Ransomware Attacks Exploit Critical React2Shell Vulnerability

Published
December 18, 2025
Category
Hot Technology Sectors
Word Count
374 words

Full Transcript

A ransomware gang exploited the critical React2Shell vulnerability, designated as CVE-2025-55182, to gain initial access to corporate networks, deploying file-encrypting malware in less than a minute. React2Shell is an insecure deserialization issue in the React Server Components 'Flight' protocol used by the React library and the Next.js framework, allowing remote exploitation without authentication to execute JavaScript in the server's context.

Within hours of its disclosure, nation-state hackers began exploiting it for cyberespionage or deploying new EtherRAT malware, while cybercriminals used it for cryptocurrency mining attacks. On December 5, 2025, researchers from S-RM observed the React2Shell vulnerability being used in an attack employing the Weaxor ransomware strain.

Weaxor, which emerged in late 2024, is believed to be a rebrand of the Mallox/FARGO operation, focusing on compromising MS-SQL servers. Characterized as a less sophisticated operation, Weaxor targets public-facing servers with opportunistic attacks and demands relatively low ransoms without a data leak portal for double extortion or data exfiltration prior to encryption.

The S-RM researchers noted that the threat actor deployed the encryptor shortly after gaining access through React2Shell, which suggests an automated attack, although they found no evidence in the compromised environment to confirm this.

The hackers executed an obfuscated PowerShell command to deploy a Cobalt Strike beacon for command and control communication, disabled real-time protection in Windows Defender, and launched the ransomware payload, all within a minute of the initial access.

The attack was limited to the endpoint vulnerable to React2Shell, with no signs of lateral movement detected. After encryption, files were marked with the '.WEAX' extension, and each impacted directory contained a ransom note named 'RECOVERY INFORMATION.txt' with payment instructions.

Weaxor also wiped volume shadow copies to hinder restoration efforts and cleared event logs to complicate forensic analysis. Furthermore, the same host was later compromised by other attackers using different payloads, highlighting the prevalence of malicious activities surrounding React2Shell.

S-RM recommends that system administrators review Windows event logs and EDR telemetry for process creation by binaries related to Node or React. They emphasize that patching alone is insufficient: node.exe spawning cmd.exe or powershell.exe is a strong indicator of React2Shell exploitation, and unusual outbound connections, disabled security controls, log clearing, and resource spikes all warrant thorough investigation.
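The checks S-RM recommends, turned into code as an added example that is not part of the article or of S-RM's report. It runs over constructed, simplified process-creation records (field names loosely modelled on Sysmon Event ID 1 and Windows 4688, and chosen for this example) and flags a shell spawned by node.exe; it also flags follow-on tampering of the kinds the article describes (Defender real-time protection disabled, shadow copies wiped, event logs cleared) and escalates it when it follows a node-spawned shell on the same host within the one-minute window the article mentions. The command-line markers used for the tampering check are this example's assumptions, not indicators published by S-RM.

```python
"""Hunting for React2Shell-style post-exploitation in process-creation telemetry."""
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe"}      # child processes named in the article
WEB_RUNTIMES = {"node.exe"}                  # parent process named in the article
CHAIN_WINDOW = timedelta(seconds=60)         # article: whole chain ran within a minute

# Assumed command-line markers for the tampering the article describes; every
# substring in a tuple must appear (case-insensitively) for the rule to fire.
TAMPER_MARKERS = {
    "defender_realtime_disabled": ("set-mppreference", "disablerealtimemonitoring"),
    "shadow_copies_deleted": ("vssadmin", "delete shadows"),
    "event_log_cleared": ("wevtutil", " cl "),
}


def _ev(i, t, host, parent, image, cmd):
    """Build one simplified process-creation record (constructed field names)."""
    return {"id": i, "time": t, "host": host, "parent_image": parent,
            "image": image, "command_line": cmd}


# Constructed sample telemetry, not real logs. Host web01 plays the compromised
# server; ws07 shows the same tampering command without a preceding node shell.
SAMPLE_EVENTS = [
    _ev(1, "2025-12-05T10:00:00", "web01", r"C:\Program Files\nodejs\node.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -nop -w hidden -enc <constructed-base64>"),
    _ev(2, "2025-12-05T10:00:02", "web01", r"C:\Program Files\nodejs\node.exe",
        r"C:\Program Files\nodejs\node.exe", "node.exe worker.js"),
    _ev(3, "2025-12-05T10:00:20", "web01",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    _ev(4, "2025-12-05T10:00:35", "web01", r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    _ev(5, "2025-12-05T10:00:40", "web01", r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    _ev(6, "2025-12-05T09:30:00", "ws07", r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    _ev(7, "2025-12-05T11:15:00", "ws07", r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    _ev(8, "2025-12-05T10:05:00", "web01", r"C:\Windows\System32\services.exe",
        r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shell_from_web_runtime(event: dict) -> bool:
    """The article's primary indicator: node.exe spawning cmd.exe or powershell.exe."""
    return (basename(event["parent_image"]) in WEB_RUNTIMES
            and basename(event["image"]) in SHELLS)


def tamper_indicators(event: dict) -> list:
    """Names of the assumed tampering markers present in the command line."""
    cmd = event["command_line"].lower()
    return [name for name, parts in TAMPER_MARKERS.items() if all(p in cmd for p in parts)]


def triage(events: list) -> list:
    """Return findings in time order; tampering that follows a node-spawned shell
    on the same host within CHAIN_WINDOW is escalated to critical."""
    findings = []
    last_shell = {}  # host -> time of the most recent node-spawned shell
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if shell_from_web_runtime(ev):
            last_shell[ev["host"]] = ts
            findings.append({"event": ev["id"], "host": ev["host"],
                             "rule": "shell_spawned_by_node", "severity": "high"})
        for rule in tamper_indicators(ev):
            chained = (ev["host"] in last_shell
                       and ts - last_shell[ev["host"]] <= CHAIN_WINDOW)
            findings.append({"event": ev["id"], "host": ev["host"], "rule": rule,
                             "severity": "critical" if chained else "medium"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:8} event {f['event']} on {f['host']}: {f['rule']}")
```

On the constructed sample this yields five findings: the node-spawned PowerShell on web01 (high), the three tampering commands that follow it within a minute (critical), and the lone shadow-copy deletion on ws07 (medium, because no web-runtime shell preceded it there). The parent/child match is deliberately narrow so it can run against high-volume telemetry; a real deployment would feed it from a SIEM query rather than an inline list and would tune the marker table to the tools in use.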
