CVE-2025-55182: How ExtraHop Detects React2Shell RCE Exploits
December 9, 2025

Anatomy of an Attack

React2Shell: Unauthenticated RCE

Why ExtraHop Sees the Attack Legacy Tools Miss

The security world is addressing a high-priority vulnerability, CVE-2025-55182 (React2Shell), a critical flaw in the React Server Components (RSC) Flight protocol. Within hours of public disclosure, Amazon threat intelligence teams observed active exploitation by multiple Chinese nation-state groups, including Earth Lamia and Jackpot Panda.

This unauthenticated remote code execution (RCE) vulnerability, assigned a CVSS score of 10.0, affects the core library used by React 19.x and popular frameworks like Next.js. The vulnerability allows an attacker to execute arbitrary code in-memory on a server using a single HTTP request.

The Threat: From Open Source Flaw to Critical Infrastructure Target

The core vulnerability stems from unsafe deserialization in the RSC Flight protocol. This design flaw allows attacker-controlled data to hijack server-side execution logic, giving them an instant shell on your server.

Serialization is the process of converting a complex object (like a function, a component tree, or a configuration map) in a programming language (like JavaScript/Node.js) into a flat data format, usually a string, so it can be transmitted over a network or saved to a file.

Deserialization is the reverse process: the server takes that flat string from the network and attempts to accurately reconstruct the original complex object inside the server's memory.

The Flaw: Insecure deserialization happens when the RSC logic assumes the incoming serialized data, which is user-controlled via an HTTP request, is benign and correctly formatted. RSC uses a custom protocol called Flight to handle this exchange, and the flaw lies in the lack of validation during the reconstruction process. Attackers manipulate the serialized string to include references that the server misinterprets, essentially telling the server to build a malicious object instead of the intended React component.

Two Critical Aspects of the CVE-2025-55182 Exploitation: The single insecure deserialization flaw presents two key concerns: the evolving threat landscape and the vulnerability's wide-ranging technical scope.

  • Real-World Exploitation and the Evolving Threat Landscape: Nation-state groups were the first to weaponize this flaw. Their primary objective was to gain persistent, high-value access to data. They used the vulnerability to establish a digital backdoor, which they actively tested and refined by executing reconnaissance commands like whoami and id to map out compromised systems. While initial exploitation was attributed to nation-state groups, the threat has continued to broaden, and widespread use of the exploit is now predominantly observed among cybercrime organizations.
  • Widespread Scope and Downstream Impact: The underlying design flaw is fundamental and poses a risk to a vast ecosystem. Any application built using the common create-next-app is potentially vulnerable. More broadly, the issue is not limited to specific frameworks but affects any component or application that bundles React or supports RSC. This downstream impact significantly increases the attack surface. Censys observed over 2.15 million instances of internet-facing services that may be affected by this vulnerability.

Post-Exploitation Tactics

Once attackers successfully exploit the React2Shell flaw, they can immediately move onto high-impact tactics including:

Cloud Credential Harvesting: Attackers gain control of the server and immediately begin searching for high-value secrets, such as API keys and login tokens for cloud services like AWS, which are often stored in the server's environment variables. They read these keys, encode them (for example, with Base64), and exfiltrate them to attacker-controlled infrastructure. The goal is to obtain a "master key" that grants them persistent access to broader cloud infrastructure, long after the immediate web server vulnerability has been patched (MITRE ATT&CK T1555 / T1003).

Defense Evasion: Attackers also ensure they can operate without immediate detection by security monitoring tools. They run sophisticated, but very short, encoded commands (often based on Node.js) that execute simple tasks to confirm their access (a "proof of execution"). These brief, encoded commands leave minimal forensic artifacts on the server itself, allowing the attackers to bypass the alerts generated by endpoint detection and response (EDR) before attempting to gain persistence or move laterally through the compromised network (MITRE ATT&CK T1059).

Resource Hijacking: Since last week, cybercriminals involved in cryptomining have moved quickly to exploit the vulnerability. They use the server access to download and secretly install cryptocurrency mining software, such as XMRig. This malicious software forces the compromised web servers and, potentially, parts of your containerized infrastructure (like Kubernetes containers) to dedicate significant CPU power to mining. Coin mining leads directly to higher resource consumption, degraded service performance, and unexpected spikes in your cloud billing (MITRE ATT&CK T1496).

The ExtraHop Advantage: Decrypting the Exploit and Exposing the Shell

ExtraHop Network Detection and Response (NDR) provides the holistic visibility to intercept the React2Shell attack across its lifecycle. We catch the initial exploit and map the attacker's post-RCE activity, providing the high-fidelity alerts security teams need. We believe NDR is the only defense that consistently captures the complete attack narrative.

EDR products struggle to catch the initial RCE attempt because the exploit happens within the application process memory itself, without dropping any file or generating logs. This makes the initial breach invisible to most host-based agents and leaves security teams with no host-based visibility into it.

Since the RCE exploit happens in memory and the attacker actively terminates EDR agents, network detection is essential. Data theft and C2 artifacts will always be visible on the wire.

The initial exploitation occurs via a malicious HTTP POST request sent over an encrypted HTTPS connection.

  • Decrypt to See the RCE Attempt: For many organizations, decrypting this traffic requires an expensive, inline TLS-terminating proxy, which creates bottlenecks and can slow down the applications they are trying to protect.
  • We See the Payload: ExtraHop bypasses this standard bottleneck by leveraging out-of-band TLS session key forwarding from web servers like Nginx, Apache, or Node.js itself. This allows us to securely and passively decrypt and analyze the traffic at line rate (100 Gbps) without impacting application performance. By decoding more than 90 network protocols, we gain full visibility into the content hiding within the stream.
  • We See the Execution: We analyze the decrypted traffic to immediately flag both the initial RCE attempt and subsequent post-exploitation activity, such as Node.js shell calls that execute commands or download secondary payloads.

Detecting the Behavioral Pivot

Once RCE is achieved, the network behavior of the web server changes significantly.

The Critical Distinction: Some attackers perform a silent, smash-and-grab, stealing only data located on the compromised server before exiting. In these cases, detecting the exploit payload itself (the initial MITRE ATT&CK T1190 event) is the only signal available to prevent a breach. Other attackers establish persistent communications channels, often using Command and Control (C&C) techniques (MITRE ATT&CK T1572).

ExtraHop’s detections address both the initial exploit and the follow-on pivot.

Detecting the Exploit: We use decryption and protocol analysis to flag the specific payload that breaches the server. This provides the single, high-fidelity alert that precedes all other attacker activity.

Detecting the Pivot (Post-Exploitation Anomalies): For attacks that continue, our platform recognizes these anomalous activities:

  • Credential Theft: We alert on the unauthorized transfer of credentials, API keys, and Base64-encoded sensitive data, including attempts to read highly sensitive files like /etc/passwd (MITRE ATT&CK T1555 / T1003).
  • Resource Hijacking: We flag unusual, high-volume outbound network connections from the web server to known cryptocurrency mining pools (MITRE ATT&CK T1496).
  • C&C Tunneling: We flag long-lived, low-volume connections that signal persistent attacker access (MITRE ATT&CK T1572).
  • Threat Hunting: Teams can use the network record to hunt for IP addresses associated with exploitation attempts.

React2Shell MITRE ATT&CK TTPs

| MITRE Tactic | MITRE Technique | Network Activity to Hunt | ExtraHop Detections |
| --- | --- | --- | --- |
| Initial Access | T1190 - Exploit Public-Facing Application | Malicious HTTP POST requests targeting RSC endpoints with serialization anomalies (e.g., $ and : characters) in the request body. | Detects application flow anomalies and unexpected HTTP POST request patterns that signal initial exploitation attempts against public-facing web servers. |
| Execution | T1059.004 - Command and Scripting Interpreter: JavaScript | Payloads invoking Node.js functions (child_process.execSync) with shell commands (curl, id, cat /etc/passwd). | Decrypts and analyzes HTTPS payloads to flag highly suspicious system command execution originating from the web server process itself. |
| Credential Access | T1555 / T1003 - Credentials from Password Stores / OS Credential Dumping | Outbound server traffic containing Base64-encoded cloud credentials (e.g., AWS keys) or attempts to read sensitive files (/etc/passwd). | Monitors internal and egress traffic for the unauthorized transfer of credentials, API keys, and Base64-encoded sensitive data being staged for exfiltration. |
| Command and Control | T1572 - Protocol Tunneling | Long-lived, low-volume connections that exhibit the unique structural pattern of covert tunneling tools like Ngrok hidden within HTTPS traffic. | Flags the unique behavioral pattern of proxy/tunneling C2 activity, which looks distinctly different from legitimate web browsing, even on port 443. |
| Impact | T1496 - Resource Hijacking | Unusual, high-volume outbound network connections from the web server to known cryptocurrency mining pools. | Recognizes and alerts on connections to established cryptomining infrastructure that deviate sharply from the web server's established operational baseline. |
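As an added example (not ExtraHop's detection logic), the hunt criteria in the table above expressed as simple heuristics over summaries of decrypted HTTP messages and connections; the record field names, the mining-pool denylist and every sample value are constructed assumptions for this illustration.

```python
"""Hunt heuristics for React2Shell (CVE-2025-55182) network activity.
Added illustration, not ExtraHop's detection logic: record fields, sample
values and the mining-pool denylist are all constructed for this example."""
import base64
import re

MINING_POOLS = {"pool.constructed-example.invalid"}  # placeholder denylist
SHELL_CMDS = re.compile(r"\b(whoami|id|curl|cat\s+/etc/passwd)\b")
FLIGHT_REF = re.compile(r"\$[A-Za-z@]")  # '$'-prefixed Flight reference token
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # Base64 runs worth decoding


def decodes_to_secret(blob: str) -> bool:
    """True when a Base64 run decodes to text carrying an AWS access key ID prefix."""
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii", "ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return "AKIA" in text


def classify(rec: dict) -> set[str]:
    """Return the ATT&CK technique IDs whose hunt criteria this record satisfies."""
    hits, body = set(), rec.get("body", "")
    if rec.get("direction") == "inbound" and rec.get("method") == "POST":
        # T1190: '$' references plus ':' separators, the serialization shape RSC Flight uses
        if FLIGHT_REF.search(body) and ":" in body:
            hits.add("T1190")
        # T1059.004: Node.js child_process use or shell recon commands inside the payload
        if "child_process" in body or "execSync" in body or SHELL_CMDS.search(body):
            hits.add("T1059.004")
    elif rec.get("direction") == "outbound":
        # T1555/T1003: /etc/passwd contents or Base64-wrapped cloud keys leaving the server
        if "root:x:0:0" in body or any(decodes_to_secret(b) for b in B64_BLOB.findall(body)):
            hits.add("T1003")
        if rec.get("dst_host") in MINING_POOLS:  # T1496: known mining pool
            hits.add("T1496")
        dur, nbytes = rec.get("duration_s", 0), rec.get("bytes", 0)
        if dur > 3600 and nbytes / dur < 1024:  # T1572: long-lived, low-volume session
            hits.add("T1572")
    return hits


# Constructed samples: the first only carries indicator strings, it is not a working exploit.
SAMPLE_RECORDS = [
    {"direction": "inbound", "method": "POST", "body": 'CONSTRUCTED: $ref:child_process.execSync("id")'},
    {"direction": "inbound", "method": "POST", "body": '{"price": "$5:00"}'},  # benign lookalike
    {"direction": "outbound", "body": base64.b64encode(b"AKIACONSTRUCTEDEXAMPLE00").decode()},
    {"direction": "outbound", "dst_host": "203.0.113.10", "duration_s": 7200, "bytes": 100_000},
]
```

The second sample shows why the T1190 rule alone is a weak signal: a currency value also contains `$` and `:`, so in practice it is combined with the endpoint context and the execution indicators.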

The Critical Advantage with ExtraHop NDR

The rapid weaponization of React2Shell by nation-state groups confirms that time is the adversary's greatest asset. Patching is mandatory, but detecting the behavioral pivot on the network is your only reliable fail-safe when the patch window is narrow and the vulnerability is so easily exploited.

Ready to see how ExtraHop NDR gives your security team the critical advantage against threats like React2Shell?

  • Request a Personalized Demo: See how ExtraHop detects the specific deserialization anomalies and post-exploitation command traffic associated with this CVE.
  • Run a Security Assessment: Challenge the visibility of your current security stack with a complimentary NDR assessment.

Click HERE to schedule your demo and secure your environment against React2Shell.

Blog author
Henry Peltokangas

Director, Engineering
