
Redazione RHC : 5 December 2025 16:07
In 2025, the IT and security communities are buzzing over a single name: "React2Shell". With the disclosure of a new vulnerability, CVE-2025-55182, rated CVSS 10.0, developers and security experts around the world are warning of its severity, some even calling it the "2025 Log4Shell."
This threat affects approximately 8,777,000 servers worldwide, including approximately 87,000 in Italy. Given the severity score of 10, this could be one of the most significant threats of the year, and exploitation is already becoming "active."
Indeed, it has been confirmed that the Chinese hacker community has already launched large-scale attack tests against exposed servers using the exploit for this vulnerability. CVE-2025-55182 isn't simply a software bug. It's a structural flaw in the RSC serialization protocol, exploitable in the default configuration without any mistake on the part of the developers. Authentication isn't even required.
That's why security experts around the world are calling it "Log4Shell Release 2025." The React2Shell Checker vulnerability scanning tool scans multiple paths and marks each endpoint as Safe or Vulnerable; the image above shows that several researchers are already running automated scans against RSC-based servers.
The problem is that these tools become weapons that attackers can exploit. Chinese hackers are successfully conducting RCE tests. According to data collected by the Chinese hacker community, attackers have already injected the React2Shell PoC into Next.js-based services, collected the results through the DNSLog service, and verified the attack vector.
A manipulated payload is sent with Burp Repeater, and the server creates an external DNS record. This indicates that the attack is being verified in real time. The attackers have already completed the following steps:
This is no longer a "theoretical vulnerability", but rather proof that a valid attack vector has already been developed.
Chinese hackers are currently executing RCEs successfully. The PoC was published on GitHub, and researchers ran it, confirming that the Windows Calculator (calc.exe) was executed remotely.
Sending the payload via Burp Suite Repeater caused calc.exe to execute immediately on the server. This means full remote code execution is possible.
Launching the calculator remotely is the security research community's customary way of demonstrating a successful "RCE," that is, that an attacker has taken control of a server.
The 87,000 servers shown in the FOFA screenshot demonstrate that a significant number of web services from Italian companies running React/Next.js with RSC functionality enabled are at risk. The problem is that most of them
In particular, since FOFA search results are a common source of information also used by hacker groups to select attack targets, it is highly likely that these servers are actively scanned.
Experts call this vulnerability “unprecedented” for the following reasons:
This combination is very similar to the 2021 Log4Shell incident.
However, unlike Log4Shell, which was limited to Java's Log4j, React2Shell is more serious because it targets frameworks used across the entire global web services ecosystem.
The attackers are already performing the following attack routine.
This phase is not a pre-scan, but rather the phase immediately preceding the attack. Given the particularly large number of affected servers in Italy, the likelihood of large-scale RCE attacks against national institutions and companies is very high. Vulnerability assessment tools and other tooling are being shared within the security community.
Experts recommend emergency measures such as immediate patching, vulnerability scanning, log analysis, and updating WAF blocking policies.
The React team announced on the 3rd that they had urgently released a patch to address CVE-2025-55182, fixing a structural flaw in the RSC serialization protocol. However, due to the structural nature of React, which does not update automatically, vulnerabilities persist unless companies and development organizations manually update and recompile their versions.
Notably, Next.js-based services require a rebuild and deployment process after applying the React patch, meaning there will likely be a significant delay before the actual security patch reaches the service environment. Experts warn that "the patch has been released, but most servers are still at risk."
Many Next.js applications run with RSC enabled by default, often without even the internal development teams knowing. This requires companies to carefully inspect their codebases for the use of server components and Server Actions. With large-scale scanning attempts already confirmed in several countries, including Korea, strengthening blocking policies is essential.
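The codebase inspection recommended above can be started with a small inventory script. The following is an added example written for this article, not code from the article or from the React or Next.js projects. It relies on the real React directives `"use server"` (marks a Server Action, at file level or inside a function) and `"use client"` (opts a file out of Server Component rendering) and on the App Router convention that files under `app/` are Server Components unless marked `"use client"`; the sample project, the placeholder version strings and the list of file extensions are constructed assumptions.

```python
"""Inventory of React Server Components and Server Actions in a Next.js code base.
Added example; the directive names are React's own conventions, everything else
(sample files, placeholder versions, App Router assumption) is constructed."""
import json
import os
import re

# A directive is a line consisting only of the quoted string, optionally with ';'.
# This is a line-based heuristic, not a JavaScript parser.
DIRECTIVE_RE = re.compile(r'^\s*(["\'])use (server|client)\1;?\s*$', re.MULTILINE)
SOURCE_EXT = (".js", ".jsx", ".ts", ".tsx")
SKIP_DIRS = ("node_modules", ".next")


def classify(path, text):
    """Return 'server-action', 'client', 'server-component', or None for one file."""
    if not path.endswith(SOURCE_EXT):
        return None
    directives = {m.group(2) for m in DIRECTIVE_RE.finditer(text)}
    if "server" in directives:
        return "server-action"        # file-level or inline "use server"
    if "client" in directives:
        return "client"
    if path.startswith("app/") or "/app/" in path:
        return "server-component"     # App Router default (assumed layout)
    return None


def inventory(files):
    """files: mapping of relative path -> source text. Returns {category: [paths]}."""
    report = {"server-action": [], "client": [], "server-component": []}
    for path, text in sorted(files.items()):
        kind = classify(path, text)
        if kind:
            report[kind].append(path)
    return report


def framework_versions(files):
    """Declared react/react-dom/next versions, to compare against the patched release."""
    pkg = files.get("package.json")
    if not pkg:
        return {}
    data = json.loads(pkg)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    return {k: v for k, v in deps.items() if k in ("react", "react-dom", "next")}


def load_tree(root):
    """Read a real project directory into the mapping inventory() expects."""
    files = {}
    for dirpath, dirnames, names in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in names:
            if name == "package.json" or name.endswith(SOURCE_EXT):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[rel] = fh.read()
    return files


# Constructed sample project (not a real code base); versions are placeholders.
SAMPLE_PROJECT = {
    "package.json": '{"dependencies": {"react": "0.0.0-placeholder", "next": "0.0.0-placeholder"}}',
    "app/page.tsx": "export default function Page() { return <main/>; }\n",
    "app/actions.ts": "'use server';\nexport async function save(form: FormData) {}\n",
    "app/form.tsx": "'use client';\nexport function Form() { return <form/>; }\n",
    "app/inline.tsx": "export default function P() {\n  async function act() {\n"
                      "    'use server';\n  }\n  return <form action={act}/>;\n}\n",
    "lib/util.ts": "export const x = 1;\n",
}

if __name__ == "__main__":
    import sys
    files = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PROJECT
    print("versions:", framework_versions(files))
    for kind, paths in inventory(files).items():
        print(f"{kind}: {paths}")
```

Run it with a project root as the first argument to inventory a real tree; without arguments it runs over the constructed sample. Anything listed under `server-action` or `server-component` is the code the article says must be reviewed and rebuilt after patching.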
Furthermore, with automated React2Shell scanners and PoC code now widely deployed worldwide, attackers are performing mass scans of exposed servers. As a result, security experts have emphasized that organizations should immediately scan their domains, subdomains, and cloud instances using external attack surface assessment tools.
They also emphasized that if internal logs show traces of DNSLog calls, an increase in unusual multipart POST requests, or large payloads sent to RSC endpoints, it is highly likely that an attack attempt has already occurred or a partial compromise has been achieved, and a rapid response is required.
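The three log indicators named above can be checked with a short triage script. What follows is an added example written for this article, not the article's own tooling: the access-log and resolver-log formats, the size and burst thresholds, the RSC path prefixes and the out-of-band DNS watch-list (`oob.example.net` is a placeholder, not a real service) are all assumptions, and the sample log lines are constructed.

```python
"""Triage of web and DNS logs for the indicators the article lists: call-backs to
an out-of-band DNS logging service, a burst of multipart POST requests from one
source, and oversized request bodies sent to RSC endpoints. Added example; log
shapes, thresholds, path prefixes and the DNS watch-list are assumptions."""
import re
from collections import Counter

# Assumed access-log shape (constructed, not a real server's format):
#   <iso-time> <client-ip> "<METHOD> <path>" <status> ct="<content-type>" len=<request-bytes>
ACCESS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'ct="(?P<ctype>[^"]*)" len=(?P<length>\d+)$'
)
# Assumed resolver-log shape: <iso-time> <host> query <qname>
DNS_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) query (?P<qname>\S+)$')

# Assumptions for this deployment: paths served by the RSC / Server Action layer,
# DNS suffixes of out-of-band logging services, and what counts as "large" or "a burst".
RSC_PATH_PREFIXES = ("/app/", "/api/actions/")
OOB_DNS_SUFFIXES = ("oob.example.net",)   # placeholder domain
LARGE_BODY_BYTES = 512 * 1024              # ordinary form posts are far smaller
BURST_THRESHOLD = 5                        # multipart POSTs per source in the window


def parse_access(lines):
    """Parse access lines; lines that do not match the assumed shape are skipped."""
    records = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["length"] = int(rec["length"])
            records.append(rec)
    return records


def _is_multipart_post(rec):
    return rec["method"] == "POST" and rec["ctype"].startswith("multipart/form-data")


def large_rsc_posts(records):
    """Multipart POSTs to RSC paths whose request body meets the size threshold."""
    return [
        r for r in records
        if _is_multipart_post(r)
        and r["path"].startswith(RSC_PATH_PREFIXES)
        and r["length"] >= LARGE_BODY_BYTES
    ]


def multipart_bursts(records):
    """Source IPs that sent an unusual number of multipart POSTs."""
    counts = Counter(r["ip"] for r in records if _is_multipart_post(r))
    return {ip: n for ip, n in counts.items() if n >= BURST_THRESHOLD}


def oob_dns_queries(lines):
    """Resolver queries from internal hosts to a watch-listed call-back domain."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if m and m.group("qname").rstrip(".").endswith(OOB_DNS_SUFFIXES):
            hits.append((m.group("host"), m.group("qname")))
    return hits


def triage(access_lines, dns_lines):
    """Combine the three indicators into one report; any non-empty entry needs a look."""
    recs = parse_access(access_lines)
    return {
        "large_rsc_posts": [(r["ip"], r["path"], r["length"]) for r in large_rsc_posts(recs)],
        "multipart_bursts": multipart_bursts(recs),
        "oob_dns": oob_dns_queries(dns_lines),
    }


# Constructed sample data (not real traffic): one ordinary user and one noisy source.
SAMPLE_ACCESS = [
    '2025-12-05T10:00:01Z 198.51.100.20 "GET /app/home" 200 ct="" len=0',
    '2025-12-05T10:00:02Z 198.51.100.20 "POST /app/profile" 200 ct="multipart/form-data; boundary=x" len=2048',
] + [
    f'2025-12-05T10:01:{i:02d}Z 203.0.113.7 "POST /app/page" 500 ct="multipart/form-data; boundary=y" len=1048576'
    for i in range(6)
]
SAMPLE_DNS = [
    '2025-12-05T10:01:03Z web-01 query updates.vendor.example.',
    '2025-12-05T10:01:04Z web-01 query d3adb33f.oob.example.net.',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ACCESS, SAMPLE_DNS).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately conservative starting points; tune `LARGE_BODY_BYTES` to the largest legitimate upload your Server Actions accept, and seed `OOB_DNS_SUFFIXES` with the call-back domains your threat-intel feed lists, since the placeholder here matches nothing real.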