A vulnerability in the React server was exploited

Exploitation activity against React Server Components has changed from widespread scanning to concentrated, high-volume attack campaigns two months after CVE-2025-55182 was made public.

Threat actors are actively using this critical vulnerability to deploy cryptocurrency miners and create persistent remote access, according to telemetry from GreyNoise gathered between January 26 and February 2, 2026. Although 1,083 distinct sources attempted exploitation, traffic has consolidated significantly: 56% of all malicious sessions observed were generated by two distinct IP addresses, suggesting automated, extensive infrastructure as opposed to manual testing.

Dominant actors and the threat landscape

The observed attacks use the public Metasploit module for CVE-2025-55182, which enables pre-authentication remote code execution (RCE) with a single malicious HTTP POST request. The primary threat actors have divided their goals into two categories:

The Campaign for Cryptomining (87.121.84[.]24): This actor downloads an XMRig binary from staging servers using a retrieval script, accounting for 22% of traffic (311,484 sessions). Payloads for this campaign are hosted on external infrastructure.

The Campaign for Interactive Access (193.142.147[.]209): This actor completely avoids staging servers, accounting for 34% of traffic (488,342 sessions). Rather than automated resource theft, the payload appears to be intended for interactive network pivots, as it opens a reverse shell directly back to the scanner IP on port 12323.

The cryptomining infrastructure has a history of malicious activity, according to a thorough analysis. Since 2020, attacker-controlled domains like mased[.]top and mercarios[.]buzz have been hosted on the main staging server, 205.185.127[.]97. Additionally, nearby IP addresses in the same subnet (87.121.84[.]25 and 87.121.84[.]45) are presently disseminating Gafgyt and Mirai variants, indicating that this subnet is a haven for botnet operators that target both consumer IoT devices and business servers.

Vulnerability Details

CVE-2025-55182 has a CVSS score of 10.0 and is a deserialization vulnerability in React Server Components. By altering serialized data that the server processes, it enables unauthenticated attackers to run arbitrary code.

| CVE ID | CVSS Score | Affected Software | Vulnerability Type |
| --- | --- | --- | --- |
| CVE-2025-55182 | 10.0 (Critical) | React Server Components | Insecure Deserialization |

Affected Versions: React 19.0.0, React 19.1.0 through 19.1.1, React 19.2.0

Patched Versions: React 19.0.1, 19.1.2, 19.2.1

Attackers are focusing on development ports in particular, probably searching for cases where developers have accidentally exposed the server to the public internet by using the --host 0.0.0.0 flag. The ports 443, 80, 3000, 3001, and 3002 are the most frequently targeted. It is recommended that security teams update to the most recent versions of React right away.

If patching is not possible, block the following indicators and limit network access to development ports.

Compromise Indicators (IOCs)

Network Indicators (IPv4)

| IP Address | Type | Association |
| --- | --- | --- |
| 193.142.147[.]209 | Attacker Source | Interactive Access/Reverse Shell |
| 87.121.84[.]24 | Attacker Source | XMRig Cryptominer Dropper |
| 205.185.127[.]97 | Staging Server | Payload Hosting |
| 176.65.132[.]224 | Staging Server | Payload Hosting |

Network Artifacts

Reverse shell port: TCP/12323

Traffic pattern: HTTP POST requests with odd Next-Action headers

SHA-256 file hash: XMRig Binary (ELF) was obtained from 205.185.127[.]97 (Hash pending further analysis).
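To hunt for the indicators above in existing logs, the following added example (not from the original report or from GreyNoise) flags inbound requests and outbound flows that match them. The event schema, the sample events and the rule names are assumptions made for illustration; the IP addresses, ports and the Next-Action header come from this page.

```python
import ipaddress

def refang(ioc):
    """Turn a defanged indicator (1.2.3[.]4) back into a matchable address."""
    return ioc.replace("[.]", ".")

# Indicators as listed on this page, stored defanged and refanged at load time.
ATTACKER_SOURCES = {refang(i) for i in ("193.142.147[.]209", "87.121.84[.]24")}
STAGING_SERVERS = {refang(i) for i in ("205.185.127[.]97", "176.65.132[.]224")}
REVERSE_SHELL_PORT = 12323
DEV_PORTS = {3000, 3001, 3002}

def triage(event):
    """Return the reasons one event matches the page's indicators (empty if none)."""
    reasons = []
    if event["dir"] == "in":
        src = event["src"]
        headers = {name.lower() for name in event.get("headers", {})}
        action_post = event.get("method") == "POST" and "next-action" in headers
        if src in ATTACKER_SOURCES:
            reasons.append("known-attacker-source")
        # Such a POST from the internet on a dev port means the server is exposed.
        if (action_post and event["dport"] in DEV_PORTS
                and ipaddress.ip_address(src).is_global):
            reasons.append("next-action-post-to-exposed-dev-port")
    else:  # outbound flow initiated by the server
        if event["dport"] == REVERSE_SHELL_PORT:
            reasons.append("egress-to-reverse-shell-port")
        if event["dst"] in ATTACKER_SOURCES | STAGING_SERVERS:
            reasons.append("egress-to-listed-ip")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that matched at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := triage(e))]

# Constructed sample events; the schema is hypothetical (map your own log fields).
SAMPLE = [
    {"dir": "in", "src": refang("193.142.147[.]209"), "dport": 3000,
     "method": "POST", "headers": {"Next-Action": "constructed"}},
    {"dir": "in", "src": "10.0.0.5", "dport": 3000,
     "method": "POST", "headers": {"Next-Action": "constructed"}},
    {"dir": "out", "dst": refang("193.142.147[.]209"), "dport": 12323},
    {"dir": "out", "dst": refang("205.185.127[.]97"), "dport": 80},
    {"dir": "in", "src": "10.0.0.5", "dport": 443, "method": "GET", "headers": {}},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE):
        print(index, ", ".join(reasons))
```

An outbound match on TCP/12323 or a staging server is the stronger signal, since it indicates a payload already ran on the host rather than an attempt that may have failed.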