing reconnaissance commands, and pulling additional malware using curl, wget, or self-propagating scripts. These behaviors are consistent across malware families such as MINOCAT, CHAOS, COMPOOD, VSHELL, and SNOWLIGHT.

These execution anomalies form some of the earliest signals that backup administrators can use to trace attacker activity in the environment.

3.   Persistence: Implants and System Modification

Persistence mechanisms vary by threat actor:

• EtherRAT deploys five independent persistence mechanisms, including - Systemd service installation, Cron job scheduling, Updater scripts, User-level autorun configs, SSH key modification
• Other actors create systemd services for commodity miners or hide backdoors under innocuous filenames in /usr/lib.
• Some campaigns drop VM agents or establish tunnels (via FRP, CowTunnel) to maintain remote access.

These activities can have cascading effects on enterprise data protection. Persistent control over front-end systems allows adversaries to:

• Maintain long-term access to laterally discover backup storage endpoints
• Extract credentials used by data protection workloads
• Attempt unauthorized interaction with backup APIs
• Map the environment before initiating destructive ransomware operations

Cohesity’s immutable backup snapshots ensure that even if attackers achieve persistence and later attempt to delete or encrypt backups, historical versions remain protected and recoverable through DataLock and Quorum-based controls.

4.   Privilege Escalation: Moving from Web Server to Infrastructure Access

Most React2Shell exploitation begins with the privilege context of the web server. Threat actors escalate privileges through:

• Abusing misconfigured sudo privileges
• Harvesting credentials from application logs, environment variables, or config files
• Leveraging chained vulnerabilities discovered during scanning, for example NUUO Camera CVE-2025-1338
• Deploying Sliver or ZinFoq to perform password spraying, token theft, and SSH key collection

Earth Lamia, for instance, has a history of chaining multiple vulnerabilities to ascend privilege levels.This telemetry is critical for early containment, especially before attackers reach high-value servers or file shares.

5.   Lateral Movement

After gaining system-level access, attackers pivot across the network using:

• SSH tunneling via CowTunnel or FRP
• Reverse proxies that disguise outbound communication
• Credential reuse from compromised web infrastructure
• Enumeration of internal services using built-in commands
• Sliver-based pivoting and port scanning

Some observed attackers exfiltrated /etc/passwd, searching for key vaults or cloud metadata services, and scanning additional systems for exploitable software.

6.  Command & Control (C2): Decentralized, Smart-Contract, and Proxy-Based Infrastructure

React2Shell campaigns use a diverse array of C2 channels:

• EtherHiding, which leverages Ethereum smart contracts and nine public RPC nodes to resolve C2 infrastructure
• Sliver-based encrypted channels
• Reverse HTTP tunnels via Metasploit payloads
• CowTunnel and FRP-based reverse proxies
• Simple curl/wget beacons to minimally detectable URLs

7.   Exfiltration & Ransomware Deployment

React2Shell exploitation serves multiple end goals depending on the actor:

1. Cryptomining (opportunistic actors)

Systems are co-opted for resource theft, often without significant lateral movement.

2. Espionage (China-linked, North Korea-linked groups)

To collect credentials, internal documents, configuration backups, source code, or cloud secrets.

3. Destructive ransomware campaigns (financially motivated threat groups)

While not yet widely observed for React2Shell, the pattern of deployment toolkits such as METASPLOIT, Sliver, CHAOS, and VSHELL shows potential for:

• Ransomware staging
• Backup destruction attempts
• Mass-encryption attacks
• Exfiltration prior to extortion

Cohesity Recommendations and Defensive Actions

1. Patch React immediately
Upgrade to React 19.0.1, 19.1.2, or 19.2.1.

2. Identify any frameworks that bundle React Server Components
Especially Next.js and other ecosystem tools.

3. Use Cohesity Rapid Threat Hunt
Run Rapid Threat Hunt with the Cohesity default threat library. Or perform manual IOC searches across:

• File hashes associated with XMRig, PeerBlight, CowTunnel, ZinFoq
• EtherRAT and EtherHiding infrastructure
• Strange activity in /tmp, systemd entries, cron tasks

4. Review backup and service account permissions
Limit privileges to least privilege; rotate credentials if front-end compromise is suspected.

5. Validate backup immutability
Ensure DataLock and Quorum-based deletion protection are enforced.

6. Perform a global Anti Ransomware scan across recent snapshots
Look for unexpected modifications, unusual churn, or entropy spikes that may indicate destructive or staging activity.

Conclusion

React2Shell highlights the expanding threat surface created by modern, componentized software ecosystems. A single vulnerability in a widely deployed library can rapidly cascade across frameworks, cloud workloads, and enterprise applications. For attackers, unauthenticated RCE offers a frictionless entry point to launch miners, stage espionage operations, deploy RATs, or begin a ransomware kill chain.

For defenders, especially those responsible for safeguarding critical data, the ability to detect, contain, and rapidly recover from such intrusions is paramount. Cohesity’s anti-ransomware capabilities, combined with threat scanning and immutable backups, provide the resilience organizations need when facing fast-moving exploits like React2Shell.

React advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

For the latest advisories and technical details, visit Cohesity REDLab.