CVE-2025-55182
-
PCPJack credential stealer targets cloud systems and removes TeamPCP traces
Researchers said PCPJack is a new cloud-focused credential stealer that targets exposed services, removes TeamPCP-related artifacts and uses multiple exploits to spread across compromised environments.
-
Hackers use Next.js flaw to harvest credentials from 766 hosts, Cisco Talos says
Cisco Talos says hackers used a Next.js flaw to compromise at least 766 hosts and harvest credentials, keys and cloud secrets through an automated operation tied to UAT-10608.
-
Worm-driven TeamPCP campaign compromises cloud native infrastructure at scale
A worm-driven campaign by TeamPCP exploited exposed Docker, Kubernetes, Ray and React vulnerabilities around Dec 25, 2025 to build proxy and scanning infrastructure for data theft, extortion and cryptocurrency mining, researchers report.
-
RondoDox botnet exploited React2Shell to enroll IoT devices and web apps
A nine month campaign enrolled IoT devices and web applications into the RondoDox botnet by exploiting React2Shell. About 90,300 hosts remained vulnerable at the end of 2025. Researchers advise patching Next.js and segmenting IoT.
-
CISA sets Dec. 12 deadline to patch React2Shell RSC flaw amid widespread exploitation
CISA has set a December 12 deadline for federal agencies to patch the critical React2Shell RSC vulnerability CVE-2025-55182 after widespread exploitation was observed; security firms report rapid, opportunistic scans and attacks against Next.js and other internet-facing services.
-
North Korea-linked actors exploit React2Shell flaw to deploy EtherRAT using Ethereum-based C2
Sysdig reported that actors tied to North Korea exploited a critical React Server Components flaw to deploy EtherRAT, a Node.js-based remote access trojan that uses Ethereum smart contracts and RPC consensus for C2 resolution and multiple Linux persistence mechanisms.
-
Cloudflare says emergency React2Shell patch caused brief network outage
Cloudflare said an emergency change to its Web Application Firewall to mitigate the critical React2Shell vulnerability briefly made its network unavailable, causing widespread 500 errors. The React flaw can allow unauthenticated remote code execution and researchers report active exploitation and circulating proof-of-concept exploits.
-
Critical React Server Components flaw (React2shell) allows unauthenticated remote code execution; Next.js also affected
A critical deserialization flaw in React Server Components, tracked as CVE-2025-55182 and nicknamed React2shell, can allow unauthenticated remote code execution; related Next.js App Router releases are covered by CVE-2025-66478. Patches are available and vendors and security firms advise applying fixes and using WAFs or access restrictions.
