Chain Reaction: Attack Campaign Activity in the Aftermath of React Server Components Vulnerability

Introduction and Vulnerability Overview 

Earlier this month, Imperva published an initial advisory outlining how our customers were protected against the newly disclosed React2Shell vulnerability (CVE-2025-55182) impacting React Server Components (RSC). That post focused on the essentials: a critical flaw arising from unsafe server-side deserialization of client-controlled RSC payloads, its potential to enable unauthenticated remote code execution, and how Imperva protects against it.

In this follow-up, we expand on that foundation by examining what makes this vulnerability so dangerous. We explore the real-world footprint of this vulnerability, look at how it has appeared in the wild across different countries and sites, examine recorded exploit attempts that use this vulnerability as an entry point in opportunistic malware campaigns, and assess how the flood of AI-generated PoCs is complicating real-world defenses. 

General Statistics 

Before diving into the technical details, let’s begin with a macro-view of its real-world impact across the globe. 

Over the past week, Imperva sensors recorded over 127 million requests related to React2Shell (CVE-2025-55182) probing and exploitation attempts, highlighting the scale and automation of the activity targeting this vulnerability. These attempts were spread across more than 87,000 distinct sites, showing that opportunistic scanning far outweighs targeted, single-tenant attacks.

Activity was observed against sites in 128 countries, with the United States and Singapore emerging as the most heavily targeted, underscoring the global reach of this CVE.

[Screenshot, 2025-12-11: attack attempts by targeted country]

The industry reach is widespread, although Education and Financial Services sites collectively account for almost half of all attacks.

[Screenshot: attack attempts by targeted industry]
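The macro view above (request volume, distinct sites and countries, top countries, industry share) is derived from per-request sensor events. The following is an added example, not Imperva's code, showing how those metrics are computed from raw events and how the "opportunistic scanning versus targeted attack" claim can be made measurable: a source address that hits at least `scanner_site_threshold` distinct sites is counted as a scanner, and the share of requests coming from such sources is reported. The event format, field names and the sample events (documentation-range IPs, `*.example` sites) are all constructed for this example.

```python
"""Aggregate constructed WAF sensor events for one CVE into macro-view metrics
and split the traffic into opportunistic scanners versus single-site sources.
Added example: the event schema and sample data are assumptions, not real data."""
from collections import Counter, defaultdict

CVE = "CVE-2025-55182"

# Constructed events, one per blocked request. "country" and "industry" describe
# the targeted site; "src" is the attacking address (RFC 5737 documentation ranges).
SAMPLE_EVENTS = [
    {"src": "203.0.113.7",  "site": "s1.example", "country": "US", "industry": "Education",          "cve": CVE},
    {"src": "203.0.113.7",  "site": "s2.example", "country": "SG", "industry": "Financial Services", "cve": CVE},
    {"src": "203.0.113.7",  "site": "s3.example", "country": "US", "industry": "Financial Services", "cve": CVE},
    {"src": "203.0.113.7",  "site": "s4.example", "country": "DE", "industry": "Healthcare",         "cve": CVE},
    {"src": "198.51.100.9", "site": "s1.example", "country": "US", "industry": "Education",          "cve": CVE},
    {"src": "198.51.100.9", "site": "s5.example", "country": "SG", "industry": "Education",          "cve": CVE},
    {"src": "198.51.100.9", "site": "s6.example", "country": "BR", "industry": "Retail",             "cve": CVE},
    {"src": "192.0.2.44",   "site": "s2.example", "country": "SG", "industry": "Financial Services", "cve": CVE},
    {"src": "192.0.2.44",   "site": "s2.example", "country": "SG", "industry": "Financial Services", "cve": CVE},
    # An event from an unrelated rule; it must be excluded from the CVE statistics.
    {"src": "192.0.2.10",   "site": "s7.example", "country": "US", "industry": "Business",           "cve": None},
]


def summarize(events, cve=CVE, scanner_site_threshold=3):
    """Return the per-CVE macro metrics plus a scanner/targeted split.

    A source is classed as a scanner when it hits >= scanner_site_threshold
    distinct sites; this is a heuristic chosen for the example, not a standard.
    """
    relevant = [e for e in events if e.get("cve") == cve]
    total = len(relevant)
    if total == 0:
        return {"requests": 0}

    sites_per_src = defaultdict(set)
    for e in relevant:
        sites_per_src[e["src"]].add(e["site"])
    scanners = {src for src, sites in sites_per_src.items()
                if len(sites) >= scanner_site_threshold}
    scanner_requests = sum(1 for e in relevant if e["src"] in scanners)

    countries = Counter(e["country"] for e in relevant)
    industries = Counter(e["industry"] for e in relevant)
    return {
        "requests": total,
        "distinct_sites": len({e["site"] for e in relevant}),
        "distinct_countries": len(countries),
        "top_countries": countries.most_common(2),
        # Share of all requests per targeted industry, largest first.
        "industry_share": {k: round(v / total, 2) for k, v in industries.most_common()},
        "scanner_sources": len(scanners),
        "single_site_sources": len(sites_per_src) - len(scanners),
        "scanner_request_share": round(scanner_requests / total, 2),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The threshold is deliberately a parameter: a source that repeatedly hits a single tenant (the `192.0.2.44` entries above) is exactly the pattern that separates a targeted campaign such as the Hong Kong one described later from background scanning, so it should be surfaced rather than folded into the scanner bucket.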

The PoC Slop

Shortly after the public disclosure of React2Shell (CVE-2025-55182), a flood of what claimed to be "proof-of-concept" exploits began circulating. As the original disclosure site warns, many of these PoCs were built on incorrect assumptions: they only work if the target explicitly exposes dangerous server-side functionality such as child_process.exec, vm.runInThisContext, or fs.writeFile, rather than exploiting the actual flaw in the RSC Flight deserialization logic.

This surge of AI-generated PoC samples has a harmful side effect: it muddies the waters for defenders. Instead of concentrating on the real vulnerability, security teams must sift through a sea of false or irrelevant exploit attempts. Attackers and bots are now producing a vast number of convincing-looking payloads, making it much harder for defenders to tell working exploits from background noise.

An example of an AI-generated PoC:

[Screenshot: AI-generated PoC]
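One practical way to cut through the noise is to triage collected PoCs and captured request bodies automatically, flagging the class the disclosure calls out as invalid (payloads that only work if the target exposes child_process.exec, vm.runInThisContext or fs.writeFile) and leaving everything else for manual review. The following is an added example, not code from the original post or from the disclosure site. The three indicator names come from the text above; the regular expressions, the escape/percent-decoding step and the constructed samples are this example's own assumptions. A "needs-review" verdict means only that none of the known-bogus indicators was found, not that the sample is a working exploit.

```python
"""Triage candidate React2Shell PoCs: flag samples that rely on the target
exposing dangerous Node.js primitives (an incorrect assumption per the
disclosure) and pass everything else through for manual review.
Added example; patterns and samples are constructed, not from the original post."""
import re
from urllib.parse import unquote

# Indicator patterns. The permissive separators (\W{0,4}) also catch variants such as
# require("child_process").exec and require('fs').writeFileSync. Assumed, not canonical.
BOGUS_ASSUMPTION_PATTERNS = {
    "child_process.exec": re.compile(r"child_process\W{0,4}exec(?:Sync)?\b", re.I),
    "vm.runInThisContext": re.compile(r"\bvm\W{0,4}runInThisContext\b", re.I),
    "fs.writeFile": re.compile(r"\bfs\W{0,4}writeFile(?:Sync)?\b", re.I),
}

# JavaScript-style \uXXXX and \xNN escapes, a common obfuscation layer in generated PoCs.
_ESC = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")


def normalize(sample: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding and JS escapes until the text stops changing."""
    text = sample
    for _ in range(max_rounds):
        decoded = unquote(text)
        decoded = _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), decoded)
        if decoded == text:
            break
        text = decoded
    return text


def triage(sample: str) -> dict:
    """Classify one sample as 'bogus-assumption' (known noise) or 'needs-review'."""
    text = normalize(sample)
    hits = [name for name, rx in BOGUS_ASSUMPTION_PATTERNS.items() if rx.search(text)]
    return {"verdict": "bogus-assumption" if hits else "needs-review", "indicators": hits}


def triage_all(samples: dict) -> dict:
    return {name: triage(body) for name, body in samples.items()}


def noise_share(results: dict) -> float:
    """Fraction of samples that were dismissed as known-bogus."""
    if not results:
        return 0.0
    bogus = sum(1 for r in results.values() if r["verdict"] == "bogus-assumption")
    return round(bogus / len(results), 2)


# Constructed samples standing in for collected PoC snippets / request bodies.
SAMPLES = {
    # Assumes the server will evaluate arbitrary JS and expose child_process.
    "poc_a": 'const { exec } = require("child_process"); exec("id > /tmp/o")',
    # Same assumption about vm, hidden behind double percent-encoding.
    "poc_b": "payload=vm%252ErunInThisContext%2528%2527process.env%2527%2529",
    # fs.writeFile with the leading "f" written as a \u escape.
    "poc_c": r'\u0066s.writeFile("/tmp/m","x")',
    # require('fs').writeFileSync variant.
    "poc_d": "require('fs').writeFileSync('/tmp/p', 'x')",
    # No known-bogus indicator: must be looked at by a human.
    "unknown": '{"action":"ping","n":1}',
}


if __name__ == "__main__":
    results = triage_all(SAMPLES)
    for name, r in results.items():
        print(f"{name}: {r['verdict']} {r['indicators']}")
    print("noise share:", noise_share(results))
```

Run over a feed of collected samples, the `noise_share` figure gives a team a quick measure of how much of the incoming "PoC" volume can be discarded before anyone spends time on it; the normalization loop matters because generated payloads frequently arrive percent-encoded or with escaped identifiers that a plain substring match would miss.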

Malicious campaigns

In the immediate aftermath of the React2Shell disclosure, Imperva Threat Research observed a large volume of malicious campaigns leveraging the vulnerability as an entry point. The following is a summary of just a few of the campaigns we observed, along with the relevant IoCs:

  1. Linux Remote Access Trojan Campaign
  2. XNote RAT
  3. Snowlight dropper
  4. ReactOnMyNuts: Botnet and Cryptominer spreader campaign
  5. Runnv Cryptojacking campaign

1. Linux Remote Access Trojan Campaign

Description:

A widespread campaign in which attackers leveraged the React Server Components vulnerability to download and run a malicious RAT executable. Once installed, the malware contacts a C2 server and retrieves JSON-based task instructions, such as running system commands, opening a reverse shell, and uploading or downloading files.

Top Targeted Countries: United States, Indonesia, Thailand, Brazil, United Kingdom

Top Targeted Industries: Telecom and ISPs, Business, Financial Services, Gambling

Malicious command:

[Screenshot: malicious command]

IoCs:

[Screenshot: IoCs]

2. XNote RAT

Description:

A highly targeted campaign, affecting only financial services sites in Hong Kong, that used the React2Shell vulnerability to deploy the XNote Linux remote access trojan. The XNote malware was first exposed by the Russian anti-virus company Doctor Web, who believe that there is "good reason to believe that some members of the Chinese hacker group called ChinaZ took part in the development of this Trojan."

[Screenshot: XNote RAT campaign]

Targeted Country: Hong Kong

Targeted Industry: Financial Services

Malicious command:

[Screenshot: malicious command]

IoCs:

[Screenshot: IoCs]

3. Snowlight dropper

Description:

A campaign focused on deploying the SnowLight dropper through the React2Shell vulnerability. SnowLight serves as both a first-stage foothold and a persistence mechanism, executing malicious scripts that retrieve and install additional, more advanced payloads, most notably the VShell Remote Access Trojan (RAT).

SnowLight is associated with Chinese state-sponsored threat actors tracked as UNC5174, a group known for targeting research and education institutions, businesses, charities, NGOs, and government organizations across Southeast Asia, the United States, and the United Kingdom.

Targeted Countries: Indonesia, Australia, United States, Kuwait

Targeted Industry: Financial Services, Telecom and ISPs, Retail

Malicious command:

[Screenshot: malicious command]

IoCs:

[Screenshot: IoCs]

4. ReactOnMyNuts: Botnet and Cryptominer spreader campaign

Description:

A campaign using the React2Shell vulnerability to spread both Mirai and XMRig cryptojacking samples hosted on shared server infrastructure. The attackers used the vulnerability to execute a one-liner command that downloads and installs both the Mirai botnet client and the XMRig cryptojacking malware.

[Screenshot: cryptojacker configuration showing wallet addresses]

Top Targeted Countries: United States, Australia, United Kingdom, Argentina, Colombia

Top Targeted Industries: Healthcare, Business, Financial Services, Computing & IT

Malicious commands:

[Screenshot: malicious commands]

IoCs:

[Screenshot: IoCs]

5. Runnv Cryptojacking campaign

Description:

A cryptojacking campaign with indicators of Chinese origin. The attackers used the React2Shell vulnerability to execute a dropper bash script that downloads several second-stage files, including further bash scripts and gzip-compressed data; together these make up the code and configuration of the cryptojacking operation. Looking up the wallet addresses used in the campaign showed that, at the time of investigation, the threat actors were earning around 170 USD per day, or around 62,050 USD per year.

[Screenshot: downloader script showing Chinese characters]

Crypto wallet address:

[Screenshot: crypto wallet address]

[Screenshot: campaign Monero wallet statistics]

Top Targeted Countries: United States, Brazil, United Kingdom, Colombia, Canada

Top Targeted Industries: Business, Financial Services, Lifestyle, Healthcare

Malicious commands:

[Screenshot: malicious commands]

IoCs:

[Screenshot: IoCs]

Conclusion

The React2Shell vulnerability has moved quickly from disclosure to widespread exploitation, with over 127 million attack attempts targeting more than 87,000 sites across 128 countries observed on the Imperva network alone within the first week. The campaigns documented here, from state-sponsored RATs to cryptojacking operations, demonstrate how rapidly threat actors weaponize critical vulnerabilities. Imperva Cloud WAF and On-Premises WAF customers remain fully protected against these exploitation attempts.
