Security teams reported on Tuesday that they are addressing an increasing number of potential compromises linked to a critical vulnerability in React Server Components.
The extent of the crisis is broader than anticipated, with Shadowserver documenting over 165,000 IP addresses and 644,000 domains containing potentially vulnerable code following enhancements in scan targeting.
Palo Alto Networks informed Cybersecurity Dive that post-exploitation threat activity has been observed in more than 50 organizations across various sectors, including media, financial services, business services, technology, and government—federal, state, and local—as well as telecommunications.
The vulnerability, identified as CVE-2025-55182, allows unauthenticated attackers to execute code remotely because of unsafe deserialization of request payloads. In response, the Cybersecurity and Infrastructure Security Agency updated its advisory on the vulnerability, urging security teams to watch for signs of compromise on any internet-accessible React instances even after applying mitigations, since exposed systems may already have been exploited. A patch fixing the flaw was released earlier.
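A starting point for the inventory step the advisory implies (finding copies of React Server Components code in an application before confirming they are patched), as an added Python example that is not from the article, CISA or the React project. It assumes npm's package-lock.json v2/v3 layout (a top-level `packages` map keyed by install path) and the `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` package names that carry the RSC bindings. The sample lockfile and the versions in `PLACEHOLDER_FIXED` are constructed placeholders: the article does not state affected or fixed versions, so take the real minimum from the React advisory before using this on a live tree.

```python
"""Inventory installed React Server Components packages from an npm lockfile.

Added example, not from the article. Walks a package-lock.json (lockfile
v2/v3 "packages" map), reports every installed copy of the react-server-dom-*
packages (including nested duplicates, which a top-level `npm ls` view can
hide) and classifies each against a caller-supplied minimum fixed version.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Assumed package names for the RSC bindings; not taken from the article.
RSC_PACKAGES = frozenset({
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
})

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")


def parse_version(v: str) -> Optional[Tuple[int, int, int, Optional[str]]]:
    """Split 'MAJOR.MINOR.PATCH[-prerelease]' into a comparable tuple, or None."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        return None  # git URLs, file: links, tags etc. need manual review
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_below(version: str, minimum: str) -> Optional[bool]:
    """True if version < minimum, False if not, None if either is unparseable."""
    a, b = parse_version(version), parse_version(minimum)
    if a is None or b is None:
        return None
    if a[:3] != b[:3]:
        return a[:3] < b[:3]
    # Same numeric triple: a prerelease (canary/rc) sorts below the release;
    # two prereleases are compared as plain strings (a semver simplification).
    if a[3] is None:
        return False
    if b[3] is None:
        return True
    return a[3] < b[3]


def package_name(path: str) -> str:
    """Lockfile keys look like 'node_modules/a/node_modules/@scope/b';
    the installed package name is everything after the last 'node_modules/'."""
    return path.rsplit("node_modules/", 1)[-1]


def find_rsc_packages(lock: dict) -> List[Tuple[str, str, str]]:
    """Return (install path, package name, version) for every RSC package copy."""
    found = []
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # the empty key is the root project itself
        name = package_name(path)
        if name in RSC_PACKAGES:
            found.append((path, name, entry.get("version", "")))
    return found


def audit_lockfile(lock: dict, minimum_fixed: Dict[str, str]) -> List[dict]:
    """Classify each RSC copy as ok / below-fixed / unparseable / unconfigured."""
    findings = []
    for path, name, version in find_rsc_packages(lock):
        minimum = minimum_fixed.get(name)
        if minimum is None:
            status = "no-fixed-version-configured"
        else:
            status = {None: "unparseable-version",
                      True: "below-fixed",
                      False: "ok"}[is_below(version, minimum)]
        findings.append({"path": path, "name": name,
                         "version": version, "status": status})
    return findings


def load_lockfile(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample lockfile: a top-level RSC package, a nested duplicate of
# a different version, and a copy installed from a git URL.
SAMPLE_LOCK = json.loads("""
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "version": "1.0.0"},
    "node_modules/react": {"version": "19.1.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
    "node_modules/some-lib": {"version": "2.3.4"},
    "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/react-server-dom-parcel": {"version": "git+ssh://example.invalid/fork.git#abc"}
  }
}
""")

# PLACEHOLDER values: the article gives no fixed version. Replace with the
# minimum fixed version from the React advisory.
PLACEHOLDER_FIXED = {"react-server-dom-webpack": "19.2.0",
                     "react-server-dom-parcel": "19.2.0"}

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK, PLACEHOLDER_FIXED):
        print(f"{finding['status']:28} {finding['version']:20} {finding['path']}")
```

Run it against a real tree with `audit_lockfile(load_lockfile("package-lock.json"), {...})` once the fixed versions are filled in. Anything reported as `unparseable-version` (git or file installs, forks) still needs a manual look, and a clean inventory only establishes patch status: following CISA's guidance, hosts that were reachable before patching still need to be checked for post-exploitation activity.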
As previously reported, state-linked actors from China, identified as Earth Lamia and Jackpot Panda, have targeted the vulnerability, according to AWS researchers. Furthermore, Palo Alto Networks noted an uptick in threat activity with the emergence of fake IT recruiters potentially associated with North Korea. This campaign, dubbed Contagious Interview, involves installing malware on job-seekers’ computers.
An adversary with ties to North Korea has employed a technique called EtherHiding to deliver malware and siphon cryptocurrency by exploiting public blockchains, as stated by Palo Alto Networks. Researchers have also identified the use of a Linux backdoor known as BPFDoor, which is associated with a China-linked group called Red Menshen.
On Monday, GreyNoise researchers reported 362 unique IP addresses targeting this vulnerability, revealing various attack methods, including remote script execution, reverse shell/downloader scripts, SSH persistence, and directory reconnaissance.
Source: cybersecuritydive Edited by Bernie