Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)

ID: cd1ff6c2-1882-5b79-ad5e-e97668932dd8

STIX ID: report--cd1ff6c2-1882-5b79-ad5e-e97668932dd8

Feed Name: Threat Intelligence

Threat Score: 90/100

Date Published: 2025-12-12

Date Updated: 2026-04-27

Author: Google Threat Intelligence Group

GTIG reports active, widespread exploitation of CVE-2025-55182 ("React2Shell"), a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components. Multiple threat clusters, ranging from opportunistic cybercriminals to China-nexus espionage groups, have used the flaw to deploy tunnellers (MINOCAT), downloaders (SNOWLIGHT), backdoors (HISONIC, COMPOOD), and XMRIG miners. Observed activity includes persistence mechanisms and diverse payload formats, with global impact on unpatched React/Next.js workloads.