Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
CVE-2025-55182 React Server Components Vulnerability Exploited

13 December 2025 16:24

A recent report from the Google Threat Intelligence Group (GTIG) illustrates the chaotic aftermath of the vulnerability's public disclosure, highlighting how savvy adversaries have already gained a foothold within targeted networks.

A critical vulnerability, identified as CVE-2025-55182, was reported to the security community on December 3, 2025, affecting React Server Components (RSC). This security flaw, with a maximum CVSS score of 10.0, allows attackers to execute arbitrary code on a server by sending a single, specially crafted HTTP request, without requiring authentication.

The threat landscape reacted swiftly. Immediately after the public announcement, numerous threat clusters began exploiting the flaw, as observed by the Google Threat Intelligence Group (GTIG), with activity ranging from opportunistic cybercriminal groups to suspected espionage operators.

Because React and Next.js are fundamental to the modern web, the attack surface is enormous. “GTIG considers CVE-2025-55182 a critically endangered vulnerability.” The most alarming activity identified in the report comes from threat actors linked to China, who quickly integrated the exploit into their arsenals to distribute specialized malware. The GTIG identified several distinct campaigns:

  • UNC6600 Tunnelers: This group has been observed using MINOCAT, a sophisticated tunneler. They went to great lengths to hide their tracks, creating hidden directories like $HOME/.systemd-utils and ruthlessly killing legitimate processes to free up resources.
  • “Legitimate” C2 (UNC6603): This actor deployed an updated version of the HISONIC backdoor. In a clever camouflage move, HISONIC “uses legitimate cloud services, such as Cloudflare Pages and GitLab, to retrieve its encrypted configuration.”
  • The Masqueraders (UNC6595): Distributing malware named ANGRYREBEL.LINUX, this group attempted to evade detection by “disguising the malware as the legitimate OpenSSH daemon (sshd) within the /etc/ directory” and using anti-forensic techniques such as timestomping.
  • Vim Impostor (UNC6588): In another wave of attacks, the actors used the exploit to download COMPOOD, a backdoor that disguised itself as the popular Vim text editor to avoid suspicion.
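
The campaigns above share a handful of host-level tells a defender can hunt for: a hidden, system-sounding directory under a user's home (the reported $HOME/.systemd-utils), an executable named sshd living somewhere other than the usual sbin paths (the report cites /etc/), an executable named after an editor such as vim outside the normal bin paths, and timestomping, where the user-settable mtime has been rolled back while the kernel-maintained ctime still records the real write. The following triage script is an added example written for this article, not code from GTIG or from any of the tools named here; the inventory records, the expected-path sets, and the 30-day gap threshold are all constructed assumptions, and the checks generalise the page's specific paths to any non-standard location.

```python
"""Triage a file inventory for the post-exploitation tells described in the
GTIG campaign summary. Added example; the records below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed locations of a genuine sshd and of genuine editor binaries.
EXPECTED_SSHD_DIRS = {"/usr/sbin", "/usr/local/sbin", "/sbin"}
EXPECTED_EDITOR_DIRS = {"/usr/bin", "/usr/local/bin", "/bin"}
# Assumption: an mtime more than 30 days older than ctime is worth a look.
TIMESTOMP_GAP_SECONDS = 30 * 24 * 3600


@dataclass(frozen=True)
class FileRecord:
    path: str
    mtime: int        # content modification time; user-settable (utimes, touch -t)
    ctime: int        # inode change time; maintained by the kernel, not settable
    executable: bool


def _split(path: str):
    """Return (parent directory, basename) for an absolute path."""
    head, _, tail = path.rpartition("/")
    return (head or "/"), tail


def home_top_entry(path: str) -> Optional[str]:
    """First component directly under a home directory (/home/<user>/X or /root/X)."""
    parts = path.split("/")
    if len(parts) >= 4 and parts[1] == "home":
        return parts[3]
    if len(parts) >= 3 and parts[1] == "root":
        return parts[2]
    return None


def classify(rec: FileRecord) -> List[str]:
    """Return the list of tells matched by one inventory record (empty if clean)."""
    findings: List[str] = []
    parent, name = _split(rec.path)
    entry = home_top_entry(rec.path)
    # Hidden top-level home entry with a system-component name (reported: .systemd-utils).
    if entry and entry.startswith(".") and "systemd" in entry:
        findings.append("hidden-systemd-named-dir-in-home")
    # An sshd binary anywhere but the expected daemon paths (reported: /etc/).
    if name == "sshd" and rec.executable and parent not in EXPECTED_SSHD_DIRS:
        findings.append("sshd-outside-expected-path")
    # An editor-named executable outside the expected bin paths (reported: vim lookalike).
    if name in ("vim", "vi") and rec.executable and parent not in EXPECTED_EDITOR_DIRS:
        findings.append("editor-binary-outside-expected-path")
    # Timestomping tell: mtime rolled back while ctime still reflects the real write.
    if rec.executable and rec.ctime - rec.mtime > TIMESTOMP_GAP_SECONDS:
        findings.append("mtime-far-older-than-ctime")
    return findings


def triage(records) -> Dict[str, List[str]]:
    """Map each path that matched at least one tell to its findings."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        hits = classify(rec)
        if hits:
            result[rec.path] = hits
    return result


# Constructed sample inventory, not real telemetry.
SAMPLE_INVENTORY = [
    FileRecord("/home/deploy/.systemd-utils/agent", 1_700_000_000, 1_765_000_000, True),
    FileRecord("/etc/sshd",                         1_600_000_000, 1_765_000_000, True),
    FileRecord("/usr/sbin/sshd",                    1_720_000_000, 1_720_000_000, True),
    FileRecord("/tmp/.X11/vim",                     1_765_000_000, 1_765_000_000, True),
    FileRecord("/home/deploy/.bashrc",              1_700_000_000, 1_765_000_000, False),
    FileRecord("/usr/bin/vim",                      1_720_000_000, 1_720_000_000, True),
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_INVENTORY).items():
        print(f"{path}: {', '.join(hits)}")
```

On a live host the records would come from `find / -xdev -printf` or `stat` output rather than the constructed list. The mtime/ctime gap is deliberately a low-confidence signal: package-installed binaries legitimately carry a build-time mtime and an install-time ctime, so corroborate any hit with `rpm -V` or `dpkg --verify` before acting on it. The process-killing behaviour attributed to UNC6600 is not something a file inventory can see; that belongs to process and audit telemetry.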

“GTIG has identified distinct campaigns exploiting this vulnerability to distribute a MINOCAT tunneler, a SNOWLIGHT downloader, a HISONIC backdoor, and a COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlap with previously reported activity by Huntress.”

In addition to espionage, financially motivated criminals also joined the fray starting on December 5th, using XMRig miners to hijack server resources and generate cryptocurrency.

The chaos was further compounded by a wave of misinformation. In the first hours after the disclosure, the internet was flooded with fake exploits. A major repository, “which initially claimed to be a legitimate functional exploit, has now updated its README file to correctly label the initial research claims as AI-generated and non-functional.”


The Red Hot Cyber Editorial Team provides daily updates on bugs, data breaches, and global threats. Every piece of content is validated by our community of experts, including Pietro Melillo, Massimiliano Brolli, Sandro Sana, Olivia Terragni, and Stefano Gazzella. Through synergy with our industry-leading partners—such as Accenture, CrowdStrike, Trend Micro, and Fortinet—we transform technical complexity into collective awareness. We ensure information accuracy by analyzing primary sources and maintaining a rigorous technical peer-review process.