Just in: Watch #React2Shell exploitation unfold over time in the map below (geo of source IPs attempting to exploit CVE-2025-55182).

#GreyNoise #ThreatIntel #CVE202555182 #Nextjs #Cybersecurity

❗ Aktualizujcie swoje UMAMI, pisaliśmy o nich niedawno. Podatność React:

"Podatność CVE-2025-55182, dotycząca RSC, występuje w wersjach 19.0, 19.1.0, 19.1.1 oraz 19.2.0 następujących modułów:

react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack"

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

React2Shell sfruttata da Lazarus? Nasce EtherRAT, il malware che vive sulla blockchain

Appena due giorni dopo la scoperta della vulnerabilità critica di React2Shell, i ricercatori di Sysdig hanno scoperto un nuovo malware, EtherRAT, in un’applicazione Next.js compromessa. Il malware utilizza gli smart contract di Ethereum per la comunicazione e ottiene persistenza sui sistemi Linux in cinque modi.

Gli esperti ritengono che il malware sia correlato agli strumenti utilizzati dal gruppo nordcoreano Lazarus. Tuttavia, EtherRAT differisce dai campioni noti per diversi aspetti chiave.

React2Shell (CVE-2025-55182) è una vulnerabilità critica nella popolare libreria JavaScript React di Meta.Il problema, che ha ricevuto un punteggio CVSS di 10 su 10, è correlato alla deserializzazione non sicura dei dati nei componenti di React Server e consente l’esecuzione di codice remoto sul server utilizzando una normale richiesta HTTP (senza autenticazione o privilegi).

Il bug riguarda le ultime versioni 19.0, 19.1.0, 19.1.1 e 19.2.0 nelle configurazioni predefinite, nonché il famoso framework Next.js. Le correzioni sono state rilasciate nelle versioni 19.0.1, 19.1.2 e 19.2.1 di React, nonché per le versioni di Next.js interessate.

Gli esperti avvertono che potrebbero verificarsi problemi simili in altre librerie con implementazioni di React Server, tra cui: plugin Vite RSC, plugin Parcel RSC, anteprima di React Router RSC, RedwoodSDK e Waku.

La vulnerabilità è già stata sfruttata dai gruppi di hacker cinesi Earth Lamia e Jackpot Panda e almeno 30 organizzazioni sono state colpite dagli attacchi.

Gli attacchi iniziano sfruttando la vulnerabilità React2Shell. Una volta sfruttata, un comando shell codificato in base64 viene eseguito sul sistema di destinazione. Questo comando viene utilizzato per scaricare uno script s.sh dannoso tramite curl, wget o python3. Il comando viene ripetuto ogni 300 secondi fino al completamento del download. Lo script risultante viene verificato, gli vengono concessi i permessi di esecuzione e viene avviato.

Lo script crea quindi una directory nascosta in $HOME/.local/share/, dove scarica la versione 20.10.0 del runtime Node.js legittimo direttamente dal sito web ufficiale nodejs.org. Quindi scrive un payload crittografato e un dropper JavaScript offuscato, che viene eseguito tramite il binario Node scaricato. Lo script si elimina quindi da solo.

Il dropper legge il blob crittografato, lo decrittografa utilizzando una chiave AES-256-CBC codificata e scrive il risultato come un altro file JavaScript nascosto. Il payload decrittografato è EtherRAT, distribuito utilizzando Node.js precedentemente installato.

Secondo gli esperti, EtherRAT utilizza gli smart contract di Ethereum per il controllo, rendendo gli aggressori resistenti al blocco. Il malware interroga simultaneamente nove provider RPC pubblici di Ethereum e seleziona il risultato in base al voto a maggioranza, proteggendo dall’avvelenamento di un singolo nodo o di un sinkhole.

Ogni 500 millisecondi, il malware invia URL casuali, simili agli indirizzi CDN, al suo server di comando e controllo ed esegue il codice JavaScript restituito tramite AsyncFunction. Questo fornisce agli aggressori una shell Node.js interattiva a tutti gli effetti.

Secondo gli analisti, gli hacker nordcoreani hanno già utilizzato contratti intelligenti per distribuire malware. Questa tecnica, chiamata EtherHiding, è stata descritta in report di Google e GuardioLabs . Sysdig osserva inoltre che il pattern di download crittografato in EtherRAT corrisponde a quello del malware BeaverTail, utilizzato nella campagna Contagious Interview collegata alla Corea del Nord.

Il rapporto sottolinea inoltre l’estrema aggressività di EtherRAT nei sistemi Linux. Il malware utilizza cinque meccanismi per insediarsi nel sistema infetto:

• cron;
• iniezione in bashrc;
• Avvio automatico XDG;
• servizio utente systemd;
• iniezione nel profilo.

Un’altra caratteristica unica di EtherRAT è la sua capacità di auto-aggiornamento. Il malware carica il suo codice sorgente su un endpoint API e riceve codice sostituito con le stesse funzionalità ma con un offuscamento diverso. Il malware si sovrascrive quindi e avvia un nuovo processo con il payload aggiornato. Secondo i ricercatori, questo aiuta a eludere i meccanismi di rilevamento statici, può ostacolare l’analisi o aggiungere funzionalità specifiche.

Nel suo rapporto, Sysdig fornisce un breve elenco di indicatori di compromissione relativi all’infrastruttura di distribuzione EtherRAT e ai contratti Ethereum. I ricercatori raccomandano di verificare la presenza dei meccanismi di persistenza elencati, di monitorare il traffico RPC di Ethereum, di monitorare i log delle applicazioni e di ruotare regolarmente le credenziali.

L'articolo React2Shell sfruttata da Lazarus? Nasce EtherRAT, il malware che vive sulla blockchain proviene da Red Hot Cyber.

It didn’t take long: CVE-2025-55182 is now under active exploitation

On December 4, 2025, researchers published details on the critical vulnerability CVE-2025-55182, which received a CVSS score of 10.0. It has been unofficially dubbed React4Shell, as it affects React Server Components (RSC) functionality used in web applications built with the React library. RSC speeds up UI rendering by distributing tasks between the client and the server. The flaw is categorized as CWE-502 (Deserialization of Untrusted Data). It allows an attacker to execute commands, as well as read and write files in directories accessible to the web application, with the server process privileges.

Almost immediately after the exploit was published, our honeypots began registering attempts to leverage CVE-2025-55182. This post analyzes the attack patterns, the malware that threat actors are attempting to deliver to vulnerable devices, and shares recommendations for risk mitigation.

A brief technical analysis of the vulnerability

React applications are built on a component-based model. This means each part of the application or framework should operate independently and offer other components clear, simple methods for interaction. While this approach allows for flexible development and feature addition, it can require users to download large amounts of data, leading to inconsistent performance across devices. This is the challenge React Server Components were designed to address.

The vulnerability was found within the Server Actions component of RSC. To reach the vulnerable function, the attacker just needs to send a POST request to the server containing a serialized data payload for execution. Part of the functionality of the handler that allows for unsafe deserialization is illustrated below:

A comparison of the vulnerable (left) and patched (right) functions

CVE-2025-55182 on Kaspersky honeypots

As the vulnerability is rather simple to exploit, the attackers quickly added it to their arsenal. The initial exploitation attempts were registered by Kaspersky honeypots on December 5. By Monday, December 8, the number of attempts had increased significantly and continues to rise.

The number of CVE-2025-55182 attacks targeting Kaspersky honeypots, by day (download)

Attackers first probe their target to ensure it is not a honeypot: they run whoami, perform multiplication in bash, or compute MD5 or Base64 hashes of random strings to verify their code can execute on the targeted machine.

In most cases, they then attempt to download malicious files using command-line web clients like wget or curl. Additionally, some attackers deliver a PowerShell-based Windows payload that installs XMRig, a popular Monero crypto miner.

CVE-2025-55182 was quickly weaponized by numerous malware campaigns, ranging from classic Mirai/Gafgyt variants to crypto miners and the RondoDox botnet. Upon infecting a system, RondoDox wastes no time, its loader script immediately moving to eliminate competitors:

Beyond checking hardcoded paths, RondoDox also neutralizes AppArmor and SELinux security modules and employs more sophisticated methods to find and terminate processes with ELF files removed for disguise.

Only after completing these steps does the script download and execute the main payload by sequentially trying three different loaders: wget, curl, and wget from BusyBox. It also iterates through 18 different malware builds for various CPU architectures, enabling it to infect both IoT devices and standard x86_64 Linux servers.

In some attacks, instead of deploying malware, the adversary attempted to steal credentials for Git and cloud environments. A successful breach could lead to cloud infrastructure compromise, software supply chain attacks, and other severe consequences.

Risk mitigation measures

We strongly recommend updating the relevant packages by applying patches released by the developers of the corresponding modules and bundles.
Vulnerable versions of React Server Components:

• react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, 19.2.0)
• react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, 19.2.0)
• react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, 19.2.0)

Bundles and modules confirmed as using React Server Components:

• next
• react-router
• waku
• @parcel/rsc
• @vitejs/plugin-rsc
• rwsdk

To prevent exploitation while patches are being deployed, consider blocking all POST requests containing the following keywords in parameters or the request body:

• #constructor
• # proto
• #prototype
• vm#runInThisContext
• vm#runInNewContext
• child_process#execSync
• child_process#execFileSync
• child_process#spawnSync
• module#_load
• module#createRequire
• fs#readFileSync
• fs#writeFileSync
• s#appendFileSync

Conclusion

Due to the ease of exploitation and the public availability of a working PoC, threat actors have rapidly adopted CVE-2025-55182. It is highly likely that attacks will continue to grow in the near term.

We recommend immediately updating React to the latest patched version, scanning vulnerable hosts for signs of malware, and changing any credentials stored on them.

Indicators of compromise

Malware URLs
hxxp://172.237.55.180/b
hxxp://172.237.55.180/c
hxxp://176.117.107.154/bot
hxxp://193.34.213.150/nuts/bolts
hxxp://193.34.213.150/nuts/x86
hxxp://23.132.164.54/bot
hxxp://31.56.27.76/n2/x86
hxxp://31.56.27.97/scripts/4thepool_miner[.]sh
hxxp://41.231.37.153/rondo[.]aqu[.]sh
hxxp://41.231.37.153/rondo[.]arc700
hxxp://41.231.37.153/rondo[.]armeb
hxxp://41.231.37.153/rondo[.]armebhf
hxxp://41.231.37.153/rondo[.]armv4l
hxxp://41.231.37.153/rondo[.]armv5l
hxxp://41.231.37.153/rondo[.]armv6l
hxxp://41.231.37.153/rondo[.]armv7l
hxxp://41.231.37.153/rondo[.]i486
hxxp://41.231.37.153/rondo[.]i586
hxxp://41.231.37.153/rondo[.]i686
hxxp://41.231.37.153/rondo[.]m68k
hxxp://41.231.37.153/rondo[.]mips
hxxp://41.231.37.153/rondo[.]mipsel
hxxp://41.231.37.153/rondo[.]powerpc
hxxp://41.231.37.153/rondo[.]powerpc-440fp
hxxp://41.231.37.153/rondo[.]sh4
hxxp://41.231.37.153/rondo[.]sparc
hxxp://41.231.37.153/rondo[.]x86_64
hxxp://51.81.104.115/nuts/bolts
hxxp://51.81.104.115/nuts/x86
hxxp://51.91.77.94:13339/termite/51.91.77.94:13337
hxxp://59.7.217.245:7070/app2
hxxp://59.7.217.245:7070/c[.]sh
hxxp://68.142.129.4:8277/download/c[.]sh
hxxp://89.144.31.18/nuts/bolts
hxxp://89.144.31.18/nuts/x86
hxxp://gfxnick.emerald.usbx[.]me/bot
hxxp://meomeoli.mooo[.]com:8820/CLoadPXP/lix.exe?pass=PXPa9682775lckbitXPRopGIXPIL
hxxps://api.hellknight[.]xyz/js
hxxps://gist.githubusercontent[.]com/demonic-agents/39e943f4de855e2aef12f34324cbf150/raw/e767e1cef1c35738689ba4df9c6f7f29a6afba1a/setup_c3pool_miner[.]sh

MD5 hashes
0450fe19cfb91660e9874c0ce7a121e0
3ba4d5e0cf0557f03ee5a97a2de56511
622f904bb82c8118da2966a957526a2b
791f123b3aaff1b92873bd4b7a969387
c6381ebf8f0349b8d47c5e623bbcef6b
e82057e481a2d07b177d9d94463a7441

securelist.com/cve-2025-55182-…

In addition to React, CVE-2025-55182 impacts other frameworks, including Next.js, Waku, React Router, and RedwoodSDK. https://www.securityweek.com/wide-range-of-malware-delivered-in-react2shell-attacks/

🚨 With folks (rightfully) abandoning GitHub for other pastures, some are turning to self-hosting. One option is Gogs, and the epic team at Wiz says you gotta patch since there's an 0-day in the wild (pls RT for reach and someone pls post on the stupid fosstodon server b/c the folks there are likely to be doing this)

https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit

:uwasa_sana: Rumor has it attackers are exploiting a zero-day bug (CVE-2025-8110) in Gogs, a self-hosted Git service, allowing remote code execution. The vulnerability, discovered by Wiz researchers, affects Gogs versions 0.13.3 or earlier with open-registration enabled. While a fix is being developed, Wiz recommends disabling open-registration and limiting internet exposure.

The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. https://thehackernews.com/2025/12/unpatched-gogs-zero-day-exploited.html

Le patch pour la vulnérabilité CVE-2025-54100 peut avoir un impact sur vos scripts PowerShell https://www.it-connect.fr/windows-powershell-cve-2025-54100-impacts/ #Cybersécurité #Logiciel-OS #Powershell #Microsoft

A popular reverse proxy and ingress controller shipped misconfigured versions for the past five months.

The Traefik setting that enabled TLS verification was actually disabling it across the board.

https://aisle.com/blog/cve-2025-66491-traefiks-verifyon-turned-tls-off

Spectre on XiangShan for you low-level nerds. The post is six months old but the CVE was just published.

CVE-2025-63094

https://github.com/necst/aca25-xiangshan-spectre/blob/main/README.md

#OT #Advisory VDE-2024-076
BLE GATT Service Vulnerability in JBL Headphones

Due to improper BLE security configurations and lack of authentication on the GATT server of JBL LIVE PRO 2 TWS and JBL TUNE FLEX Headphones, unauthenticated users can read and write device control commands through the mobile app service.
#CVE CVE-2024-2104

https://certvde.com/en/advisories/vde-2024-076/

#oCSAF #CSAF https://harman.csaf-tp.certvde.com/.well-known/csaf/white/2025/hbsa-2025-0001.json