🚨 CRITICAL | intel

CVE-2025-55182: React2Shell Crisis Hits 50+ Victims, CISA Deadline Looms

React Server Components have a critical RCE (CVSS 9.9) that is being actively exploited by Earth Lamia, Jackpot Panda, and Red Menshen. Over 50 organizations have been compromised across the financial services, government, and tech sectors. Attackers deploy PeerBlight backdoors, CowTunnel proxy tunnels, ZinFoq post-exploitation frameworks, XMRig miners, Sliver C2, and Kaiji botnet components. Shadowserver identified 165,000+ vulnerable IPs and 644,000 vulnerable domains, 99,200 of them in the U.S. alone. CISA shortened the federal agency remediation deadline to December 31. Palo Alto confirms overlap with the Contagious Interview campaign (North Korea) and detects BPFDoor usage. More than 15 distinct threat clusters are exploiting the flaw, from opportunistic cryptominers to nation-state actors. VulnCheck observes nearly 100 public PoCs. Half of the exposed instances remain unpatched despite active exploitation since December 4.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Organizations running Next.js or React Server Components face nation-state and ransomware-scale compromise. With 50+ confirmed victims and 165K+ vulnerable instances, this rivals the Log4Shell impact trajectory. Multiple threat groups (North Korea's Contagious Interview, China's Earth Lamia/Jackpot Panda/Red Menshen) are all actively exploiting it. CISA's accelerated deadline signals that federal agencies are already compromised.

Technical Context: React2Shell exploits unsafe deserialization in RSC (CVSS 9.9, formerly rated 10.0) to achieve unauthenticated remote code execution, mapped to T1190 and T1059. Attack chains deploy diverse payloads: the PeerBlight backdoor with DHT C2, the CowTunnel reverse proxy for firewall bypass, the ZinFoq post-exploitation framework, XMRig miners, Sliver C2, Kaiji DDoS, the BPFDoor rootkit, and EtherHiding blockchain-based malware. Automated scanning identifies vulnerable Next.js instances within hours of disclosure.

Strategic Intelligence Guidance

  • Immediately patch all React Server Components deployments (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) or disconnect from internet per CISA mandate by December 31.
  • Hunt for compromise indicators: LOLlolLOL DHT node prefix (PeerBlight), GoogeBot user agent (ZinFoq), processes masquerading as ksoftirqd, unexpected FRP tunnels, XMRig processes.
  • Deploy WAF rules blocking React2Shell exploit patterns, enable verbose RSC endpoint logging, review logs since December 4 for exploitation attempts.
  • Segment web application tiers from critical systems, implement egress controls, monitor for outbound connections to known C2 infrastructure (185.247.224.41:8443, FRP servers).
  • Assume breach if running vulnerable versions with internet exposure—conduct forensic investigation for data exfiltration, credential theft, and lateral movement indicators.
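A starting point for the log, process and egress hunts listed above, added here as an example and not part of the original advisory. The indicator strings (the GoogeBot user agent, the ksoftirqd masquerade, the 185.247.224.41:8443 C2 endpoint) come from the advisory; the log lines, process list and connections are constructed, and the rule that a genuine ksoftirqd/N thread is a child of kthreadd (PID 2) with an empty command line is an assumption about the host being examined.

```python
import re
from dataclasses import dataclass

# Indicators taken from the advisory above; everything else here is constructed sample data.
SUSPICIOUS_USER_AGENTS = ("GoogeBot",)            # ZinFoq; one letter off from the real Googlebot
KNOWN_C2 = {("185.247.224.41", 8443)}             # C2 endpoint named under egress controls
# Combined-format access log: client, timestamp, request, status, size, referer, user agent.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    cmdline: str  # empty string for a genuine kernel thread

def hunt_access_log(lines):
    """Return the parsed fields of every request whose User-Agent carries a ZinFoq indicator."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m and any(ind.lower() in m.group("ua").lower() for ind in SUSPICIOUS_USER_AGENTS):
            hits.append(m.groupdict())
    return hits

def hunt_fake_ksoftirqd(procs):
    """Assumption: a real ksoftirqd/N is a kernel thread, so its parent is kthreadd (PID 2) and
    its cmdline is empty; a ksoftirqd with a user-space parent or an on-disk cmdline is a masquerade."""
    return [p for p in procs if p.comm.startswith("ksoftirqd") and (p.ppid != 2 or p.cmdline)]

def hunt_egress(conns):
    """conns: (local_ip, remote_ip, remote_port) tuples; return those matching the advisory's C2."""
    return [c for c in conns if (c[1], c[2]) in KNOWN_C2]

# Constructed samples (RFC 5737 documentation addresses), not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Dec/2025:10:01:02 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Dec/2025:10:02:15 +0000] "POST / HTTP/1.1" 200 128 "-" "GoogeBot"',
    '192.0.2.8 - - [05/Dec/2025:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
]
SAMPLE_PROCS = [
    Proc(12, 2, "ksoftirqd/0", ""),                       # genuine kernel thread
    Proc(4711, 1, "ksoftirqd/0", "/tmp/.x/ksoftirqd/0"),  # user-space process borrowing the name
]
SAMPLE_CONNS = [("10.0.0.5", "198.51.100.20", 443), ("10.0.0.5", "185.247.224.41", 8443)]
```

Feed real access-log lines, a `ps`-derived process list and `ss`/netstat output into the three functions; the real Googlebot line in the sample is there to show the substring check does not fire on it.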

CVEs

CVE-2025-55182

Vendors

Meta, Next.js, Vercel, AWS, Palo Alto Networks, Shadowserver, React

Threats

React2Shell, Earth Lamia, Jackpot Panda, Red Menshen, Contagious Interview, PeerBlight, CowTunnel, ZinFoq, XMRig, Sliver, Kaiji, BPFDoor, EtherHiding, Mirai, RotaJakiro, Pink

Targets

Financial services, Government agencies, Higher education, Technology sector, Media and entertainment, Legal services, Telecommunications, Retail, Business services, Management consulting

Impact

Data Volume: 165,000+ vulnerable IPs, 644,000 vulnerable domains
Financial: 50+ organizations compromised