React2Shell to real-world breach: How an unpatched dev server led to a Windows compromise
ID: 8f2f02ea-c113-5100-b67f-cf5805905777
STIX ID: report--8f2f02ea-c113-5100-b67f-cf5805905777
Feed Name: ThreatLocker Blog
React2Shell (CVE-2025-55182) is a critical (CVSS 10.0) RCE in React Server Components that allows unauthenticated command execution via crafted HTTP POST requests. In the observed incidents, attackers exploited unpatched IIS development servers to attempt cryptojacking with xmrig, pivoted from Linux to Windows hosts, attempted persistence via AnyDesk and PowerShell shells, and employed evasion techniques. The report includes IOCs (hashes, IPs, domains, commands), analysis of the deployment and evasion scripts, and remediation recommendations such as immediate patching, application allowlisting, and least-privilege service accounts.
