React2Shell exploitation continues to escalate, posing 'significant risk'

Several hundred machines already compromised, Microsoft says

News By Sead Fadilpašić published 19 December 2025

(Image credit: Getty Images) Share Share by:

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Threads

Share this article 0 Join the conversation Follow us Add us as a preferred source on Google

• React2Shell (CVE‑2025‑55182) exploited to compromise hundreds of systems worldwide
• China‑linked groups and North Korea abuse flaw for persistence, espionage, and cryptomining
• Patch immediately to React versions 19.0.1, 19.1.2, or 19.2.1.

React2Shell, a critical severity vulnerability in React Server Components (RCS), was already used to compromise “several hundred machines across a diverse set of organizations”.

This is according to Microsoft, whose latest blog post discusses the vulnerability and how to defend against incoming attacks.

In early December, the React team published a security advisory detailing a pre-authentication bug in multiple versions of multiple packs, affecting RCS. The bug, now dubbed “React2Shell”, is tracked as CVE-2025-55182, and is given a severity score of 10/10 (critical).

Arbitrary commands, droppers, and cryptominers

Given that React is one of the most popular JavaScript libraries out there, powering much of today’s internet, researchers warned that exploitation was imminent, urging everyone to apply the fix without delay and update their systems to versions 19.0.1, 19.1.2, and 19.2.1.

Now, Microsoft says these warnings have come true, as numerous threat actors have abused the flaw to run arbitrary commands, drop malware, and move laterally throughout the target infrastructure, successfully blending with other legitimate traffic.

Redmond also stressed that the number of attacks increased after React publicly disclosed the findings, as more threat actors moved in to deploy memory-based downloaders and cryptominers.

Two weeks ago, Amazon Web Services (AWS) reported that two China-linked groups, Earth Lamia and Jackpot Panda, have been seen using the bug to target organizations in different verticals.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors