React2Shell exploitation spreads as Microsoft counts hundreds of hacked machines
Summary
Microsoft reports that attackers have already compromised “several hundred machines” by exploiting CVE-2025-55182 — dubbed React2Shell — a critical flaw in React Server Components that permits arbitrary code execution on vulnerable backends. Exploitation has moved beyond proof-of-concept: adversaries are running commands, dropping malware (including memory-resident downloaders and cryptominers) and, in some incidents, deploying ransomware. Multiple security teams (Microsoft, GreyNoise, Palo Alto Networks, S-RM) describe rapid, large-scale abuse across sectors and regions, with many vulnerable instances still unpatched. Microsoft urges immediate patching, auditing of React Server Component deployments and vigilant monitoring for signs of compromise.
Key Points
- Microsoft confirms “several hundred” compromised systems via CVE-2025-55182 (React2Shell).
- The React Server Components flaw lets an unauthenticated attacker execute arbitrary commands on an exposed JavaScript application backend by sending crafted requests to the server-side endpoints that deserialize client payloads.
- Attackers have used the access to drop memory-based downloaders, cryptominers and, in some cases, deploy ransomware (S-RM observed real-world ransomware follow-on activity).
- Threat intelligence (GreyNoise, Palo Alto) reports sustained, industrial-scale exploitation since public disclosure.
- A large share of cloud environments are estimated to contain vulnerable instances, and roughly half of internet-exposed React instances remain unpatched.
- Microsoft’s recommended mitigations: apply available patches, audit exposed deployments and monitor networks and application logs for suspicious activity.
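A concrete form of the "audit exposed deployments" step, as an added example that is not Microsoft's guidance or the React project's own tooling: a Node script that walks a package-lock.json (lockfile v2/v3 "packages" map) for the React Server Components packages and flags copies below the fixed release. The affected package names (react, react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel) and the fixed versions 19.0.1, 19.1.2 and 19.2.1 are taken from the React team's advisory for CVE-2025-55182, not from this page, so check them against the advisory before relying on the output; the sample lockfile and the helper names are constructed for the example.

```javascript
// Added example, not code from the page, Microsoft or the React project.
// Assumption (from the React advisory for CVE-2025-55182, verify before use):
// the packages below are vulnerable on the 19.0.x, 19.1.x and 19.2.x lines,
// fixed in 19.0.1, 19.1.2 and 19.2.1. Other lines are out of scope here.

const AFFECTED_PACKAGES = new Set([
  "react",
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);

// First patched release per affected minor line (assumption, see above).
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parse "v?MAJOR.MINOR.PATCH[-prerelease]" into [major, minor, patch].
// Prerelease/canary suffixes are ignored, so "19.2.0-canary-x" is treated as
// 19.2.0 and flagged; erring on the side of flagging is the intent.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric compare, so 19.2.0 sorts before 19.10.0 (string compare would not).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Returns the version the package should be upgraded to, or null if the
// installed version is patched or on a line this check does not cover.
function vulnerableTo(version) {
  const [major, minor] = parseVersion(version);
  const fixed = FIXED_BY_MINOR[`${major}.${minor}`];
  if (!fixed) return null;
  return compareVersions(version, fixed) < 0 ? fixed : null;
}

// Walk every installed copy, including nested ones such as
// "node_modules/some-lib/node_modules/react-server-dom-webpack".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const fixed = vulnerableTo(entry.version);
    if (fixed) findings.push({ path, name, version: entry.version, fixed });
  }
  return findings;
}

function auditFile(lockPath) {
  const fs = require("node:fs");
  return auditLockfile(JSON.parse(fs.readFileSync(lockPath, "utf8")));
}

// Constructed sample lockfile (not from a real project): one vulnerable
// react, one vulnerable and one patched RSC package, one unrelated dependency.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// CLI: node audit-rsc.js path/to/package-lock.json  (exit 1 if anything is flagged)
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const findings = auditFile(process.argv[2]);
  for (const f of findings) {
    console.log(`${f.path}: ${f.name}@${f.version} -> upgrade to ${f.fixed}`);
  }
  process.exitCode = findings.length ? 1 : 0;
}
```

Run it against each deployed application's lockfile rather than the repository's, since what is installed on the server is what matters. Two caveats: Next.js ships its own compiled copy of the react-server-dom-* packages inside the `next` package, which a lockfile walk does not see, so a Next.js app must additionally be checked against Vercel's advisory for this CVE; and a lockfile check says nothing about whether a host was already exploited, which is what the monitoring step is for.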
Context and relevance
React Server Components are widely adopted to improve server-side rendering and performance, which increases the blast radius when a critical bug appears. Because the flaw sits in the web application layer itself, the exploit arrives as an ordinary HTTP request to the app: initial access blends with legitimate traffic and lands inside the application process, with that process's credentials, secrets and network reach, a convenient foothold for lateral movement and payload delivery. This incident highlights a recurring trend: popular web frameworks become prime targets for large-scale automated scanning and mass exploitation as soon as a flaw is disclosed.
Why should I read this?
Short version: if you run React Server Components anywhere, this is one you can’t ignore. Patch, check your deployments and hunt for odd app traffic — attackers are already using the bug to push malware and ransomware. Read this so you can act before your stack becomes part of someone else’s crypto‑mining farm or ransom note.
Author style
Punchy: this is high‑impact and fast‑moving — mass compromise plus ransomware means it’s not just a developer headache, it’s a real operational risk. If you manage web apps or cloud services, the details matter: patching and audit steps can stop a compromise turning into an incident.
