Two weeks after news broke of a critical vulnerability in the React framework, exploitation attempts continue to mount at industrial scale.
Cloudflare is seeing over 14 million attack attempts an hour, the Zero Day Initiative is tracking 145 unique exploit types, and Microsoft has admitted it is still scrambling to provide “stronger protection measures,” whilst guiding customers to “manually assess exposure on servers or containers…”
(As of December 8, the Shadowserver Foundation said it saw 644,000 domains with vulnerable code on them, after running massive scans.)
Servers are being targeted too: The ZDI said that it has seen attackers deploy the Sliver C2 payload to Linux hosts and work to ensure persistence – Palo Alto Networks said this has included deployment of novel malware.
(Redmond’s “Defender” team said on Monday that they are working to expand detections to “identify and alert on CVE-2025-55182 activity across all operating systems” and trying to add detections for Microsoft Defender Vulnerability Management on Windows, Linux, and macOS devices…)
“High impact, low friction” exploits
Exploitation of the CVSS 10 vulnerability, allocated CVE-2025-55182 and dubbed React2Shell, gives hackers a “high-impact, low-friction attack path” said Microsoft’s Defender security research team in a January 15 blog.
(The actual exploit path has been well documented here, here, here, here.)
Redmond is seeing attackers target cloud credentials, they added, including “Azure Instance Metadata Service (IMDS) endpoints for Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud to acquire identity tokens, which could be used to move laterally to other cloud resources. Attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts to extract several different secrets.”
“Attempts to harvest AI and cloud-native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service‑account credentials were also observed,” Microsoft added, saying Azure Command-Line Interface (CLI) (az) and Azure Developer CLI (azd) were also used to obtain tokens.
That chimes with what the ZDI’s Peter Girnus said he is seeing, including TruffleHog being used to “auto-steal cloud creds from compromised hosts” – and that web application firewall (WAF) rules were being trivially bypassed in attacks.
“Heads up,” he added: “Blocking __proto__ in WAFs won't cut it.
“The core exploit doesn't need it.”
The single most important thing, the Defender team noted, is to “patch immediately”: Organisations should be looking to upgrade to one of the following patched versions (or later within the same release line):
- React: 19.0.1, 19.1.2, 19.2.1
- Next.js: 5.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
Large numbers of frameworks and bundlers rely on the packages, so framework-level updates also need to pull in the corrected dependencies.
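As an added example (not code from the article, Microsoft, or the React or Next.js projects), the Node.js script below checks the resolved versions recorded in a package-lock.json against the patched versions listed above, applying the “or later within the same release line” rule. The lock file contents are a constructed sample; a copy of the package whose major.minor line the article does not list is reported as unlisted rather than guessed at, and nested duplicate copies under node_modules are checked as well as the top-level one.

```javascript
// Patched floors as listed in the article, keyed by npm package name.
// Each entry is the first fixed version in its major.minor release line.
const PATCHED_FLOORS = {
  react: ["19.0.1", "19.1.2", "19.2.1"],
  next: ["5.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};

// Parse "19.1.2", "19.1.2-canary.3" or "^19.1.0" into numeric [major, minor, patch].
// Range operators are stripped because a lockfile records resolved versions;
// a pre-release suffix is dropped, so a canary is treated like its base version.
function parseVersion(v) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one installed version as "patched", "vulnerable", "unlisted-line"
// (no floor given for that major.minor line) or "unknown" (unparseable).
function classify(pkg, version) {
  const floors = PATCHED_FLOORS[pkg];
  const v = parseVersion(version);
  if (!floors || !v) return "unknown";
  for (const f of floors) {
    const fv = parseVersion(f);
    if (fv[0] === v[0] && fv[1] === v[1]) {
      return compareVersions(v, fv) >= 0 ? "patched" : "vulnerable";
    }
  }
  return "unlisted-line";
}

// Walk a package-lock.json (lockfileVersion 2/3 "packages" map) and report every
// installed copy of a tracked package, including nested duplicates such as
// node_modules/some-dep/node_modules/react.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!(name in PATCHED_FLOORS) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lock file (not from any real project): one vulnerable React
// at top level, a patched Next.js, and a vulnerable nested React copy.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "15.4.8", react: "19.1.0" } },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/next": { version: "15.4.8" },
    "node_modules/legacy-widget/node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.1.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(14)} ${f.name}@${f.version}  (${f.path})`);
}
```

Run it against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; the nested-copy check matters because a framework-level upgrade that does not pull in the corrected dependencies can leave an older copy installed beneath another package.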