CVE-2025-55182 React Server Components Vulnerability Exploited

A recent report from the Google Threat Intelligence Group (GTIG) illustrates the chaotic results of this information dissemination, highlighting how savvy adversaries have already gained a foothold within targeted networks.

A critical vulnerability, identified as CVE-2025-55182, was reported to the security community on December 3, 2025, affecting React Server Components (RSC). This security flaw, with a maximum CVSS score of 10.0, allows attackers to execute arbitrary code on a server by sending a single, specially crafted HTTP request, without requiring authentication.

The cyber community reacted swiftly. Immediately after the public announcement, numerous threat clusters were widely exploited, as noted by the Google Threat Intelligence Group (GTIG), which noted activity from opportunistic cybercriminal groups to suspected espionage operators.

Because React and Next.js are fundamental to the modern web, the attack surface is enormous. “GTIG considers CVE-2025-55182 a critically endangered vulnerability.” The most alarming activity identified in the report comes from threat actors linked to China , who quickly integrated the exploit into their arsenals to distribute specialized malware. The GTIG identified several distinct campaigns:

• UNC6600 Tunnelers: This group has been observed using MINOCAT, a sophisticated tunneler. They went to great lengths to hide their tracks, creating hidden directories like $HOME/.systemd-utils and ruthlessly killing legitimate processes to free up resources.
• C2 “Legitimate” (UNC6603): This author implemented an updated version of the HISONIC backdoor. In a clever camouflage move, HISONIC “uses legitimate cloud services, such as Cloudflare Pages and GitLab, to retrieve its encrypted configuration.”
• The Masqueraders (UNC6595): Distributing malware named ANGRYREBEL.LINUX, this group attempted to evade detection by ” disguising the malware as the legitimate OpenSSH daemon (sshd) within the /etc/ directory” and using anti-forensic techniques such as timestomping.
• Vim Impostor (UNC6588): In another wave of attacks, the authors used the exploit to download COMPOOD , a backdoor that disguised itself as the popular Vim text editor to avoid suspicion.

“GTIG has identified distinct campaigns exploiting this vulnerability to distribute a MINOCAT tunneler, a SNOWLIGHT downloader, a HISONIC backdoor, and a COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlap with previously reported activity by Huntress .”

In addition to espionage, financially motivated criminals also joined the fray starting on December 5th, using XMRig miners to hijack server resources and generate cryptocurrency.

The chaos was further compounded by a wave of misinformation. In the first hours after the disclosure , the internet was flooded with fake exploits. A major repository , “which initially claimed to be a legitimate functional exploit, has now updated its README file to correctly label the initial research claims as AI-generated and non-functional.”

Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.

Redazione

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.