
Critical React2Shell flaw exploited in ransomware attacks

Published:

17 December 2025 at 16:09:51

Alert date:

17 December 2025 at 17:01:15

Source:

bleepingcomputer.com


Web Technologies, Ransomware & Malware, Zero-Day Vulnerabilities

A ransomware gang exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to corporate networks. The attackers deployed file-encrypting malware less than a minute after gaining access through the vulnerability. This is active exploitation of a critical vulnerability for ransomware deployment, indicating an immediate threat to organizations running affected React components.

Technical details

React2Shell is an insecure deserialization issue in the React Server Components (RSC) 'Flight' protocol used by the React library and the Next.js framework. It can be exploited remotely, without authentication, to execute JavaScript code in the server context. In the attack, threat actors deployed Weaxor ransomware within minutes of gaining initial access through React2Shell. The attack flow was: an obfuscated PowerShell command deployed a Cobalt Strike beacon for C2 communication, Windows Defender real-time protection was disabled, and the ransomware payload was launched. Files were encrypted with the '.WEAX' extension, and ransom notes named 'RECOVERY INFORMATION.txt' were placed in affected directories. The attackers wiped volume shadow copies and cleared event logs to hinder forensic analysis.

Mitigation steps:

Review Windows event logs and EDR telemetry for evidence of process creation from binaries related to Node or React. Monitor for cmd.exe or powershell.exe being spawned by node.exe, which is a strong indicator of React2Shell exploitation. Investigate unusual outbound connections, disabled security solutions, log clearing, and resource spikes. Note that patching alone is not sufficient: continuous monitoring is required.
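The following detection logic is an added example, not code from the original article or from Perceptive. It applies the monitoring guidance above to process-creation telemetry: it flags cmd.exe or powershell.exe spawned by node.exe, and it also matches command lines for the post-exploitation steps the advisory describes (Defender real-time protection disabled, shadow copies wiped, event logs cleared, encoded PowerShell). The record layout (pid, image, parent image, command line) is assumed to be a Sysmon Event ID 1 or Windows 4688 style event reduced to those fields, and all sample events are constructed for the example, not real incident data.

```python
"""Detection rules for the React2Shell post-exploitation chain (added example).

Input: process-creation events reduced to pid, image path, parent image path and
command line (assumed Sysmon Event ID 1 / Windows 4688 style fields).
Output: (pid, rule_name) pairs for every rule an event triggers.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str


# Parent/child pairing the advisory names as a strong exploitation indicator.
WEB_PARENTS = {"node.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}

# Command-line patterns for the follow-on steps described in the advisory.
COMMAND_LINE_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_clearing",
     re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference\b.*DisableRealtimeMonitoring", re.I)),
    ("encoded_powershell",
     re.compile(r"powershell(?:\.exe)?\b.*\s-e(?:c|nc|ncodedcommand)?\s", re.I)),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def evaluate(event: ProcessEvent) -> list:
    """Return the names of all rules this single event triggers."""
    hits = []
    if basename(event.parent_image) in WEB_PARENTS and basename(event.image) in SUSPICIOUS_CHILDREN:
        hits.append("shell_spawned_by_node")
    for name, pattern in COMMAND_LINE_RULES:
        if pattern.search(event.command_line):
            hits.append(name)
    return hits


def scan(events) -> list:
    """Run every event through the rules; returns [(pid, rule_name), ...]."""
    return [(e.pid, hit) for e in events for hit in evaluate(e)]


# Constructed sample telemetry mimicking the advisory's attack flow (not real data).
SAMPLE_EVENTS = [
    # Normal web server start: node launched by the service manager, no alert.
    ProcessEvent(4100, r"C:\Program Files\nodejs\node.exe",
                 r"C:\Windows\System32\services.exe", "node.exe server.js"),
    # node spawning node (worker) is routine, no alert.
    ProcessEvent(4101, r"C:\Program Files\nodejs\node.exe",
                 r"C:\Program Files\nodejs\node.exe", "node.exe worker.js"),
    # Web server process spawning an encoded PowerShell command (placeholder blob).
    ProcessEvent(4102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\nodejs\node.exe",
                 "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEA"),
    # Defender real-time protection being switched off.
    ProcessEvent(4103, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    # Shadow copies wiped and event logs cleared before encryption.
    ProcessEvent(4104, r"C:\Windows\System32\vssadmin.exe",
                 r"C:\Windows\System32\cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent(4105, r"C:\Windows\System32\wevtutil.exe",
                 r"C:\Windows\System32\cmd.exe", "wevtutil.exe cl Security"),
    # cmd.exe from an interactive desktop session is not the node pairing, no alert.
    ProcessEvent(4106, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
]


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The parent/child rule is the high-confidence one; the command-line rules are lower-fidelity on their own but, correlated on the same host within a short window after a node.exe-spawned shell, match the sequence the advisory reports. Feeding real telemetry means mapping your EDR or Sysmon fields onto the four ProcessEvent attributes.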

Affected products:

React Server Components
React library
Next.js framework
Node.js

IOCs:

.WEAX file extension
RECOVERY INFORMATION.txt ransom note filename
Process spawning of cmd.exe or powershell.exe from node.exe
Unusual outbound connections
Disabled security solutions
Log clearing
Resource spikes
Obfuscated PowerShell commands
Cobalt Strike beacon deployment

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
