On 16 December 2025, several days after its public disclosure, the critical React2Shell vulnerability (CVE-2025-55182) continues to be widely exploited worldwide, with both the breadth of compromised systems and the number of threat actors involved rising sharply. Researchers have tracked at least 30 confirmed organizational breaches attributed to this flaw and estimate that tens of thousands of internet-exposed servers remain vulnerable; tracking projects report well over 77,000 affected IPs globally. A significant concentration of these unpatched systems is located in the United States and other Western countries, where scanning and exploitation traffic has surged.
Exploitation remains driven by unauthenticated remote code execution, where attackers send crafted HTTP requests to vulnerable React Server Components endpoints to execute arbitrary commands without any login or credentials. Early in the campaign, numerous malicious actors rapidly integrated publicly available proofs-of-concept into automated scanners and exploitation frameworks, enabling broad opportunistic abuse in addition to targeted operations.
Threat actor diversity has expanded substantially. Initial activity was dominated by China-linked advanced persistent threat groups such as Earth Lamia and Jackpot Panda, which began scanning and exploiting the vulnerability within hours of its disclosure. Since then, at least five additional Chinese state-aligned groups have been observed leveraging the flaw to deliver various malware payloads, including tunneling software, downloaders and backdoors. These groups include espionage-oriented clusters such as UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595, each using distinct malware families like Minocat, Snowlight, Compood, Hisonic and Angryrebel.
Alongside these Chinese groups, other nation-state actors have been observed exploiting the vulnerability. North Korean threat actors have weaponized React2Shell to deploy a sophisticated remote access trojan known as EtherRAT, notable for its use of Ethereum smart contracts for command-and-control, multiple Linux persistence mechanisms, and self-contained Node.js runtime components. This indicates advanced post-exploitation tooling beyond automated scanning. Iran-linked groups and financially motivated cybercriminals have also been connected to exploitation activity, deploying XMRig cryptocurrency mining software on unpatched systems, broadening the scope beyond East Asia-centric campaigns.
With a maximum severity score of 10, React2Shell now resembles a widening sinkhole rather than merely a severe vulnerability: there are over 116,000 vulnerable IP addresses currently being tracked, with over 80,000 of them in the United States. Every unpatched server deepens the collapse, drawing in more attackers, more tooling, and more victims by the day. The attack surface continues to expand faster than remediation efforts, and there is no indication that exploitation is slowing. Instead, the vulnerability is solidifying its status as a persistent and accelerating threat to internet-facing infrastructure worldwide.