React2Shell Vulnerability Exploited in the Wild, Analysts Warn
A critical vulnerability, known as React2Shell (CVE-2025-55182), has been discovered in React Server Components, affecting multiple React versions across the React 19 ecosystem. This pre-auth remote code execution weakness poses a significant threat to systems using the affected React versions.
The WXA Internet Abuse Signal Collective (WXA IASC) has launched a threat research series, titled “To Cache A Predator,” which aims to map attacker infrastructure and tactics related to CVE-2025-55182, also known as “React2Shell.” This series will provide valuable insights into the global telemetry, enrichment datasets, and honeypot observations associated with this vulnerability.
The first episode of the series highlights the rapid weaponization of the vulnerability after its public disclosure, persistent scanning of Next.js paths, and the concentration of infrastructure around a small set of high-leverage nodes. These findings indicate a coherent campaign, which defenders must be aware of to protect their systems.
Public advisories have warned that exploitation of the vulnerability is possible via crafted network requests that abuse the parsing of server-side component payloads. Defenders are urged to patch their systems quickly and monitor for exploitation attempts to prevent potential attacks.
Early visibility via Niihama
The WXA IASC’s Niihama honeypots detected exploitation attempts within approximately 20 hours of the public disclosure in early December 2025, providing early insights into the exploit mechanics and attacker fingerprinting. This rapid detection allowed for the gathering of valuable information on the attackers’ tactics, techniques, and procedures (TTPs).
Following the initial spike, Niihama continued to log steady React2Shell and Next.js-focused scanning through early February 2026, including probing of /_next/server and large-scale hunting across /_next/static/*. This sustained scanning activity indicates that attackers are still actively exploiting the vulnerability, and defenders must remain vigilant.
Analysis of WXA IASC NetFlow-derived telemetry revealed two Netherlands-hosted nodes as the core pivots of the campaign, with each interacting with millions of counterparties over the observation window. These nodes are likely playing a crucial role in the exploitation of the vulnerability, and their identification can help defenders to better protect their systems.
GreyNoise independently reported that the same two IPs (193.142.147[.]209 and 87.121.84[.]24) generated 56% of observed React2Shell exploitation traffic in a seven-day period (January 26 to February 2, 2026). During this time, GreyNoise sensors recorded 1,419,718 exploitation attempts targeting CVE-2025-55182, with 193.142.147[.]209 responsible for 488,342 sessions (34%) and 87.121.84[.]24 for 311,484 sessions (22%).
The WXA IASC attributes much of the high-fidelity React2Shell activity to a novel, single-operator toolkit dubbed ILOVEPOOP, operating across nine scanner nodes on multiple hosting providers. This toolkit is characterized by consistent headers and behavior, including the use of specific User-Agents, which suggests a reusable exploit stack rather than random probing.
Niihama also recorded follow-on hostile behavior (SMB/RDP/SSH/HTTP attacks and credential abuse) from IPs linked to the same exploit infrastructure, supporting an “early warning” interpretive frame. This indicates that infrastructure overlap plus behavior overlap can be a strong indicator of risk, even if compromise is not confirmed.
What defenders should do now
- Patch affected React/Next.js deployments tied to CVE-2025-55182 and validate that mitigations are actually deployed in production to prevent exploitation.
- Hunt in reverse proxy, WAF, and app logs for Server Actions–like POST patterns and suspicious Next.js internal headers (including the ILOVEPOOP canary IDs), then pivot to source IP, ASN, and hosting provider patterns to identify potential attackers.
- Treat these findings as evidence of hostile activity and scanning pressure; prioritize exposure reduction, least privilege, and rapid containment plans for internet-facing systems to minimize the risk of exploitation.