Two months after the disclosure of CVE-2025-55182, exploitation attempts against React Server Components have shifted from broad scanning to concentrated, high-volume attack campaigns.
GreyNoise data collected between January 26 and February 2, 2026, shows that attackers are actively exploiting this critical vulnerability to deploy cryptominers and obtain persistent remote access.
Although 1,083 unique source IPs attempted exploitation, the traffic is heavily concentrated: two IP addresses alone accounted for 56% of all observed malicious sessions, which points to automated, large-scale tooling rather than manual probing.
Threat Landscape and Key Participants
The observed attacks use the public Metasploit module for CVE-2025-55182, which achieves pre-authentication remote code execution (RCE) with a single malicious HTTP POST request. The two principal actors pursue different objectives:
- Cryptomining campaign (87.121.84[.]24): Responsible for 22% of traffic (311,484 sessions), this source runs a download script that fetches an XMRig binary from staging servers, so the campaign depends on external infrastructure to host its payloads.
- Interactive access campaign (193.142.147[.]209): Responsible for 34% of traffic (488,342 sessions), this source skips staging servers entirely. Its payload opens a reverse shell directly back to the scanning IP on TCP port 12323, indicating a preference for interactive network pivoting over automated resource theft.
Closer examination of the cryptomining infrastructure reveals a history of malicious activity. The primary staging server, 205.185.127[.]97, has hosted attacker-controlled domains such as mased[.]top and mercarios[.]buzz since 2020.
In addition, neighbouring IP addresses in the same subnet (87.121.84[.]25 and 87.121.84[.]45) are currently distributing Mirai and Gafgyt variants, suggesting the subnet is a haven for botnet operators who target both enterprise servers and consumer IoT devices.
Vulnerability Insights
CVE-2025-55182 is a deserialization vulnerability in React Server Components (the react-server-dom-* packages) with a CVSS score of 10.0. It allows unauthenticated attackers to execute arbitrary code by sending crafted serialized data that the server deserializes.
| CVE ID | CVSS Score | Affected Software | Vulnerability Type |
|---|---|---|---|
| CVE-2025-55182 | 10.0 (Critical) | React Server Components | Insecure Deserialization |
Affected Versions:
- React 19.0.0
- React 19.1.0 through 19.1.1
- React 19.2.0
Patched Versions:
- React 19.0.1, 19.1.2, 19.2.1
Attackers are also targeting development ports, most likely hunting for misconfigured instances where developers started the dev server with a flag such as --host 0.0.0.0 and unintentionally exposed it to the public internet. The most frequently targeted ports are 443, 80, 3000, 3001 and 3002.
Security teams are strongly advised to update to a patched React release promptly. Where updating is not immediately possible, restrict network access to development ports and block the indicators listed below.
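As an added example that is not part of the original article, the following Python script applies the affected and patched version lists above to a package-lock.json so a team can find the React copies that still need patching. The sample lockfile is constructed inline; the script assumes the react-server-dom-* packages track React's own version number (they are released in lockstep) and treats canary or pre-release builds as needing manual review.

```python
import json
import re

# Version facts from the advisory summary above: vulnerable React releases and
# the first patched release on each 19.x line.
VULNERABLE = {(19, 0, 0), (19, 1, 0), (19, 1, 1), (19, 2, 0)}
PATCHED = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}

# Accepts "19.2.0", "^19.2.0", "~19.1.1", "v19.0.0", "19.2.0-canary-..." and so on.
VERSION_RE = re.compile(r"^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(spec):
    """Return ((major, minor, patch), prerelease_or_None), or None if unparseable."""
    m = VERSION_RE.match(spec)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def classify(spec):
    """Map a version spec to 'vulnerable', 'patched', 'unaffected' or 'unknown'."""
    parsed = parse_version(spec)
    if parsed is None:
        return "unknown"          # e.g. "latest", a git URL, a dist-tag
    version, prerelease = parsed
    if prerelease:
        return "unknown"          # canary/rc builds: compare against the advisory by hand
    if version in VULNERABLE:
        return "vulnerable"
    line = version[:2]
    if line in PATCHED and version >= PATCHED[line]:
        return "patched"
    return "unaffected"           # not in the advisory's affected list (e.g. 18.x)


def is_watched(name):
    # Assumption: the react-server-dom-* bindings are released in lockstep with
    # react itself, so the same version ranges apply to them.
    return name == "react" or name.startswith("react-server-dom-")


def scan_lockfile(lock):
    """Walk a lockfileVersion 2/3 package-lock.json and classify every watched package."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # "node_modules/a/node_modules/react" -> "react"; the root entry "" is skipped
        name = path.rsplit("node_modules/", 1)[-1]
        if not is_watched(name) or "version" not in meta:
            continue
        findings.append((path, meta["version"], classify(meta["version"])))
    return findings


def vulnerable_paths(lock):
    """Lockfile entry paths that need patching."""
    return [path for path, _, status in scan_lockfile(lock) if status == "vulnerable"]


# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/react-dom": {"version": "19.2.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/legacy-widget/node_modules/react": {"version": "18.3.1"}
  }
}
""")

if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, version, status in scan_lockfile(lock):
        print(f"{status:<11} {version:<10} {path}")
```

Run it with the path to a real package-lock.json as the first argument; nested copies of react under other packages are reported separately, since a vulnerable nested copy is just as exploitable as the top-level one if it is the one the server bundle actually loads.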
Indicators of Compromise (IOCs)
Network Indicators (IPv4)
| IP Address | Type | Association |
|---|---|---|
| 193.142.147[.]209 | Attacker Source | Reverse Shell / Interactive Access |
| 87.121.84[.]24 | Attacker Source | XMRig Cryptominer Dropper |
| 205.185.127[.]97 | Staging Server | Payload Hosting |
| 176.65.132[.]224 | Staging Server | Payload Hosting |
Network Artifacts
- Reverse Shell Port: TCP/12323
- Traffic Pattern: HTTP POST requests carrying unusual Next-Action headers.
File Hash (SHA-256)
[Hash pending further analysis]: XMRig binary (ELF) retrieved from 205.185.127[.]97.
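As an added example that is not from the original article or from GreyNoise, the following Python script applies the indicators above to a constructed JSON-lines log of inbound HTTP requests and outbound connections. The log format and field names are assumptions (in practice the reverse proxy would have to be configured to log the Next-Action request header), as is the heuristic that a legitimate Next.js server-action ID is a long hex digest, so that any other Next-Action value on a POST is worth a look.

```python
import json
import re

# Indicators from the IOC tables above.
ATTACKER_SOURCES = {"193.142.147.209", "87.121.84.24"}
STAGING_SERVERS = {"205.185.127.97", "176.65.132.224"}
REVERSE_SHELL_PORT = 12323

# Heuristic, an assumption rather than a fact from the article: a legitimate
# Next.js server-action ID is a long hex digest, so any other Next-Action
# value on a POST is treated as suspicious.
ACTION_ID_RE = re.compile(r"^[0-9a-f]{40,}$")


def classify_request(rec):
    """Return the reasons an HTTP request record looks like CVE-2025-55182 exploitation."""
    reasons = []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if rec.get("src") in ATTACKER_SOURCES:
        reasons.append("source IP in IOC list")
    action = headers.get("next-action")
    if rec.get("method") == "POST" and action is not None and not ACTION_ID_RE.match(action):
        reasons.append(f"POST with unusual Next-Action header: {action!r}")
    return reasons


def classify_connection(rec):
    """Return the reasons an outbound connection record matches the post-exploitation indicators."""
    reasons = []
    if rec.get("dst") in ATTACKER_SOURCES and rec.get("dport") == REVERSE_SHELL_PORT:
        reasons.append("outbound to attacker IP on TCP/12323 (reverse shell)")
    if rec.get("dst") in STAGING_SERVERS:
        reasons.append("outbound to payload staging server (XMRig download)")
    return reasons


def scan(lines):
    """Return a list of (timestamp, reasons) for every JSON-lines record that matches an indicator."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        reasons = classify_request(rec) if rec["type"] == "http" else classify_connection(rec)
        if reasons:
            hits.append((rec["ts"], reasons))
    return hits


# Constructed sample log (assumed format: one JSON object per line, with the
# proxy logging the Next-Action request header; this is not real traffic).
SAMPLE_LOG = [
    '{"type":"http","ts":"2026-01-28T03:14:07Z","src":"203.0.113.7","method":"POST","path":"/",'
    ' "headers":{"Next-Action":"7f8a0b1c2d3e4f50617283940a5b6c7d8e9f0a1b"}}',
    '{"type":"http","ts":"2026-01-28T03:15:22Z","src":"193.142.147.209","method":"POST","path":"/",'
    ' "headers":{"Next-Action":"x"}}',
    '{"type":"http","ts":"2026-01-28T03:15:40Z","src":"198.51.100.9","method":"GET",'
    ' "path":"/_next/static/chunks/main.js","headers":{}}',
    '{"type":"conn","ts":"2026-01-28T03:15:24Z","dst":"193.142.147.209","dport":12323,"proto":"tcp"}',
    '{"type":"conn","ts":"2026-01-28T03:16:01Z","dst":"205.185.127.97","dport":80,"proto":"tcp"}',
    '{"type":"conn","ts":"2026-01-28T03:16:30Z","dst":"203.0.113.9","dport":443,"proto":"tcp"}',
]

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG):
        print(ts, "; ".join(reasons))
```

The first sample request, a normal server action with a hex action ID from an unlisted address, is not flagged; the second is flagged twice (IOC source and odd header), and the two outbound connections to the reverse-shell port and the staging server are flagged as post-exploitation activity. IP-based matching only catches the two dominant sources, so the header heuristic and the outbound-connection checks are what catch the remaining long tail of the 1,083 sources.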