TWO IP addresses are now responsible for the majority of attacks on CVE-2025-55182, with GreyNoise reporting that between January 26 and February 2, 2026, two IPs account for 56% of all observed exploitation attempts. The 193.142.147[.]209 address provides 34% of the traffic and is described as profit-driven, deploying payloads that retrieve cryptomining binaries from staging servers to monetise compromised CPU cycles.
The 87.121.84[.]24 address accounts for 22% of activity and is described as more ominous, opening reverse shells directly to the scanner IP to grant interactive control over the victim machine. The vulnerability in React Server Components carries a CVSS score of 10.0 and allows remote code execution without authentication.
The report notes a divergence in tactics and highlights that attackers are targeting exposed development infrastructure, including default React development servers on ports such as 3000, 3001 and 3002, with misconfigurations like host 0.0.0[.]0 increasing exposure. according to GreyNoise, organisations running unpatched React Server Components should assume they have been targeted, and admins are urged to upgrade to React versions 19.0.1, 19.1.2, or 19.2.1 to close the gap.