Critical Unauthenticated RCE in React Server Components Actively Exploited in the Wild
React2Shell is a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components (RSC) and frameworks that implement the Flight protocol, including specific vulnerable versions of Next.js. A remote attacker can craft a malicious RSC request that triggers server-side deserialization, leading to arbitrary code execution without authentication or user interaction.
Background
Due to the widespread use of React and Next.js in production environments, organizations are strongly urged to apply patches immediately, enforce WAF protections on RSC/Flight endpoints, and conduct proactive threat hunting. CISA has added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog following confirmed evidence of active exploitation. AWS Security has also reported exploitation activity originating from infrastructure historically linked to China state-nexus threat actors.
Successful exploitation can lead to:
- Full server compromise, including deployment of persistent backdoors
- Credential harvesting and access to sensitive application data
- Execution of arbitrary Node.js commands on the affected server
- Lateral movement across connected systems and cloud environments
Latest Development
Organizations should review the vendor advisories for complete version details, mitigation steps, and updated guidance. FortiGuard customers are protected by multiple layers of defense against these exploits. Refer to the Solutions tab for more information.
- December 12, 2025: Multiple threat actors exploit React2Shell, reported by Google Threat Intelligence Group.
  https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/
- December 05, 2025: CISA added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation.
- December 05, 2025: FortiGuard Labs released a Threat Signal for the React2Shell Remote Code Execution (RCE) Vulnerability.
  https://www.fortiguard.com/threat-signal-report/6281/react2shell-remote-code-execution-rce-vulnerability
- December 04, 2025: Lacework FortiCNAPP protection update and response added for the React and Next.js Remote Code Execution Vulnerability.
  https://community.fortinet.com/t5/Lacework/Technical-Tip-How-does-Lacework-FortiCNAPP-Protect-from-CVE-2025/ta-p/421658
- December 04, 2025: AWS Security observed exploitation activity originating from infrastructure historically linked to China-nexus threat actors, noting rapid mass exploitation of vulnerable internet-facing RSC/Next.js deployments.
- December 03, 2025: Next.js released a security advisory; the fix was published to npm and the issue was publicly disclosed as CVE-2025-55182.
  https://nextjs.org/blog/CVE-2025-66478
- November 30, 2025: Meta security researchers confirmed the vulnerability and began working with the React team on a fix.
- November 29, 2025: Lachlan Davidson reported the security vulnerability via Meta Bug Bounty.
  https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- Lure
- Decoy VM
- AV
- AV (Pre-filter)
- IPS
- Web App Security
- Web & DNS Filter
- IOC
- Outbreak Detection
- Cloud Threat Detection
- Automated Response
- Assisted Response Services
- NOC/SOC Training
- End-User Training
- Attack Surface Hardening