React2Shell exploitation spreads as Microsoft counts hundreds of hacked machines
Security boffins warn flaw is now being used for ransomware attacks against live networks
by Carly Page · The Register

Microsoft says attackers have already compromised "several hundred machines across a diverse set of organizations" via the React2Shell flaw, using the access to execute code, deploy malware, and, in some cases, deliver ransomware.
In a blog post this week, Redmond said attackers are actively exploiting CVE-2025-55182, better known as React2Shell, a critical flaw in React Server Components that can be abused to run arbitrary code on vulnerable servers.
According to Microsoft's threat intelligence team, exploitation has already spread well beyond the proof-of-concept stage, with hundreds of compromised systems confirmed across multiple sectors and regions.
The company said attackers are abusing the flaw to run arbitrary commands, drop malware, and pivot deeper into victim environments, often blending the activity into legitimate-looking application traffic.
React2Shell first burst into the open earlier this month, when researchers warned the React Server Components bug could be exploited to execute attacker-controlled code. The bug was quickly chained with other weaknesses and misconfigurations, and early campaigns were linked to China- and Iran-nexus threat activity that probed exposed servers at scale. A separate wave of disclosures days later revealed additional "SecretLeak" bugs in React tooling, further rattling developers who had only just begun to understand the blast radius of React2Shell.
Microsoft's latest findings suggest exploitation attempts ramped up rapidly after public disclosure, with attackers using successful exploits to push malware – including memory-based downloaders and cryptominers – onto exposed JavaScript application backends.
Other threat intelligence teams are seeing the same thing on the ground. Security firm S-RM said it has already responded to a real-world intrusion in which React2Shell was used as the initial access vector to breach a corporate network and deploy ransomware.
"This is the first time S-RM has observed this vulnerability being used by financially motivated threat actors to facilitate a cyber extortion attack, and highlights an escalation in the known impact of this vulnerability compared to other public reporting, which has so far primarily documented instances of the vulnerability being used to introduce backdoor malware or cryptominers," the company said.
Telemetry also points to industrial-scale abuse. Andrew Morris, founder of GreyNoise, wrote on LinkedIn that exploitation remains intense weeks after disclosure.
"React2Shell continues to pop off by our count at GreyNoise Intelligence," Morris said. "We continue to stack a pretty hefty number of distinct malware payloads. Exploitation is still very high with the number of cumulative networks exploiting this vuln reaching all-time highs almost every single day since disclosure."
The scale reflects how widely React Server Components have been adopted. Designed to offload rendering work to the server to improve performance, the technology is now embedded in countless production apps, with one estimate suggesting that 39 percent of cloud environments are vulnerable to the React2Shell flaw.
The total number of React2Shell victims is not yet known, but Palo Alto Networks has confirmed that more than 50 organizations have been compromised so far. The true figure is likely far higher: researchers warned last week that half of the systems vulnerable to the bug remain unpatched.
For organizations still scrambling to respond, Microsoft urged teams to apply available patches, audit exposed React Server Component deployments, and monitor for signs of exploitation. With exploitation still surging and patching incomplete, React2Shell remains wide open for abuse. ®
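One concrete way to act on the "audit exposed React Server Component deployments" advice is to inventory every installed copy of the server-side RSC runtime packages and compare them against the patched releases. The script below is an added example written for this page, not code from Microsoft, the React project, or The Register. It walks an npm lockfile (lockfileVersion 2 or 3), picks out the react-server-dom-* packages wherever they sit in the dependency tree (including copies nested under a framework), and classifies each version. The package names and the per-minor-line patched floors are my assumptions based on the React project's advisory for CVE-2025-55182; the article states neither, so verify them against the advisory before trusting the output. The sample lockfile embedded at the bottom is constructed for the demonstration.

```javascript
// Lockfile audit for React Server Components runtime packages.
// Added example, not from the article or the React project.

// ASSUMPTION: packages that ship the RSC server runtime (verify against the advisory).
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// ASSUMPTION: first patched release on each affected minor line (verify before use).
const PATCHED_FLOOR = {
  "19.0": "19.0.1",
  "19.1": "19.1.2",
  "19.2": "19.2.1",
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric triple comparison; prerelease tags are handled by the caller.
function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Classify one installed version:
//   "patched"    - at or above the floor for its minor line
//   "vulnerable" - below the floor for its minor line
//   "review"     - prerelease/canary build or unparseable version: a human must check
//   "unlisted"   - minor line not in the floor table (no claim made either way)
function classify(version, floors = PATCHED_FLOOR) {
  const v = parseVersion(version);
  if (!v) return "review";
  const floor = floors[`${v.major}.${v.minor}`];
  if (!floor) return "unlisted";
  if (v.pre) return "review"; // floor comparison is not meaningful for canaries
  return compareVersions(v, parseVersion(floor)) >= 0 ? "patched" : "vulnerable";
}

// Walk the "packages" map of an npm lockfile (v2/v3). Keys are install paths such as
// "node_modules/next/node_modules/react-server-dom-webpack"; the package name is the
// final segment, so nested copies pulled in by a framework are found as well.
function auditLockfile(lockText, floors = PATCHED_FLOOR) {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version, floors) });
  }
  return findings;
}

// Constructed sample lockfile (not real project data): a direct 19.2.0 copy, a nested
// patched copy under a framework, and a canary build that needs manual review.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "react-server-dom-webpack": "^19.2.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.0-canary-abc123-20251101" },
  },
});

// Returns 1 when any copy is not confirmed patched, 0 otherwise.
// Usage: node audit.js package-lock.json   (falls back to the sample when no path is given)
function main(argv) {
  const text = argv[2] ? require("fs").readFileSync(argv[2], "utf8") : SAMPLE_LOCK;
  const findings = auditLockfile(text);
  for (const f of findings) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
  const attention = findings.filter((f) => f.status !== "patched").length;
  console.log(`${findings.length} RSC package copies, ${attention} need attention`);
  return attention > 0 ? 1 : 0;
}

main(process.argv);
```

Run it against each service's committed package-lock.json rather than a developer checkout: the deployed tree is what matters, and frameworks that bundle their own copy of the runtime will show up as nested paths. The "unlisted" and "review" results are deliberately not folded into "patched"; a canary build or an older major line still needs a person to look.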