
Security Advisory: React2Shell (CVE-2025-55182) - Critical RCE Vulnerability

A critical vulnerability affecting React Server Components (RSC) is being actively exploited. Here's what to look for and what to do next.

December 12, 2025
Tech Brief | Vulnerability Assessment | Incident Response & Forensics

A critical vulnerability affecting React Server Components (RSC) is being actively exploited. On December 03, 2025, CVE-2025-55182 (nicknamed React2Shell) was publicly disclosed with a CVSS score of 10.0. Within hours, multiple China-nexus threat groups began targeting vulnerable applications.

This vulnerability affects:

  • React 19.x
  • Next.js 15.x and 16.x (when using App Router)
  • Other frameworks using RSC (Waku, Vite with RSC plugins)

Even applications that do not explicitly use server functions are vulnerable if they support RSC.

What Makes This Serious

The vulnerability allows unauthenticated remote code execution (RCE) through improper deserialization. What caught our attention is how quickly adversaries moved—exploitation attempts were observed in honeypots within hours of disclosure. We have seen everything from reconnaissance activity and credential harvesting to cryptominers and sophisticated backdoors using Sliver implants.

Detection Guidance

Linux Audit Configuration

If you are running vulnerable applications on Linux servers, these audit rules will help you catch suspicious activity. Below is a breakdown of the rule file, which we also provide for download in our GitHub repository at https://github.com/trustedsec/defensive-scripts/tree/main/React2Shell.

Monitor execution of reconnaissance commands commonly used post-exploitation:

-w /usr/bin/whoami -p x -k recon_commands
-w /usr/bin/id -p x -k recon_commands
-w /usr/bin/uname -p x -k recon_commands
-w /bin/hostname -p x -k recon_commands

Watch for unauthorized access to sensitive files:

Monitor modifications to shell configuration files (persistence technique):

-w /root/.bashrc -p wa -k shell_config_change
-w /root/.bash_profile -p wa -k shell_config_change
-w /root/.profile -p wa -k shell_config_change
-w /root/.zshrc -p wa -k shell_config_change
-w /root/.zprofile -p wa -k shell_config_change
-w /home/*/.bashrc -p wa -k shell_config_change
-w /home/*/.bash_profile -p wa -k shell_config_change
-w /home/*/.profile -p wa -k shell_config_change
-w /home/*/.zshrc -p wa -k shell_config_change
-w /home/*/.zprofile -p wa -k shell_config_change
-w /etc/profile -p wa -k shell_config_change
-w /etc/bash.bashrc -p wa -k shell_config_change
-w /etc/zsh/zshrc -p wa -k shell_config_change

Track cron job creation and modification (common persistence mechanism):

-w /etc/crontab -p wa -k cron_modification
-w /etc/cron.d/ -p wa -k cron_modification
-w /etc/cron.daily/ -p wa -k cron_modification
-w /etc/cron.hourly/ -p wa -k cron_modification
-w /etc/cron.monthly/ -p wa -k cron_modification
-w /etc/cron.weekly/ -p wa -k cron_modification
-w /var/spool/cron/ -p wa -k cron_modification
-w /var/spool/cron/crontabs/ -p wa -k cron_modification

# Monitor crontab command usage
-w /usr/bin/crontab -p x -k crontab_execution

Monitor suspicious file writes in common staging locations:

-w /tmp/ -p wa -k tmp_writes
-w /var/tmp/ -p wa -k tmp_writes
-w /dev/shm/ -p wa -k shm_writes

Track spawning of shells by Node.js processes (adjust path to your Node installation):

-a exit,always -F arch=b64 -S execve -F exe=/usr/bin/node -k node_shell_spawn

Monitor attempts to access cloud metadata services:

-w /proc/net/arp -p r -k cloud_metadata
-a always,exit -F arch=b64 -S socket -F a0=2 -F success=1 -k outbound_connection

Watch for common post-exploitation tools:

-w /usr/bin/nc -p x -k netcat_exec
-w /usr/bin/ncat -p x -k netcat_exec
-w /usr/bin/curl -p x -k web_tools
-w /usr/bin/wget -p x -k web_tools

Monitor base64 operations (often used for payload encoding):

-w /usr/bin/base64 -p x -k encoding_tools

Watch for systemd service manipulation (another persistence technique):

-w /etc/systemd/system/ -p wa -k systemd_modification
-w /usr/lib/systemd/system/ -p wa -k systemd_modification
-w /home/*/.config/systemd/user/ -p wa -k systemd_user_modification

After adding these rules to /etc/audit/rules.d/react2shell.rules, load them:

auditctl -R /etc/audit/rules.d/react2shell.rules
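As an added example (not part of the advisory or the TrustedSec repository), the Python script below reads raw auditd records of the kind these rules produce and ties each executed command back to the process tree that launched it. An execve SYSCALL record names the program that was just executed, so whether a recon command came from the Node.js application or from an administrator has to be recovered by following ppid links across events; the script does that and reports only watched programs that have a Node.js ancestor. The log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not from a real incident): a Node.js app (pid 1340)
# runs `sh -c whoami`, while an unrelated admin process (ppid 900) also runs whoami.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1765000000.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1340 uid=1001 comm="node" exe="/usr/bin/node" key=(null)
type=SYSCALL msg=audit(1765000000.555:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=1340 pid=1422 uid=1001 comm="sh" exe="/usr/bin/dash" key=(null)
type=EXECVE msg=audit(1765000000.555:2002): argc=3 a0="sh" a1="-c" a2="whoami"
type=SYSCALL msg=audit(1765000000.560:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=1422 pid=1423 uid=1001 comm="whoami" exe="/usr/bin/whoami" key="recon_commands"
type=EXECVE msg=audit(1765000000.560:2003): argc=1 a0="whoami"
type=SYSCALL msg=audit(1765000001.001:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1500 uid=0 comm="whoami" exe="/usr/bin/whoami" key="recon_commands"
type=EXECVE msg=audit(1765000001.001:2004): argc=1 a0="whoami"
"""
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Binaries the advisory's rules watch, plus the shells an injected command runs through.
WATCHED = {"whoami", "id", "uname", "hostname", "nc", "ncat", "curl", "wget",
           "base64", "crontab", "sh", "dash", "bash"}

def parse_events(log_text):
    """Group raw records by audit event serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, _ts, serial, rest = m.groups()
            events[int(serial)][rtype] = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return events

def find_node_spawned(log_text):
    """Return [(serial, command line)] for watched programs executed under a Node.js ancestor."""
    proc, hits = {}, []  # proc: pid -> (exe, ppid) as last seen here (approximate: pids recycle)
    for serial, recs in sorted(parse_events(log_text).items()):
        sc = recs.get("SYSCALL")
        if not sc or sc.get("syscall") != "59":  # 59 = execve on x86_64
            continue
        proc[sc["pid"]] = (sc["exe"], sc["ppid"])
        cur, depth = sc["ppid"], 0
        while cur in proc and depth < 32:  # walk up the parent chain this log has told us about
            if proc[cur][0].endswith("/node"):
                break
            cur, depth = proc[cur][1], depth + 1
        else:
            continue  # no Node.js process among the known ancestors
        if sc["exe"].rsplit("/", 1)[-1] in WATCHED:
            ev = recs.get("EXECVE", {})
            argv = [ev[f"a{i}"] for i in range(int(ev.get("argc", 0)))] or [sc["exe"]]
            hits.append((serial, " ".join(argv)))
    return hits
```

Run it against an export of /var/log/audit/audit.log (for example from ausearch --raw); since pids are recycled, treat the recovered ancestry as a hunting lead rather than proof.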

Sigma Rules for Exploitation Detection

TrustedSec is providing the following Sigma rules in the same GitHub repository, alongside the audit rule file, to help you build detections:

  • react2shell_http_exploitation.yml - Detects HTTP exploitation attempts via POST requests with React Server Action payloads
  • react2shell_suspicious_node_execution.yml - Identifies suspicious commands spawned by Node.js processes
  • react2shell_file_credential_access.yml - Catches post-exploitation file and credential access patterns
  • react2shell_cloud_metadata_access.yml - Detects attempts to access AWS/cloud metadata services
  • react2shell_shell_config_modification.yml - Monitors shell configuration file modifications for persistence
  • react2shell_cron_creation.yml - Detects cron job creation/modification by Node.js processes
  • react2shell_suspicious_crontab.yml - Identifies suspicious crontab command patterns
  • etherrat_dropper_download.yml - Detects EtherRAT dropper script downloads with fallback methods
  • etherrat_ethereum_rpc_c2.yml - Identifies EtherRAT's blockchain-based C2 communication
  • etherrat_nodejs_download.yml - Catches suspicious Node.js runtime downloads to unusual locations
  • etherrat_multi_persistence.yml - Detects simultaneous creation of multiple persistence mechanisms

Immediate Actions

If you are running React 19.x or Next.js 15.x/16.x in your environment:

  • Patch immediately—update to the latest patched versions.
  • Deploy the detection rules above to start hunting for indicators.
  • Review your logs for POST requests with next-action or rsc-action-id headers.
  • Check for unexpected process execution spawned by Node.js applications.
  • Look for reconnaissance activity, including commands like whoami, id, and uname from application processes.
  • Audit shell configuration files, checking .bashrc, .bash_profile, .profile, and .zshrc for unauthorized modifications.
  • Review cron jobs and examine all crontabs for suspicious entries:

    # List all user crontabs
    for user in $(cut -f1 -d: /etc/passwd); do
        echo "=== Crontab for $user ==="
        crontab -u "$user" -l 2>/dev/null
    done

    # Check system-wide cron files
    cat /etc/crontab
    ls -la /etc/cron.d/
    ls -la /etc/cron.daily/
    ls -la /etc/cron.hourly/
    ls -la /var/spool/cron/crontabs/
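For the log review step above (POST requests with next-action or rsc-action-id headers), here is an added example that is not TrustedSec's code: it pulls those requests out of a JSON-lines reverse-proxy log, matches header names case-insensitively, and groups them by source, flagging any source that appears in the advisory's indicator list. The log format and its field names are assumptions, and the traffic is constructed; standard access-log formats do not record request headers, so the proxy or application has to be configured to log them before this review is possible.

```python
import json
from collections import defaultdict

# Request headers named in the advisory; compared case-insensitively because HTTP header
# names are (a proxy may log "Next-Action" for a client's "next-action").
RSC_ACTION_HEADERS = {"next-action", "rsc-action-id"}
# Addresses from the advisory's "Known Threat Actor Infrastructure" list.
KNOWN_INFRA = {"206.237.3.150", "45.77.33.136", "143.198.92.82", "183.6.80.214"}

# Constructed JSON-lines access log from a reverse proxy set up to record request headers.
# Field names (remote_addr, method, path, headers) are assumptions; the traffic is not real.
SAMPLE_ACCESS_LOG = """\
{"remote_addr": "203.0.113.10", "method": "POST", "path": "/", "headers": {"Next-Action": "7f3a", "User-Agent": "Mozilla/5.0"}}
{"remote_addr": "203.0.113.10", "method": "POST", "path": "/api/contact", "headers": {"next-action": "7f3a", "User-Agent": "Mozilla/5.0"}}
{"remote_addr": "198.51.100.7", "method": "GET", "path": "/", "headers": {"Accept": "text/html"}}
{"remote_addr": "198.51.100.7", "method": "POST", "path": "/login", "headers": {"Content-Type": "application/x-www-form-urlencoded"}}
{"remote_addr": "192.0.2.44", "method": "POST", "path": "/dashboard", "headers": {"RSC-Action-Id": "c0ffee", "User-Agent": "curl/8.0"}}
{"remote_addr": "206.237.3.150", "method": "POST", "path": "/", "headers": {"Next-Action": "0000", "User-Agent": "python-requests/2.31"}}
"""

def rsc_action_posts(log_text):
    """Return {remote_addr: [(path, header_name, header_value, known_infrastructure), ...]}."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        headers = {name.lower(): value for name, value in rec.get("headers", {}).items()}
        for name in sorted(RSC_ACTION_HEADERS.intersection(headers)):
            src = rec["remote_addr"]
            by_source[src].append((rec["path"], name, headers[name], src in KNOWN_INFRA))
    return dict(by_source)

def summarize(log_text):
    """One row per source, worst first: known infrastructure, then by request count."""
    rows = []
    for src, reqs in rsc_action_posts(log_text).items():
        paths = sorted({path for path, *_ in reqs})
        rows.append((src, len(reqs), reqs[0][3], paths))
    rows.sort(key=lambda r: (not r[2], -r[1], r[0]))
    return rows

if __name__ == "__main__":
    for src, count, known, paths in summarize(SAMPLE_ACCESS_LOG):
        flag = "KNOWN ACTOR INFRASTRUCTURE" if known else "review"
        print(f"{src:16} {count:3d} RSC action POST(s) to {', '.join(paths)} [{flag}]")
```

Legitimate Server Action calls carry the same headers, so the output is a list of sources to review against your own application's expected traffic, not an alert list.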

Known Threat Actor Infrastructure

Be on the lookout for connections to or from these indicators:

  • 206.237.3[.]150 (Earth Lamia)
  • 45.77.33[.]136 (Jackpot Panda)
  • 143.198.92[.]82
  • 183.6.80[.]214
  • Domains: anywherehost[.]site, inerna1[.]site, keep.camdvr[.]org

We're Here to Help

If you discover suspicious activity that might indicate exploitation, or if you would like assistance reviewing your environment for exposure, the TrustedSec Incident Response team is available to help. If you want to confirm that you have proper coverage of these events and alerts for these behaviors, our Purple Team can also help ensure that a robust audit policy is in place, that event sources are ingested, and that your SIEM is configured to alert on these indicators.

We are monitoring this threat closely and will provide updates as the situation develops.

If you need help and are interested in TrustedSec's Incident Response or other security services, please feel free to contact us!

Stay secure,
TrustedSec Incident Response Team