SecurityWeek reports that the React2Shell flaw, tracked as CVE-2025-55182, continues to be heavily exploited, with over 1.4 million attempts observed in the past week, according to GreyNoise. The vulnerability allows remote code execution via a single HTTP POST request, and activity surged after a Metasploit module was published.
GreyNoise notes that more than 1,000 IP addresses were involved, but two accounted for the majority: 193.142.147[.]209 and 87.121.84[.]24, which generated 488,342 and 311,484 attack sessions respectively, leading to the deployment of a reverse shell.
The observed attacks also resulted in the deployment of an XMRig cryptocurrency miner from one of two staging servers. GreyNoise adds that one staging server has been active since at least 2020 and that adjacent IPs are hosting Mirai and Gafgyt payloads. Exploitation began roughly two days after public disclosure in early December, and both state-sponsored actors and cybercrime groups are claimed to have targeted the vulnerability.