Google Finds Server Takeovers Linked to React2Shell Exploitation

Google warns that attackers are actively exploiting React2Shell to hijack unpatched servers.

Written by Ken Underhill
Dec 16, 2025

Google is warning that multiple threat actor groups are actively exploiting a critical vulnerability in React Server Components, allowing attackers to take full control of vulnerable servers without authentication. 

The flaw, known as React2Shell, has quickly become a high-value target following its public disclosure, with attackers ranging from nation-state espionage groups to financially motivated cybercriminals.

The “… number of legitimate exploits and their capabilities have massively expanded, including in-memory Next.js web shell deployment capabilities,” said Google researchers.

React2Shell Carries Critical Risk

React2Shell, tracked as CVE-2025-55182, affects specific versions of React Server Components and Next.js — frameworks that underpin a significant portion of modern web applications. 

Because exploitation does not require authentication, any internet-facing, unpatched application using affected versions may be immediately exposed to remote compromise. The vulnerability carries a CVSS score of 10.0.

Google’s full advisory details how multiple threat groups are abusing the flaw to deploy malware across unpatched environments, underscoring the urgent need for organizations to review their React and Next.js deployments.


Threat Actors Leveraging React2Shell

Google researchers have identified several active campaigns exploiting React2Shell shortly after disclosure. 

China-linked espionage groups are among the most advanced actors observed. 

One group, tracked as UNC6600, has used the vulnerability to deploy the MINOCAT tunneler, a tool designed to maintain stealthy, long-term access to compromised networks.

Another group, UNC6603, has been observed deploying an updated variant of the HISONIC backdoor, which blends its command-and-control (C2) traffic into legitimate cloud services such as Cloudflare. 

This technique allows attackers to hide malicious activity within normal network traffic, complicating detection and response.

Financially motivated attackers are also exploiting the flaw. In at least one confirmed case, threat actors used React2Shell to install the XMRig cryptocurrency miner, hijacking server resources to generate cryptocurrency. 

Additional malware families observed in the campaigns include the SNOWLIGHT downloader, which pulls in secondary payloads, and the COMPOOD backdoor, commonly used for data theft and persistent access.


Why React2Shell Is High Risk

React2Shell stems from a flaw in how React Server Components handle server-side rendering logic, enabling attackers to execute arbitrary commands remotely. 

Because the vulnerability does not require valid credentials, it bypasses traditional access controls entirely.

The risk has increased further as Google confirmed that functional exploit code is now publicly available. 

While some early proof-of-concept (PoC) exploits were incomplete or non-functional, reliable tools capable of installing in-memory web shells are now circulating. 

This dramatically lowers the barrier to entry for attackers and increases the likelihood of widespread exploitation.

The combination of unauthenticated access, maximum severity, and publicly available exploit code makes React2Shell particularly dangerous for organizations that delay patching.


Layered Defenses for React2Shell

Security teams should assume attackers may already be attempting or have achieved initial access. 

Effective response requires a layered approach that combines rapid remediation, enhanced detection, and containment controls.

  • Immediately identify affected React Server Components or Next.js deployments and apply the latest security patches.
  • Review application and server logs for suspicious command execution, outbound connections, and abnormal resource usage.
  • Deploy WAF, RASP, and runtime monitoring to detect exploitation attempts, in-memory web shells, and Node.js abuse.
  • Enforce least-privilege execution, container hardening, and segmentation to limit post-exploitation impact.
  • Restrict outbound network traffic and monitor DNS and egress activity to disrupt payload delivery and command-and-control.
  • Assume potential compromise by hunting for persistence, rebuilding affected systems, and rotating exposed credentials.
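The first step in that list, finding every deployment that carries an affected React or Next.js version, is tedious to do by hand across many repositories. The following script is an added example for this article, not code from Google or from the React or Next.js projects. It walks a source tree, reads each npm lockfile (`package-lock.json`, lockfile version 2 or 3) and reports every installed copy of `react`, `react-dom` and `next`, including nested copies buried under another dependency, comparing each against an operator-supplied minimum patched version. The package names `react` and `next` come from the article; `react-dom` is included because it ships alongside `react` in practice. The `MINIMUM` floors and the embedded sample lockfile are constructed placeholders, not the real fixed versions, which must be taken from the vendor advisories.

```python
"""Inventory React / Next.js versions across npm lockfiles and flag copies
that fall below an operator-supplied minimum patched version.

Added example; not the article's or the React/Next.js projects' own code.
Handles package-lock.json lockfileVersion 2 and 3 (the "packages" map)."""
import json
import re
from pathlib import Path

# Packages to inventory. "react" and "next" are named in the article;
# "react-dom" is added here because it is installed alongside "react".
WATCHED = ("react", "react-dom", "next")

# PLACEHOLDER floors: replace with the fixed versions from the React and
# Next.js security advisories. These numbers are constructed for the demo.
MINIMUM = {"react": "19.1.0", "react-dom": "19.1.0", "next": "15.0.1"}

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(v):
    """Return a comparable tuple (major, minor, patch, is_release, prerelease).

    A final release sorts after any pre-release of the same core version
    (19.1.0 > 19.1.0-rc.1). Pre-releases of the same core version compare
    as plain strings, a simplification of full semver precedence."""
    m = _SEMVER.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is None, pre or "")


def installed_versions(lock):
    """Yield (package, version, path) for every watched package in a lockfile.

    Nested copies ("node_modules/a/node_modules/react") are reported too:
    a vulnerable nested copy is just as reachable as the top-level one."""
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # "" is the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        if name in WATCHED and "version" in meta:
            yield name, meta["version"], path


def audit_lockfile(lock, minimum):
    """Return a list of findings, one per installed watched package."""
    findings = []
    for name, version, path in installed_versions(lock):
        floor = minimum.get(name)
        if floor is None:
            status = "unknown"       # no floor supplied for this package
        elif parse_version(version) < parse_version(floor):
            status = "vulnerable"    # below the operator-supplied floor
        else:
            status = "patched"
        findings.append({"package": name, "version": version,
                         "path": path, "status": status})
    return findings


def scan_tree(root, minimum):
    """Audit every package-lock.json under root, skipping vendored copies
    inside node_modules. Returns {lockfile path: findings}."""
    results = {}
    for lockfile in Path(root).rglob("package-lock.json"):
        if "node_modules" in lockfile.parts:
            continue
        with lockfile.open(encoding="utf-8") as fh:
            results[str(lockfile)] = audit_lockfile(json.load(fh), minimum)
    return results


# Constructed sample lockfile (lockfileVersion 3) for a stand-alone run.
SAMPLE_LOCK = {
    "name": "constructed-sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-sample-app",
             "dependencies": {"next": "15.0.0", "react": "19.1.0"}},
        "node_modules/next": {"version": "15.0.0"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-dom": {"version": "19.1.0"},
        "node_modules/some-widget": {"version": "2.0.0"},
        # a second, older React pulled in transitively by some-widget
        "node_modules/some-widget/node_modules/react": {
            "version": "19.0.0-canary.1"},
    },
}

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK, MINIMUM):
        print(f"{f['status']:<10} {f['package']}@{f['version']}  ({f['path']})")
```

Run against a real checkout with `scan_tree("/path/to/repos", MINIMUM)` once the floors are filled in from the advisories; anything reported as `vulnerable` or `unknown` is a deployment to patch or investigate, and the nested-copy handling is what catches a patched top-level React sitting next to an older transitive one.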

Together, these measures help security teams reduce exposure, detect active exploitation, and contain the blast radius if attackers gain a foothold.


How Shared Frameworks Amplify Risk

The rapid exploitation of React2Shell underscores a familiar challenge in modern software development: vulnerabilities in widely used frameworks can quickly introduce broad risk across many environments. 

Because these frameworks are often deeply integrated into production applications and deployment pipelines, a single flaw can affect thousands of organizations simultaneously.

This pattern reflects a broader software supply chain security challenge, where shared dependencies and build systems can amplify the impact of a single vulnerability across countless downstream environments.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
