CVE-2025-55182 React Server Components Vulnerability Exploited
Red Hot Cyber, il blog italiano sulla sicurezza informatica
Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Select language
Search
Banner Ransomfeed 320x100 1
Banner Ransomfeed 970x120 1
CVE-2025-55182 React Server Components Vulnerability Exploited

CVE-2025-55182 React Server Components Vulnerability Exploited

Redazione RHC : 13 December 2025 16:24

A recent report from the Google Threat Intelligence Group (GTIG) illustrates the chaotic results of this information dissemination, highlighting how savvy adversaries have already gained a foothold within targeted networks.

A critical vulnerability, identified as CVE-2025-55182, was reported to the security community on December 3, 2025, affecting React Server Components (RSC). This security flaw, with a maximum CVSS score of 10.0, allows attackers to execute arbitrary code on a server by sending a single, specially crafted HTTP request, without requiring authentication.

The cyber community reacted swiftly. Immediately after the public announcement, numerous threat clusters were widely exploited, as noted by the Google Threat Intelligence Group (GTIG), which noted activity from opportunistic cybercriminal groups to suspected espionage operators.

Because React and Next.js are fundamental to the modern web, the attack surface is enormous. “GTIG considers CVE-2025-55182 a critically endangered vulnerability.” The most alarming activity identified in the report comes from threat actors linked to China , who quickly integrated the exploit into their arsenals to distribute specialized malware. The GTIG identified several distinct campaigns:

  • UNC6600 Tunnelers: This group has been observed using MINOCAT, a sophisticated tunneler. They went to great lengths to hide their tracks, creating hidden directories like $HOME/.systemd-utils and ruthlessly killing legitimate processes to free up resources.
  • C2 “Legitimate” (UNC6603): This author implemented an updated version of the HISONIC backdoor. In a clever camouflage move, HISONIC “uses legitimate cloud services, such as Cloudflare Pages and GitLab, to retrieve its encrypted configuration.”
  • The Masqueraders (UNC6595): Distributing malware named ANGRYREBEL.LINUX, this group attempted to evade detection by ” disguising the malware as the legitimate OpenSSH daemon (sshd) within the /etc/ directory” and using anti-forensic techniques such as timestomping.
  • Vim Impostor (UNC6588): In another wave of attacks, the authors used the exploit to download COMPOOD , a backdoor that disguised itself as the popular Vim text editor to avoid suspicion.

“GTIG has identified distinct campaigns exploiting this vulnerability to distribute a MINOCAT tunneler, a SNOWLIGHT downloader, a HISONIC backdoor, and a COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlap with previously reported activity by Huntress .”

In addition to espionage, financially motivated criminals also joined the fray starting on December 5th, using XMRig miners to hijack server resources and generate cryptocurrency.

The chaos was further compounded by a wave of misinformation. In the first hours after the disclosure , the internet was flooded with fake exploits. A major repository , “which initially claimed to be a legitimate functional exploit, has now updated its README file to correctly label the initial research claims as AI-generated and non-functional.”

  • #cybersecurity
  • CVE-2025-55182
  • cyber attacks
  • malware distribution
  • React exploit
  • React Server Components
  • server components vulnerability
  • server security
  • Threat Actors
  • vulnerability exploit
Immagine del sitoRedazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli