Initially disclosed on December 3, 2025, the vulnerability carries a CVSS v3.x score of 10.0 and affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0.
Google warns that hundreds of exposed systems using frameworks such as Next.js remain vulnerable, allowing attackers to execute arbitrary code on servers via a crafted HTTP request.
The flaw stems from how React decodes payloads sent to React Server Function endpoints: a crafted request body reaches the decoder before any application-level authentication, so an unauthenticated remote attacker can obtain code execution on the server.
GTIG observed several active campaigns exploiting this flaw to deploy backdoors, tunneling utilities, and cryptocurrency miners.
Systems that ship a vulnerable React package can still be exploited even if the application makes no direct use of Server Functions; exposure is determined by the presence of the affected package, not by whether the feature is used.
GTIG reports that China-nexus threat clusters such as UNC6600, UNC6586, UNC6588, and UNC6603 are leveraging the React2Shell vulnerability in targeted intrusions.
UNC6600 deployed a tunneling tool, MINOCAT, that establishes persistence via cron jobs and systemd services.
Another actor, UNC6586, used the flaw to deliver the SNOWLIGHT downloader, which connects to the command-and-control domain reactcdn windowserrorapis[.]com to retrieve further payloads.
In other campaigns, the COMPOOD backdoor was distributed via malicious scripts masquerading as system utilities.
At the same time, HISONIC, a Go-based implant utilizing encrypted configurations hosted on Cloudflare Pages and GitLab, was deployed against cloud infrastructure in the Asia-Pacific region.
GTIG also identified ANGRYREBEL.LINUX, malware disguised as the SSH daemon, using anti-forensic measures like timestomping and history cleaning.
Financially motivated attackers have also joined the wave of exploitation. Beginning December 5, GTIG observed incidents involving XMRig cryptocurrency miners, downloaded via a malicious script named sex.sh, which created persistence using a fake systemd service titled “system-update-service.”
Google warns that several exploit repositories, some functional, some fake, are circulating online, increasing risk for defenders and researchers alike.
Organizations are urged to upgrade to React 19.0.1, 19.1.2, or 19.2.1 or later (the fixed release for each affected minor line), to deploy Google's interim Cloud Armor WAF rules where Google Cloud is in use as a stopgap until the upgrade lands, and to monitor for anomalies such as hidden directories ($HOME/.systemd-utils), unexpected systemd units and cron entries, and suspicious outbound traffic.
Indicators of compromise tied to these campaigns include IP addresses such as 45.76.155[.]14, 82.163.22[.]139, and SHA256 samples for MINOCAT, COMPOOD, and SNOWLIGHT, shared publicly via GTIG’s VirusTotal threat intelligence collection.
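The upgrade guidance and the host and network indicators above translate directly into a triage check. The script below is an added example, not code from Google, GTIG, or the React project: it classifies an installed React version against the affected and fixed releases named in the article, and flags the hidden directory, the fake systemd unit, and the two C2 IP addresses the report lists. The file paths and the `ss`-style connection lines it runs on are constructed sample input; the unit-file naming (`system-update-service.service`) and the habit of reading `node_modules/react/package.json` are assumptions about how these indicators appear on a real host.

```python
"""Triage helpers for the React2Shell indicators listed in the GTIG report.

Added example; not code from Google/GTIG or the React project. Sample
paths and connection lines below are constructed for illustration.
"""
import json
import os
import re
from typing import Iterable, List, Optional, Tuple

# Fixed patch level per affected 19.x minor line, as given in the article:
# 19.0.1, 19.1.2, 19.2.1. Anything older within that line is vulnerable.
FIXED_PATCH = {0: 1, 1: 2, 2: 1}

# Host and network indicators named in the article (defanged there).
HIDDEN_DIR = ".systemd-utils"
FAKE_UNIT = "system-update-service"            # assumed to appear as <name>.service
C2_IPS = {"45.76.155.14", "82.163.22.139"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '19.1.1' (or '19.0', which the article uses for 19.0.0) into a tuple.

    Pre-release tags such as '-canary' are ignored and judged by their base.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip().lstrip("v"))
    if m is None:
        raise ValueError(f"unparseable React version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups(default="0"))
    return major, minor, patch


def react_is_vulnerable(version: str) -> bool:
    """True if the version is in the affected set the article describes."""
    major, minor, patch = parse_version(version)
    if major != 19 or minor not in FIXED_PATCH:
        return False            # 18.x and 19.3+ are not in the listed affected set
    return patch < FIXED_PATCH[minor]


def installed_react_version(project_root: str) -> Optional[str]:
    """Quick check of node_modules/react/package.json (the lockfile is the authority)."""
    pkg = os.path.join(project_root, "node_modules", "react", "package.json")
    try:
        with open(pkg, encoding="utf-8") as fh:
            return json.load(fh).get("version")
    except (OSError, ValueError):
        return None


def flag_paths(paths: Iterable[str]) -> List[str]:
    """Flag the hidden working directory and the fake systemd unit from the report."""
    hits = []
    for p in paths:
        parts = p.replace("\\", "/").split("/")
        if HIDDEN_DIR in parts:
            hits.append(f"hidden dir: {p}")
        if os.path.basename(p) in (FAKE_UNIT, FAKE_UNIT + ".service"):
            hits.append(f"fake systemd unit: {p}")
    return hits


def flag_connections(lines: Iterable[str]) -> List[str]:
    """Return `ss -ntp` / netstat style lines whose peer is one of the reported C2 IPs."""
    ip_re = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
    return [ln.strip() for ln in lines if C2_IPS & set(ip_re.findall(ln))]


if __name__ == "__main__":
    # Constructed sample inputs so the script runs offline; on a real host feed
    # os.walk() over home directories and /etc/systemd and the output of `ss -ntp`.
    sample_paths = [
        "/home/app/.systemd-utils/agent",
        "/etc/systemd/system/system-update-service.service",
        "/etc/systemd/system/ssh.service",
    ]
    sample_ss = [
        'ESTAB 0 0 10.0.0.5:48122 45.76.155.14:443 users:(("node",pid=1337,fd=21))',
        'ESTAB 0 0 10.0.0.5:51000 140.82.112.3:443 users:(("git",pid=20,fd=3))',
    ]
    for v in ("19.0", "19.1.1", "19.1.2", "19.2.1"):
        print(v, "VULNERABLE" if react_is_vulnerable(v) else "ok")
    for hit in flag_paths(sample_paths) + flag_connections(sample_ss):
        print("FINDING:", hit)
```

Run it on the application host after the upgrade as well as before: a clean version check says nothing about whether the box was already exploited, which is why the path and connection checks are separate from the version check.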
The post Multiple Hacker Groups Exploit React2Shell Vulnerability for Malware Deployment, Google Alerts appeared first on Cyber Security News.