The amount of time federal agencies have to patch the latest React2Shell vulnerability has decreased considerably.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-55182 — a vulnerability impacting a popular piece of open-source software built into hundreds of widely used digital products — to its Known Exploited Vulnerabilities catalog late last week, giving federal agencies until December 26 to patch the bug.
The date is now Friday. A spokesperson for CISA confirmed the date change and noted that CISA wanted federal agencies to “check for indicators of potential compromise on all web accessible REACT instances after applying mitigations.”
CISA’s patch deadlines are often an indicator of a bug’s severity for the industry as a whole. React2Shell impacts React Server Components, software initially created for Facebook and now embedded in 50 million websites and products built by numerous major companies.
Since December 3, cybersecurity defenders have scrambled to patch CVE-2025-55182 because of the broad use of React Server Components.
Over the past week, defenders have seen government-backed hackers from China and North Korea exploiting the bug alongside an array of cybercriminal groups.
Palo Alto Networks’ Unit 42 published a new advisory on Wednesday night showing more than 50 organizations have been impacted by breaches sourced back to CVE-2025-55182.
The impacted organizations are in the U.S. as well as Asia, South America and the Middle East. Hackers are targeting financial services institutions, higher education, the tech industry, all levels of government and media organizations.
Unit 42 added that in addition to previously identified Chinese malware strains like Snowlight and Vshell, they’re now seeing other malware used, including NoodlerRat, XMRIG, BPFDoor, Autocolor, Mirai and Supershell.
Justin Moore, a senior official at Unit 42, told Recorded Future News that researchers have confirmed cases where attackers used CVE-2025-55182 to breach networks.
“We’ve observed opportunistic targeting and automated scripts for the installation of cryptominers and botnets, targeting AWS configuration keys, and more targeted installation of numerous robust backdoors previously associated with nation state affiliated actors,” Moore said.
Unit 42 also confirmed earlier reporting by cybersecurity firm Sysdig that North Korean hackers are exploiting the bug to deliver malware and facilitate cryptocurrency theft.
Unit 42 added that it observed some hackers exploiting the bug using BPFDoor, a Linux backdoor attributed to a China-linked threat group known as Red Menshen.
The group was previously accused of targeting the telecommunications, finance and retail sectors, with attacks observed in South Korea, Hong Kong, Myanmar, Malaysia and Egypt. Unit 42 tracked several other backdoors and strains of malware used in attacks.
Other incident responders said they’re now seeing low-skill, opportunistic abuse of the vulnerability across a variety of sectors.
Christiaan Beek, senior director of threat intelligence at Rapid7, said the company is witnessing cryptocurrency miners and Mirai botnet deployments exploiting the bug. He added that there are indicators linking the vulnerability’s exploitation to tooling previously used by ransomware groups.
Researchers at CyCognito shared data that showed media organizations had an inordinate number of externally exposed assets running vulnerable React Server Components affected by CVE-2025-55182.
The company said news outlets, broadcast television stations, cable and satellite companies and more were exposed, likely because most media organizations use React in their frontend stacks.
“They rely heavily on server-rendered frameworks such as Next.js to run public entry points like homepages, article and video pages, section fronts, search results and campaign microsites,” the company told Recorded Future News.
“In many of these applications, React Server Components are used for server side data fetching, layout composition and streaming partial page updates. That puts the vulnerable react-server-dom-* packages directly in the request path on exposed web assets.”
The company also found the manufacturing, technology and hospitality industries to have significant exposure to CVE-2025-55182.