Hackers Exploiting React Server Components Vulnerability in the Wild to Deploy Malicious Payloads
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Two months following the disclosure of CVE-2025-55182<\/a>, exploitation activity targeting React Server Components has evolved from broad scanning into consolidated, high-volume attack campaigns.<\/p>\n According to telemetry from GreyNoise collected between January 26 and February 2, 2026, threat actors are actively leveraging this critical vulnerability to deploy cryptominers and establish persistent remote access.<\/p>\n While the total number of unique sources attempting exploitation reached 1,083, traffic has heavily consolidated. Two specific IP addresses generated 56% of all observed malicious sessions, indicating automated, large-scale infrastructure rather than manual testing.<\/p>\n The observed attacks<\/a> utilize the public Metasploit module for CVE-2025-55182<\/a>, which allows for pre-authentication remote code execution (RCE) via a single malicious HTTP POST request. The dominant threat actors have bifurcated their operational objectives:<\/p>\n Deep analysis of the cryptomining infrastructure reveals a history of malicious activity. The primary staging server, 205.185.127[.]97, has hosted attacker-controlled domains such as Furthermore, adjacent IP addresses in the same subnet (87.121.84[.]25 and 87.121.84[.]45) are currently distributing Mirai and Gafgyt variants, suggesting this subnet is a haven for botnet operators targeting both enterprise servers and consumer IoT devices.<\/p>\n CVE-2025-55182<\/a> is a deserialization flaw in React Server Components that carries a CVSS score of 10.0. It allows unauthenticated attackers to execute arbitrary code by manipulating serialized data processed by the server.<\/p>\n Affected Versions:<\/strong><\/p>\n Patched Versions:<\/strong><\/p>\n Attackers are specifically targeting development ports, likely looking for misconfigured instances where developers have used the Security teams are urged to patch immediately to the latest React versions. If patching is not feasible, restrict network access to development ports and block the indicators listed below.<\/p>\n Network Indicators (IPv4)<\/strong><\/p>\n Network Artifacts<\/strong><\/p>\n File Hash (SHA-256)<\/strong><\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Exploiting React Server Components Vulnerability in the Wild to Deploy Malicious Payloads<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThreat Landscape and Dominant Actors<\/strong><\/h2>\n
\n
mased[.]top<\/code> and mercarios[.]buzz<\/code> since 2020.<\/p>\nVulnerability Details<\/strong><\/h2>\n
\n\n
\n \nCVE ID<\/th>\n CVSS Score<\/th>\n Affected Software<\/th>\n Vulnerability Type<\/th>\n<\/tr>\n<\/thead>\n \n CVE-2025-55182<\/strong><\/td>\n 10.0 (Critical)<\/td>\n React Server Components<\/td>\n Insecure Deserialization<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n \n
\n
--host 0.0.0.0<\/code> flag, inadvertently exposing the server to the public internet. The most targeted ports include 443, 80, 3000, 3001, and 3002.<\/p>\nIndicators of Compromise (IOCs)<\/strong><\/h2>\n
\n\n
\n \nIP Address<\/th>\n Type<\/th>\n Association<\/th>\n<\/tr>\n<\/thead>\n \n 193.142.147[.]209<\/td>\n Attacker Source<\/td>\n Reverse Shell \/ Interactive Access<\/td>\n<\/tr>\n \n 87.121.84[.]24<\/td>\n Attacker Source<\/td>\n XMRig Cryptominer Dropper<\/td>\n<\/tr>\n \n 205.185.127[.]97<\/td>\n Staging Server<\/td>\n Payload Hosting<\/td>\n<\/tr>\n \n 176.65.132[.]224<\/td>\n Staging Server<\/td>\n Payload Hosting<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n \n
Next-Action<\/code> headers.<\/li>\n<\/ul>\n\n
[Hash pending further analysis]<\/code> \u2013 XMRig Binary (ELF) retrieved from 205.185.127[.]97.<\/li>\n<\/ul>\n