CVE-2025-55182, also referred to as "React2Shell," is being actively weaponized by a recently discovered exploit toolkit called ILOVEPOOP to find and attack vulnerable Next.js and React Server Components (RSC) deployments. The findings come from the WXA Internet Abuse Signal Collective (WXA IASC), which mapped the campaign's infrastructure by correlating NetFlow telemetry, honeypot data, and enrichment datasets. React2Shell was publicly disclosed on December 4, 2025.

WXA's Niihama honeypot sensors detected active exploitation attempts within about 20 hours. Early traffic consisted of HTTP POST requests carrying a Next-Action: x header, an indicator associated with React Server Actions. Payloads were sent as multipart/form-data with consistent content lengths to paths such as /_next/flight, /_next/server-actions, /_react/flight, /_next/webpack-hmr, /login, and /api/login. More than 1,500 exploit attempts from more than 70 distinct IP addresses across several countries were recorded during the first month after disclosure, demonstrating rapid worldwide weaponization.

Operator Toolkit and Centralized Infrastructure

WXA telemetry points to extreme infrastructure centralization around two Netherlands-hosted IP addresses, 87.121.84[.]24 and 193.142.147[.]209. Over a three-month observation period these systems interacted with millions of unique source and destination IP addresses, producing over 22 million NetFlow records. According to independent GreyNoise reporting, the same two IPs were responsible for more than half of the React2Shell exploitation traffic observed during the monitored period.

The ILOVEPOOP toolkit, a unified exploit framework, was directly linked to one of these hosts, 87.121.84[.]24. The toolkit operates through nine scanner nodes hosted by providers in Poland, Germany, Bulgaria, and the Netherlands. Over a 30-day period it produced 672 exploit attempts, all sharing the same traits:

- a Next-Action: x header
- a static X-Nextjs-Request-Id of poop1234
- per-request X-Nextjs-Html-Request-Id identifiers of the form ilovepoop_*
- payload sizes between 507 and 522 bytes
- a six-path route sweep: /, /_next, /api, /_next/server, /app, and /api/route
- a rotating pool of eleven User-Agent strings

This homogeneous structure strongly suggests a single operator or a tightly controlled toolkit rather than separate opportunistic scanners.

Multi-Protocol Exploitation and ICS Reconnaissance

Beyond HTTP-based exploitation, the campaign displayed unusual multi-protocol behavior. Honeypot telemetry caught one scanner attempting to deliver a React2Shell payload to a POP3 daemon. This implies either a protocol-agnostic exploit engine that reuses the same RSC primitive across services, or a broad "spray-and-pray" delivery intended to evade port-based inspection. Separately, 87.121.84[.]24 conducted brief bursts of DNP3 traffic, an industrial control system (ICS) protocol, indicating reconnaissance beyond web targets.

After enrichment, roughly 65,000 high-confidence records within the NetFlow interactions sourced from the United States were linked to identifiable organizations. The largest exposure categories were:

- Software platforms and SaaS
- eCommerce and retail
- Government organizations
- Research and education
- Healthcare

Crucially, according to WhoisXMLAPI, 669 IPs seen interacting with the Netherlands exploit servers subsequently carried out hostile actions against the Niihama honeypots, including 23,415 SMB attempts, 17,405 RDP attempts, 7,772 SSH attempts, and over 25,000 credential-abuse attempts. NetFlow telemetry demonstrated strong early-warning value: in 91 cases it identified interaction with the exploit infrastructure a median of 45 days before direct honeypot attacks.
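A defender-side triage rule built from the HTTP indicators reported above (the Next-Action: x header, the poop1234 and ilovepoop_* request IDs, the 507 to 522 byte payloads, and the targeted paths). This is an added example, not code from WXA or the article; the Request record shape and the sample traffic are constructed assumptions.

```python
from dataclasses import dataclass

# Indicators quoted in the article: targeted paths, toolkit headers, payload sizes
RSC_PATHS = {"/_next/flight", "/_next/server-actions", "/_react/flight",
             "/_next/webpack-hmr", "/login", "/api/login"}
ILOVEPOOP_SWEEP = {"/", "/_next", "/api", "/_next/server", "/app", "/api/route"}
ILOVEPOOP_SIZES = range(507, 523)        # 507-522 bytes, inclusive


@dataclass
class Request:                  # assumed log record shape, not a real log format
    method: str
    path: str
    headers: dict               # raw header name -> value, any letter case
    content_length: int


def indicators(req: Request) -> list:
    """Every article indicator the request matches (possibly none)."""
    h = {k.lower(): v for k, v in req.headers.items()}   # case-insensitive lookup
    hits = []
    # Legitimate Server Action IDs are long hashes; a literal 'x' is the marker
    if req.method == "POST" and h.get("next-action") == "x":
        hits.append("next-action-x")
    if req.path in RSC_PATHS or req.path in ILOVEPOOP_SWEEP:
        hits.append("targeted-path")
    if h.get("x-nextjs-request-id") == "poop1234":
        hits.append("static-request-id")
    if h.get("x-nextjs-html-request-id", "").startswith("ilovepoop_"):
        hits.append("ilovepoop-html-id")
    if req.content_length in ILOVEPOOP_SIZES:
        hits.append("toolkit-size")
    return hits


def classify(req: Request) -> str:
    """Toolkit fingerprint beats generic probe; path or size alone never alerts."""
    hits = set(indicators(req))
    if hits & {"static-request-id", "ilovepoop-html-id"}:
        return "ilovepoop"
    if "next-action-x" in hits:
        return "react2shell-probe"
    return "benign"


# Constructed sample traffic (not real captures) for a quick run
SAMPLE_TRAFFIC = [
    Request("POST", "/_next/server", {"Next-Action": "x", "X-Nextjs-Request-Id":
            "poop1234", "X-Nextjs-Html-Request-Id": "ilovepoop_7"}, 515),
    Request("POST", "/login", {"next-action": "x"}, 2048),            # generic probe
    Request("POST", "/_next/flight", {"Next-Action": "3f9ad27c0b"}, 510),  # benign
]
```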