System.Management.Automation.AmsiUtils.amsiInitFailed = true (a standard AMSI bypass), and iex executes the next stage.

JFrog's security research team also reported today that it has found a working proof of concept that leads to code execution, and it and others have also reported finding fake PoCs containing malicious code on GitHub. "Security teams must verify sources before testing [these PoCs]," warns JFrog.

Amitai Cohen, attack vector intel lead at Wiz, also said today that the firm has seen both proof-of-concept exploits being published and active exploitation attempts in the wild. "Our threat teams have detected these attempts across customer environments, including deployments of cryptojacking malware and efforts to steal cloud credentials from compromised machines," he said in an email.

The Greynoise report follows one by New Zealand researcher Lachlan Davidson, who discovered the holes and found that a real proof of concept began circulating about 30 hours after the React maintainers disclosed them.

Separately, Amazon said its threat intelligence teams have seen active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. AWS has deployed multiple layers of automated protection, including AWS WAF (web application firewall), but the company stresses that these protections are not a substitute for patching, even for IT departments running React or Next.js in an Amazon environment.

If exploited, the vulnerability, tracked as CVE-2025-55182 in React Server Components (RSC) and CVE-2025-66478 specifically for the Next.js framework, allows a threat actor to run malicious code remotely.

Maintained by Meta, React is an open source library for building application interfaces.
There are several frameworks that build on top of it, with Next.js being highly popular among developers, so exploitation of the RSC vulnerability carries over to those frameworks. The critical vulnerability in React Server Components has the maximum Common Vulnerability Scoring System (CVSS) score of 10. Affected are React versions 19.x and Next.js versions 15.x and 16.x when using the App Router.

The problem lies specifically in RSC's Flight protocol, used for communication with clients such as browsers. RSC, notes Greynoise, is a high-value target since it sits in front of application logic that often runs with production permissions. "Thanks to services such as BuiltWith/Wappalyzer, the exposed services are easy to find and exploit at scale," Greynoise warned.

However, there are some nuances in these early reports of proofs of concept. Davidson noted that the day-0 protections from some application security providers are actually runtime-level, and not just web application firewall rules. That means many customers with theoretically vulnerable versions are still protected, he wrote.

Amazon added that analysis of data from its honeypots shows the persistent nature of some exploitation attempts. In one notable example, an unattributed threat cluster associated with IP address 183[.]6.80.214 spent nearly an hour on Thursday systematically troubleshooting exploitation attempts. This included 116 total requests directed at a target over 52 minutes, attempts to place multiple exploit payloads, attempts to execute Linux commands, attempts to write files to /tmp/pwned.txt, and attempts to read /etc/passwd. "This behavior demonstrates that threat actors aren't just running automated scans," Amazon said, "but are actively debugging and refining their exploitation techniques against live targets."

Edgar Kussberg, project lead for AI and development tools at Sonar, said that to blunt attacks, developers or infosec teams should:
- run an analysis: deploy tests to find vulnerable code and misconfigurations before an attacker can;
- get a clean signal: focus on finding and fixing true positives and the most severe vulnerabilities;
- verify code against updated rules: ensure all defensive software is updated with the latest rules designed to detect and flag the specific React2Shell pattern, not just generic parameters.
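The honeypot behaviour Amazon describes above (one address, 116 requests in 52 minutes, payloads that change from request to request, and command strings touching /tmp/pwned.txt and /etc/passwd) is the kind of pattern a detection rule can separate from one-shot scanning. The script below is an added example written for this page; it is not Amazon's, Greynoise's or any vendor's code. It reads newline-delimited JSON access-log records whose field names (`ts`, `src_ip`, `method`, `path`, `status`, `body`) are an assumed format, the thresholds are assumptions chosen around the figures in the article, and the sample log it builds is constructed, using documentation-range addresses rather than the real one.

```python
"""Flag persistent, hands-on exploitation attempts against an RSC endpoint from
access-log records. Added example for this page, not vendor code.

Input (assumed, constructed format): one JSON object per line with the fields
ts (ISO 8601), src_ip, method, path, status and body (request-body snippet).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator strings taken from the behaviour reported in the article. A request
# whose path or body carries one of them is suspicious on its own.
INDICATORS = ("/tmp/pwned.txt", "/etc/passwd")

# Assumed thresholds: MIN_REQUESTS from one source inside WINDOW, with at least
# DISTINCT_PAYLOADS different POST bodies, reads as manual payload iteration
# rather than a scanner firing the same probe once.
WINDOW = timedelta(minutes=60)
MIN_REQUESTS = 50
DISTINCT_PAYLOADS = 5


def parse_line(line):
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(lines):
    """Return {src_ip: finding} for every source that trips either rule."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["src_ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        hits = sorted({i for r in recs for i in INDICATORS
                       if i in r["path"] or i in r.get("body", "")})
        # Sliding window: largest number of requests that fit inside WINDOW.
        best, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        payloads = {r.get("body", "") for r in recs if r["method"] == "POST"}
        persistent = best >= MIN_REQUESTS and len(payloads) >= DISTINCT_PAYLOADS
        if hits or persistent:
            span = recs[-1]["ts"] - recs[0]["ts"]
            findings[ip] = {
                "requests": len(recs),
                "span_minutes": round(span.total_seconds() / 60),
                "max_in_window": best,
                "distinct_payloads": len(payloads),
                "indicators": hits,
                "persistent": persistent,
            }
    return findings


def sample_log():
    """Constructed log approximating the article's pattern: one address sends
    116 POSTs over about 52 minutes with changing bodies, a few of which carry
    the indicator paths; a scanner sends three identical probes; one visitor
    browses normally."""
    base = datetime(2025, 12, 4, 10, 0, 0)
    lines = []
    for i in range(116):
        ts = base + timedelta(seconds=i * 27)       # 115 * 27 s is ~52 minutes
        body = f"payload-variant-{i // 4}"
        if i % 40 == 10:
            body += " cat /etc/passwd"
        if i % 40 == 30:
            body += " echo pwned > /tmp/pwned.txt"
        lines.append(json.dumps({"ts": ts.isoformat(), "src_ip": "192.0.2.10",
                                 "method": "POST", "path": "/", "status": 500,
                                 "body": body}))
    for i in range(3):
        ts = base + timedelta(minutes=5 * i)
        lines.append(json.dumps({"ts": ts.isoformat(), "src_ip": "198.51.100.7",
                                 "method": "POST", "path": "/", "status": 400,
                                 "body": "probe"}))
    lines.append(json.dumps({"ts": base.isoformat(), "src_ip": "203.0.113.5",
                             "method": "GET", "path": "/about", "status": 200,
                             "body": ""}))
    return lines


if __name__ == "__main__":
    for ip, finding in analyze(sample_log()).items():
        print(ip, finding)
```

Only the iterating address is reported: the scanner never reaches the request threshold and carries no indicator, and the ordinary visitor carries neither. The two rules are deliberately independent, so a single request that reads /etc/passwd is flagged even when the source sends nothing else, and a long iterative session is flagged even when none of its payloads happens to contain a known string.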
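The first of Kussberg's steps, finding vulnerable code before an attacker does, starts with knowing which deployments sit inside the affected ranges the article gives (React 19.x; Next.js 15.x and 16.x when the App Router is used). The script below is an added example written for this page, not Sonar's or the React project's tooling. It reads an npm `package-lock.json` (lockfile versions 1, 2 and 3), treats the presence of an `app/` or `src/app/` directory as the App Router heuristic, and flags installs by major version only: the page does not state the patched point releases, so every hit is a candidate to confirm against the vendor advisory, not a verdict. The sample lockfile is constructed.

```python
"""Inventory a project for React / Next.js installs inside the major-version
ranges the article names as affected. Added example for this page. Fixed patch
releases are not encoded; a hit means "confirm against the advisory".
"""
import json
import os
import re

# Ranges stated in the article, keyed by npm package name.
AFFECTED_MAJORS = {"react": {19}, "react-dom": {19}, "next": {15, 16}}
PACKAGES = tuple(AFFECTED_MAJORS)


def installed_versions(lock):
    """Return {name: sorted versions} for the packages of interest, including
    nested copies under other packages' node_modules. Handles lockfileVersion 1
    ("dependencies") and 2/3 ("packages")."""
    found = {}
    for key, meta in lock.get("packages", {}).items():
        name = key.rsplit("node_modules/", 1)[-1]   # "" for the root entry
        if name in PACKAGES and meta.get("version"):
            found.setdefault(name, set()).add(meta["version"])
    for name, meta in lock.get("dependencies", {}).items():
        if name in PACKAGES and meta.get("version"):
            found.setdefault(name, set()).add(meta["version"])
    return {name: sorted(versions) for name, versions in found.items()}


def major(version):
    m = re.match(r"(\d+)\.", version or "")
    return int(m.group(1)) if m else None


def assess(lock, uses_app_router):
    """Return findings for every installed version inside an affected major."""
    findings = []
    for name, versions in installed_versions(lock).items():
        for v in versions:
            if major(v) not in AFFECTED_MAJORS[name]:
                continue
            if name == "next" and not uses_app_router:
                note = "affected range, but App Router not detected; confirm"
            else:
                note = "within affected range; confirm against advisory"
            findings.append({"package": name, "version": v, "note": note})
    return findings


def scan_project(root):
    """Read the lockfile under root and apply the app/ directory heuristic."""
    with open(os.path.join(root, "package-lock.json")) as fh:
        lock = json.load(fh)
    app_router = any(os.path.isdir(os.path.join(root, p)) for p in ("app", "src/app"))
    return assess(lock, app_router)


# Constructed sample: a Next.js 16 app on React 19 that also ships a nested
# React 18 under an older dependency (which is outside the stated range).
SAMPLE_LOCK = {
    "name": "demo",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"next": "16.0.1", "react": "19.1.0"}},
        "node_modules/next": {"version": "16.0.1"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-dom": {"version": "19.1.0"},
        "node_modules/legacy-widget/node_modules/react": {"version": "18.3.1"},
    },
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_LOCK, uses_app_router=True):
        print(finding)
```

Nested copies are reported separately on purpose: a React 19 bundled under a third-party package is still the server-side code path the advisory is about, and a lockfile walk is the only place it shows up.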
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4101890/warning-react2shell-vulnerability-already-being-exploited-by-threat-actors.html

