Microsoft warns that attackers are actively exploiting the React2Shell vulnerability (CVE-2025-55182) in React Server Components, compromising hundreds of machines across diverse organizations to execute code, deploy malware, and deliver ransomware. Exploitation has moved beyond proof-of-concept, with attackers using the flaw to run commands, drop malware, and pivot within victim environments, often camouflaging their activity. The company's findings indicate a rapid increase in exploitation attempts after public disclosure, leading to malware deployment including downloaders and cryptominers. Security firms are confirming real-world intrusions using React2Shell as the initial access vector, including ransomware deployment.
Microsoft says attackers have already compromised "several hundred machines across a diverse set of organizations" via the React2Shell flaw, using the access to execute code, deploy malware, and, in some cases, deliver ransomware.
, Redmond said attackers are actively exploiting CVE-2025-55182, better known as React2Shell, a critical flaw in React Server Components that can be abused to run arbitrary code on vulnerable servers. According to Microsoft's threat intelligence team, exploitation has already spread well beyond the proof-of-concept stage, with hundreds of compromised systems confirmed across multiple sectors and regions. The company said attackers are abusing the flaw to run arbitrary commands, drop malware, and pivot deeper into victim environments, often blending the activity into legitimate-looking application traffic., when researchers warned the React Server Components bug could be exploited to execute attacker-controlled code. The bug was quickly chained to other weaknesses and misconfigurations, withthat probed exposed servers at scale. A separate wave of disclosures days later revealed additional "SecretLeak" bugs in React tooling, further rattling developers who had only just begun to understand the blast radius of React2Shell.
Microsoft's latest findings suggest exploitation attempts ramped up rapidly after public disclosure, with attackers using successful exploits to push malware – including memory-based downloaders and cryptominers – onto exposed JavaScript application backends.
Other threat intelligence teams are seeing the same thing on the ground. Security firm S-RM said it has already responded to a real-world intrusion in which React2Shell was used as the initial access vector to breach a corporate network and deploy ransomware.
"This is the first time S-RM has observed this vulnerability being used by financially motivated threat actors to facilitate a cyber extortion attack, and highlights an escalation in the known impact of this vulnerability compared to other public reporting, which has so far primarily documented instances of the vulnerability being used to introduce backdoor malware or cryptominers,"
"React2Shell continues to pop off by our count at GreyNoise Intelligence," Morris said. "We continue to stack a pretty hefty number of distinct malware payloads. Exploitation is still very high with the number of cumulative networks exploiting this vuln reaching all-time highs almost every single day since disclosure."
The scale reflects how widely React Server Components have been adopted. Designed to offload rendering work to the server to improve performance, the technology is now embedded in countless production apps, with one estimate suggesting that 39 percent of cloud environments are vulnerable to the React2Shell flaw.
The exact number of known React2Shell victims is not yet known, but Palo Alto Networks has confirmed that more than 50 organizations have so far been compromised. However, the true figure is likely much higher, as researchers warned last week that
For organizations still scrambling to respond, Microsoft urged teams to apply available patches, audit exposed React Server Component deployments, and monitor for signs of exploitation. With exploitation still surging and patching incomplete, React2Shell remains wide open for abuse.