React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors

React2Shell vulnerability CVE-2025-55182 is actively exploited to deploy Linux malware, run commands, and steal cloud credentials at scale.

The React2Shell vulnerability, tracked as CVE-2025-55182, is being actively exploited in the wild to deploy Linux backdoors, execute arbitrary commands, and steal cloud credentials at scale. This critical flaw allows attackers to gain remote code execution on vulnerable systems.

Security researchers have observed multiple threat actor groups leveraging this vulnerability to install various types of malware, including remote access trojans (RATs), cryptocurrency miners, and credential stealers. The attacks are targeting both on-premises Linux servers and cloud-based instances.

The exploitation campaigns are particularly focused on stealing cloud service provider credentials, including those for AWS, Azure, and Google Cloud Platform. Once credentials are obtained, attackers can move laterally within cloud environments, access sensitive data, and deploy additional malicious payloads.

Organizations using React-based applications should immediately apply available patches and implement additional security controls. The vulnerability affects multiple versions of React and related frameworks, making widespread exploitation possible across numerous applications and services.

Security teams are advised to monitor for unusual network traffic, unexpected process execution, and unauthorized credential access attempts. The active exploitation makes this vulnerability a high-priority concern for security operations centers worldwide.