Hackers Exploit React Server Components Vulnerability

Marcus Rodriguez
February 4, 2026

High-volume attack campaigns are now actively exploiting React Server Components. This escalation, occurring two months after CVE-2025-55182’s disclosure, marks a definitive shift from earlier broad scanning efforts.

According to telemetry from GreyNoise collected between January 26 and February 2, 2026, threat actors are actively leveraging this critical vulnerability to deploy cryptominers and establish persistent remote access.

While the total number of unique sources attempting exploitation reached 1,083, traffic has heavily consolidated. Two specific IP addresses generated 56% of all observed malicious sessions, indicating automated, large-scale infrastructure rather than manual testing.

Threat Landscape and Dominant Actors

The observed attacks utilize the public Metasploit module for CVE-2025-55182, which allows for pre-authentication remote code execution (RCE) via a single malicious HTTP POST request. The dominant threat actors have bifurcated their operational objectives:

  1. The Cryptomining Campaign (87.121.84[.]24): Responsible for 22% of traffic (311,484 sessions), this actor executes a retrieval script to download an XMRig binary from staging servers. This campaign relies on external infrastructure to host payloads.
  2. The Interactive Access Campaign (193.142.147[.]209): Responsible for 34% of traffic (488,342 sessions), this actor bypasses staging servers entirely. Instead, the payload opens a reverse shell directly back to the scanner IP on port 12323, suggesting an intent for interactive network pivots rather than automated resource theft.

Deep analysis of the cryptomining infrastructure reveals a history of malicious activity. The primary staging server, 205.185.127[.]97, has hosted attacker-controlled domains such as mased[.]top and mercarios[.]buzz since 2020.

Furthermore, adjacent IP addresses in the same subnet (87.121.84[.]25 and 87.121.84[.]45) are currently distributing Mirai and Gafgyt variants, suggesting this subnet is a haven for botnet operators targeting both enterprise servers and consumer IoT devices.

Vulnerability Details

CVE-2025-55182 is a deserialization flaw in React Server Components that carries a CVSS score of 10.0. It allows unauthenticated attackers to execute arbitrary code by manipulating serialized data processed by the server.

| CVE ID | CVSS Score | Affected Software | Vulnerability Type |
|---|---|---|---|
| CVE-2025-55182 | 10.0 (Critical) | React Server Components | Insecure Deserialization |

Affected Versions:

  • React 19.0.0
  • React 19.1.0 through 19.1.1
  • React 19.2.0

Patched Versions:

  • React 19.0.1, 19.1.2, 19.2.1

Attackers are specifically targeting development ports, likely looking for misconfigured instances where developers have used the --host 0.0.0.0 flag, inadvertently exposing the server to the public internet. The most targeted ports include 443, 80, 3000, 3001, and 3002.

Security teams are urged to patch immediately to the latest React versions. If patching is not feasible, restrict network access to development ports and block the indicators listed below.

Indicators of Compromise (IOCs)

Network Indicators (IPv4)

| IP Address | Type | Association |
|---|---|---|
| 193.142.147[.]209 | Attacker Source | Reverse Shell / Interactive Access |
| 87.121.84[.]24 | Attacker Source | XMRig Cryptominer Dropper |
| 205.185.127[.]97 | Staging Server | Payload Hosting |
| 176.65.132[.]224 | Staging Server | Payload Hosting |

Network Artifacts

  • Reverse Shell Port: TCP/12323
  • Traffic Pattern: HTTP POST requests containing unusual Next-Action headers.

File Hash (SHA-256)

  • [Hash pending further analysis] – XMRig Binary (ELF) retrieved from 205.185.127[.]97.
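
The network indicators above can be turned into a log triage pass. The following is an added example, not code from the article or from GreyNoise: it assumes a JSON-lines reverse-proxy log with hypothetical field names (`src`, `method`, `port`, `headers`), and it reads "unusual Next-Action headers" as action ids the application does not define, supplied through the hypothetical `known_actions` parameter.

```python
import json
from collections import Counter

# Source IPs as printed in the article (defanged); refanged only for matching.
IOC_SOURCES = {
    "193.142.147[.]209": "reverse shell / interactive access",
    "87.121.84[.]24": "XMRig cryptominer dropper",
}
IOC_BY_IP = {ip.replace("[.]", "."): role for ip, role in IOC_SOURCES.items()}
DEV_PORTS = {3000, 3001, 3002}  # the non-standard ports the article names

# Constructed sample input; the log format and header values are assumptions.
SAMPLE_LOG = """\
{"src": "193.142.147.209", "method": "POST", "port": 3000, "headers": {"Next-Action": "x"}}
{"src": "87.121.84.24", "method": "POST", "port": 443, "headers": {"next-action": "x"}}
{"src": "10.0.0.5", "method": "POST", "port": 3000, "headers": {"Next-Action": "a1b2c3"}}
{"src": "10.0.0.9", "method": "POST", "port": 3001, "headers": {"Next-Action": "zzz"}}
not json
"""

def triage(lines, known_actions):
    """Flag POSTs from listed sources or with a Next-Action id the app lacks."""
    findings, per_source = [], Counter()
    for lineno, raw in enumerate(lines, 1):
        try:
            ev = json.loads(raw)
            headers = {k.lower(): v for k, v in ev.get("headers", {}).items()}
        except (ValueError, AttributeError):
            continue  # skip malformed records instead of aborting the run
        src = str(ev.get("src"))
        if str(ev.get("method", "")).upper() != "POST":
            continue
        reasons = []
        if src in IOC_BY_IP:
            reasons.append("listed source: " + IOC_BY_IP[src])
        action = headers.get("next-action")  # header names are case-insensitive
        if action is not None and action not in known_actions:
            reasons.append("unrecognized Next-Action id")
        if reasons:
            if ev.get("port") in DEV_PORTS:
                reasons.append("dev port reachable")
            per_source[src] += 1  # shows how concentrated the traffic is
            findings.append({"line": lineno, "src": src, "reasons": reasons,
                             "severity": "high" if src in IOC_BY_IP else "review"})
    return findings, per_source

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines(), {"a1b2c3"})[0]:
        print(hit)
```

A "review" hit from an internal address on a development port is still worth following up, since it shows the server answering on an interface other than localhost.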
