Overview
Description
Statistics
- 46 Posts
- 45 Interactions
Fediverse
Pretty much every site on our network has been scanned and attempted to be exploited so far for CVE-2025-55182 (React2Shell)
If you didn't patch over the weekend, it might be safe to consider it compromised.
First attempt I see on the logs was on:
2025-12-03 21:00:24 18.182.x.z 403 "POST /_next/static/chunks/react-flight HTTP/1.1" "-" "Mozilla/5.0 (CVE-2025-55182 PoC)"
Before most people were even aware of it.
New telemetry from AWS shows exploit attempts against React2Shell (CVE-2025-55182, CVSS 10) starting within hours of disclosure, coming from infrastructure associated with two long-tracked China-linked clusters. Activity includes discovery commands, file writes, and probing other N-days.
Cloudflare’s brief outage during mitigations further highlights how fast large platforms now respond to critical RCEs.
💬 How do we realistically defend against same-day exploitation?
👍 Follow us for more detailed cyber reports.
#React2Shell #CVE202555182 #CyberSecurity #ThreatIntel #AppSec #WebSecurity #CloudSecurity #InfoSec
For those trying to determine React2Shell exposure: a reminder that Nuclei exists and this is the perfect use case.
https://docs.projectdiscovery.io/opensource/nuclei/overview
Test is in the templates repo: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-55182.yaml
~290 unique IPs now for React2Shell opportunistic activity.
These persistent IPs:
- 45[.]61[.]157[.]12
- 144[.]31[.]5[.]11
- 174[.]138[.]2[.]203
- 95[.]214[.]52[.]170
- 192[.]159[.]99[.]95
- 149[.]50[.]96[.]133
are responsible for ~78% (~218K) total React2Shell sessions we've seen since the start.
Moar charts/tables here: https://rud.is/r2s/r2s.html / https://viz.greynoise.io/tags/react-server-components-unsafe-deserialization-cve-2025-55182-rce-attempt?days=10
🚨 In this week’s Threat Alert article, we’re tracking the explosive rise of React2Shell (CVE-2025-55182) attacks. The CrowdSec Network has observed 15,725+ signals in 4 days, a single-day peak of 8,925, and 381 unique IPs already weaponizing the flaw.
Read the full analysis and protect your systems 👉 https://www.crowdsec.net/vulntracking-report/cve-2025-55182
Remember when we learned to carefully filter user input, especially before executing that input, and ESPECIALLY when we also learned that deserializing an object from user input had BETTER not have a dangerous constructor? In like 2002?
THAT WAS COOL.
@jssfr AFAIK, the affected packages are react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack → https://www.cve.org/CVERecord?id=CVE-2025-55182
AFAIK, Mastodon doesn't depend on these packages → https://github.com/mastodon/mastodon/blob/main/package.json
cc @renchap
At least 2 state actors are exploiting a recently disclosed vulnerability in the React framework's server components.
..began a few hours after the vulnerability, CVE-2025-55182, known as React2Shell, from last Wednesday
.. the attackers used anonymizing proxy servers and exploited other vulnerabilities. The attacks used private exploits
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
React2Shell has an enormous impact. According to the Stack Overflow Developer Survey 2025, more than ½ of web developers use React
https://survey.stackoverflow.co/2025/technology
Researchers have identified over 30 organizations affected by the React2Shell vulnerability (CVE-2025-55182), which is being exploited by an initial access broker linked to China's Ministry of State Security (MSS). The attacks involve stealing credentials and installing malware, with widespread scanning for the critical vulnerability observed globally.
https://therecord.media/researchers-track-dozens-react2shell-vuln
Two Chinese APTs, Earth Lamia and Jackpot Panda, are actively exploiting the React2Shell vulnerability (CVE-2025-55182) in React's server components, with attacks beginning within hours of its disclosure. This critical vulnerability, rated 10/10, impacts the deserialization process and allows attackers to execute malicious commands without authentication, posing a significant risk due to React's widespread use in web development.
https://risky.biz/risky-bulletin-apts-go-after-the-react2shell-vulnerability-within-hours/
🚨 React2Shell (CVE‑2025‑55182) in‑the‑wild exploitation & deep‑dive analysis. Critical RCE across React 19, Next.js & all RSC frameworks. Patch now.
https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
CVE-2025-55182: real shit
sees myself still using react 18 due to issues: I sleep
#thisshitissoass #security #react
Bluesky
Overview
- Sneeit
- Sneeit Framework
Description
Statistics
- 3 Posts
- 1 Interaction
Bluesky
Overview
- Apache Software Foundation
- Apache Tika core
- org.apache.tika:tika-core
Description
Statistics
- 3 Posts
- 7 Interactions
Fediverse
🚨CVE-2025-66516: Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF.
Scanner: https://github.com/Ashwesker/Blackash-CVE-2025-66516
CVSS: 10
Vendor/Product: Apache Tika
Affected modules:
▪️Apache Tika Core: org.apache.tika:tika-core versions 1.13 through 3.2.1
▪️Apache Tika Parsers: org.apache.tika:tika-parsers versions 1.13 before 2.0.0. In 1.x releases, the PDFParser was bundled in this module.
▪️Apache Tika PDF Parser Module: org.apache.tika:tika-parser-pdf-module versions 2.0.0 through 3.2.1
Advisory: https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
Defer to @todb on this as CVE expert(tm) but shouldn't CVE-2025-66516 have been an update of CVE-2025-54988? It's the same vulnerability.
https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
Description
Statistics
- 3 Posts
- 2 Interactions
Fediverse
https://www.cve.org/CVERecord?id=CVE-2022-37055 was added to the KEV Catalog.
Overview
- Infinera
- MTC-9
Description
Statistics
- 2 Posts
- 1 Interaction
Fediverse
🚨 CRITICAL: CVE-2025-27020 hits Infinera MTC-9 (R22.1.1.0275<R23.0). Missing SSH auth lets attackers run commands & access data. Upgrade to R23.0+ and restrict SSH immediately. https://radar.offseq.com/threat/cve-2025-27020-cwe-306-missing-authentication-for--156b66fd #OffSeq #Vulnerability #Infosec #NetworkSecurity
Infinera yikes.
https://www.cve.org/CVERecord?id=CVE-2025-27020
Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on the file system. This issue affects MTC-9: from R22.1.1.0275 before R23.0.
and
https://www.cve.org/CVERecord?id=CVE-2025-27019
Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows an attacker to utilize password-less user accounts and obtain system access by activating a reverse shell. This issue affects MTC-9: from R22.1.1.0275 before R23.0.
Overview
Description
Statistics
- 4 Posts
Fediverse
Bluesky
Overview
Description
Statistics
- 2 Posts
Fediverse
📰 SharePoint Flaw Chain Exploited to Deploy Warlock Ransomware
Ransomware alert: Storm-2603 exploits SharePoint flaws (CVE-2025-49706) to deploy Warlock ransomware. Attackers abuse the legitimate DFIR tool 'Velociraptor' to evade detection. Patch SharePoint now! ⚠️ #Ransomware #SharePoint #LotL
Overview
- Microsoft
- Windows
Description
Statistics
- 1 Post
- 2 Interactions
Fediverse
Microsoft has quietly fixed a #0day vulnerability in the Windows LNK file format
The vulnerability, CVE-2025-9491, has been exploited by 22 hacker groups since last year
The fixes have been rolled out in small portions since June
Microsoft initially refused to fix the issue after being notified of the attacks
https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html
Overview
Description
Statistics
- 1 Post
- 1 Interaction