{"id":59851,"date":"2025-12-15T19:35:00","date_gmt":"2025-12-15T19:35:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=144502"},"modified":"2025-12-15T19:35:00","modified_gmt":"2025-12-15T19:35:00","slug":"defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/","title":{"rendered":"Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components"},"content":{"rendered":"<p class=\"wp-block-paragraph\">CVE-2025-55182 (also referred to as React2Shell; it also covers CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, this vulnerability could allow attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request.<\/p>\n<p class=\"wp-block-paragraph\">Exploitation activity related to this vulnerability was detected as early as December 5, 2025. Most successful exploits originated from red team assessments; however, we also observed real-world exploitation attempts by threat actors delivering multiple follow-on payloads, the majority of which were coin miners. Both Windows and Linux environments have been observed to be impacted.<\/p>\n<p class=\"wp-block-paragraph\">The React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than in the browser. It uses the Flight protocol to communicate between client and server. When a client requests data, the server receives a payload, parses this payload, executes server-side logic, and returns a serialized component tree. 
The vulnerability exists because affected React Server Components versions fail to validate incoming payloads. This could allow attackers to inject malicious structures that React accepts as valid, leading to prototype pollution and remote code execution.<\/p>\n<p class=\"wp-block-paragraph\">This vulnerability presents a significant risk because of the following factors:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Default configurations are vulnerable, requiring no special setup or developer error.<\/li>\n<li class=\"wp-block-list-item\">Public proof-of-concept exploits are readily available with near-100% reliability.<\/li>\n<li class=\"wp-block-list-item\">Exploitation requires no user authentication, since this is a pre-authentication vulnerability.<\/li>\n<li class=\"wp-block-list-item\">The vulnerability can be exploited with a single malicious HTTP request.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">In this report, Microsoft Defender researchers share insights from observed attacker activity exploiting this vulnerability. Detailed analyses, detection insights, mitigation recommendations, and hunting guidance are covered in the following sections. Further investigation towards providing stronger protection measures is in progress, and this report will be updated when more information becomes available.<\/p>\n<h2 class=\"wp-block-heading\" id=\"analyzing-cve-2025-55182-exploitation-activity\">Analyzing CVE-2025-55182 exploitation activity<\/h2>\n<p class=\"wp-block-paragraph\">React is widely adopted in enterprise environments. In Microsoft Defender telemetry, we see tens of thousands of distinct devices across several thousand organizations running React or React-based applications. 
Some of the vulnerable applications are deployed inside containers; in those cases the impact on the underlying host depends on the security configuration of the container.<\/p>\n<p class=\"wp-block-paragraph\">We identified several hundred machines across a diverse set of organizations compromised using common tactics, techniques, and procedures (TTPs) observed with web application RCE. To exploit CVE-2025-55182, an attacker sends a crafted POST request to a web application that exposes React Server Components functions. The request body is processed as a serialized object and passed to the backend server, where it is deserialized. Because the components trust each other by default, the deserialized attacker-controlled input is acted on, and the backend runs attacker-provided code under the Node.js runtime.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure1-attack-chain.webp\" alt class=\"wp-image-144508 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure1-attack-chain.webp\"><figcaption class=\"wp-element-caption\">Figure 1: Attack diagram depicting activity leading to action on objectives<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Post-exploitation, attackers were observed running arbitrary commands, such as launching reverse shells to known Cobalt Strike servers. To achieve persistence, attackers added new malicious users, deployed remote monitoring and management (RMM) tools such as MeshAgent, modified the <em>authorized_keys<\/em> file, and enabled root login. 
To evade security defenses, the attackers downloaded payloads from attacker-controlled Cloudflare Tunnel endpoints (for example, <em>*.trycloudflare.com<\/em>) and used <a href=\"https:\/\/attack.mitre.org\/techniques\/T1564\/013\/\">bind mounts<\/a> to hide malicious processes and artifacts from system monitoring tools.<\/p>\n<p class=\"wp-block-paragraph\">The malware payloads seen in campaigns investigated by Microsoft Defender include remote access trojans (RATs) such as VShell and EtherRAT, the SNOWLIGHT in-memory downloader used to stage additional payloads in target environments, ShadowPad, and XMRig cryptominers. The attacks then enumerated system details and environment variables to enable lateral movement and credential theft.<\/p>\n<p class=\"wp-block-paragraph\">Targeted credentials included identity tokens obtained by querying the instance metadata service (IMDS) endpoints of Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud; such tokens could be used to move laterally to other cloud resources. Attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts, to extract a range of secrets. Attempts to harvest AI and cloud-native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service-account credentials, were also observed. 
Azure Command-Line Interface (CLI) (az) and Azure Developer CLI (azd) were also used to obtain tokens.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure-2.webp\" alt class=\"wp-image-144509 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure-2.webp\"><figcaption class=\"wp-element-caption\">Figure 2: Example of reverse shell observed in one of the campaigns<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-protection-guidance\">Mitigation and protection guidance<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft recommends that customers act on the following mitigation recommendations:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Manual identification guidance<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Until full in-product coverage is available, you can manually assess exposure on servers or containers:<\/p>\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Navigate to your project directory and open the <em>node_modules<\/em> folder.<\/li>\n<li class=\"wp-block-list-item\">Review installed packages and look for:\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">react-server-dom-webpack<\/li>\n<li class=\"wp-block-list-item\">react-server-dom-parcel<\/li>\n<li class=\"wp-block-list-item\">react-server-dom-turbopack<\/li>\n<li class=\"wp-block-list-item\">next<\/li>\n<\/ul>\n<\/li>\n<li class=\"wp-block-list-item\">Validate versions against the known affected range:\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">React: 19.0.0, 19.1.0, 19.1.1, 19.2.0 (the react-server-dom-* packages carry the same version number as React)<\/li>\n<li class=\"wp-block-list-item\">Next.js: 15.0.0 \u2013 15.0.4, 15.1.0 \u2013 15.1.8, 15.2.0 \u2013 15.2.5, 15.3.0 \u2013 15.3.5, 15.4.0 \u2013 15.4.7, 15.5.0 \u2013 15.5.6, 16.0.0 \u2013 16.0.6, 14.3.0-canary.77 and later canary releases<\/li>\n<\/ul>\n<\/li>\n<li class=\"wp-block-list-item\">If any of these packages match the affected versions, remediation is required. Prioritize internet-facing assets first, especially those identified by Defender as externally exposed.<\/li>\n<\/ol>\n<p class=\"wp-block-paragraph\"><strong>Mitigation best practices<\/strong><\/p>\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Patch immediately\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">React and Next.js have released fixes for the impacted packages. Upgrade to one of the following patched versions (or later within the same release line):\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">React: 19.0.1, 19.1.2, 19.2.1<\/li>\n<li class=\"wp-block-list-item\">Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7<\/li>\n<\/ul>\n<\/li>\n<li class=\"wp-block-list-item\">Because many frameworks and bundlers rely on these packages, make sure your framework-level updates also pull in the corrected dependencies.<\/li>\n<\/ul>\n<\/li>\n<li class=\"wp-block-list-item\">Prioritize exposed services\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Patch all affected systems, starting with internet-facing workloads.<\/li>\n<li class=\"wp-block-list-item\">Use Microsoft Defender Vulnerability Management (MDVM) to surface vulnerable package inventory and to track remediation progress across your estate.<\/li>\n<\/ul>\n<\/li>\n<li class=\"wp-block-list-item\">Monitor for exploit activity\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Review MDVM dashboards and Defender alerts for indicators of attempted exploitation.<\/li>\n<li class=\"wp-block-list-item\">Correlate endpoint, container, and cloud signals for higher-confidence triage.<\/li>\n<li class=\"wp-block-list-item\">Invoke the incident response process to address any related suspicious activity stemming from this vulnerability.<\/li>\n<\/ul>\n<\/li>\n<li 
class=\"wp-block-list-item\">Add WAF protections where appropriate\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Apply Azure Web Application Firewall (WAF) custom rules for Application Gateway and Application Gateway for Containers to help block exploit patterns while patching is in progress. Microsoft has <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/azurenetworksecurityblog\/protect-against-react-rsc-cve-2025-55182-with-azure-web-application-firewall-waf\/4475291\">published rule guidance and JSON examples<\/a> in the Azure Network Security Blog, with ongoing updates as new attack permutations are identified.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p class=\"wp-block-paragraph\"><strong>Recommended customer action checklist<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Identify affected React Server Components packages in your applications and images.<\/li>\n<li class=\"wp-block-list-item\">Upgrade to patched versions. Refer to the <a href=\"https:\/\/react.dev\/blog\/2025\/12\/03\/critical-security-vulnerability-in-react-server-components\">React<\/a> page for patching guidance.<\/li>\n<li class=\"wp-block-list-item\">Prioritize internet-facing services for emergency change windows.<\/li>\n<li class=\"wp-block-list-item\">Enable and monitor Defender alerts tied to React Server Components exploitation attempts.<\/li>\n<li class=\"wp-block-list-item\">Apply <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/azurenetworksecurityblog\/protect-against-react-rsc-cve-2025-55182-with-azure-web-application-firewall-waf\/4475291\">Azure WAF custom rules<\/a> as a compensating control where feasible.<\/li>\n<li class=\"wp-block-list-item\">Use MDVM to validate coverage and confirm risk reduction post-update.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">CVE-2025-55182 represents a high-impact, low-friction attack path against modern React Server Components deployments. 
Rapid patching, combined with layered Defender monitoring and WAF protections, provides the strongest short-term and long-term risk reduction strategy.<\/p>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<p class=\"wp-block-paragraph\">Customers with provisioned access can also use <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/security-copilot-in-microsoft-365-defender\">Microsoft Security Copilot in Microsoft Defender<\/a> to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Tactic<\/strong><\/td>\n<td><strong>Observed activity<\/strong><\/td>\n<td><strong>Microsoft Defender coverage<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Initial Access \/ Execution<\/td>\n<td>Suspicious process launched by Node<\/td>\n<td><p><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 Possible exploitation of React Server Components vulnerability (2 detectors)<\/p>\n<p><strong>Microsoft Defender Antivirus<\/strong> <br \/>\u2013 HackTool:Linux\/SuspNodeActivity.A <br \/>\u2013 HackTool:Linux\/SuspNodeActivity.B <br \/>\u2013 Behavior:Linux\/SuspNodeActivity.B <br \/>\u2013 Trojan:JS\/CVE-2025-55182.A <br \/>\u2013 Trojan:VBS\/CVE-2025-55182.DA!MTB<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>Execution<\/td>\n<td>Execution of suspicious commands initiated by the <em>next-server<\/em> parent process to probe for command execution capabilities<\/td>\n<td><p><strong>Microsoft Defender for Cloud<\/strong> <br \/>\u2013 Potential React2Shell command injection detected on a Kubernetes cluster <br \/>\u2013 Potential React2Shell command injection detected on Azure App Service<\/p>\n<p><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 Suspicious process executed by a network service <br \/>\u2013 Suspicious Node.js script execution <br \/>\u2013 Suspicious Node.js process behavior<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\">In many cases, post-exploitation activity was also detected and the following alerts were triggered on the victim devices. Note that these alerts can also be triggered by unrelated threat activity.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Tactic<\/strong><\/td>\n<td><strong>Observed activity<\/strong><\/td>\n<td><strong>Microsoft Defender coverage<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Execution<\/td>\n<td>Suspicious downloads, encoded execution, anomalous service\/process creation, and behaviors indicative of a reverse shell and crypto-mining<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 Suspicious PowerShell download or encoded command execution <br \/>\u2013 Possible reverse shell <br \/>\u2013 Suspicious service launched <br \/>\u2013 Suspicious anonymous process created using memfd_create <br \/>\u2013 Possible cryptocurrency miner<\/td>\n<\/tr>\n<tr>\n<td>Defense Evasion<\/td>\n<td>Unauthorized code execution through process manipulation, abnormal DLL loading, and misuse of legitimate system tools<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 A process was injected with potentially malicious code <br \/>\u2013 An executable file loaded an unexpected DLL file <br \/>\u2013 Use of living-off-the-land binary to run malicious code<\/td>\n<\/tr>\n<tr>\n<td>Credential Access<\/td>\n<td>Unauthorized use of Kerberos tickets to impersonate accounts and gain unauthorized access<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 Pass-the-ticket attack<\/td>\n<\/tr>\n<tr>\n<td>Credential Access<\/td>\n<td>Suspicious access to sensitive files such as cloud and Git credentials<\/td>\n<td><strong>Microsoft Defender for Cloud<\/strong> <br \/>\u2013 Possible secret reconnaissance detected<\/td>\n<\/tr>\n<tr>\n<td>Lateral Movement<\/td>\n<td>Attacker activity observed in multiple environments<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong> <br \/>\u2013 Hands-on-keyboard attack involving multiple devices<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"automatic-attack-disruption-through-microsoft-defender-for-endpoint-alerts\">Automatic attack disruption through Microsoft Defender for Endpoint alerts<\/h3>\n<p class=\"wp-block-paragraph\">To better support customers in the event of exploitation, we are expanding our detection framework to identify and alert on CVE-2025-55182 activity across all operating systems for Microsoft Defender for Endpoint customers. 
These detections are integrated with <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/automatic-attack-disruption\">automatic attack disruption<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">When these alerts, combined with other signals, provide high confidence of active attacker behavior, automatic attack disruption can initiate autonomous containment actions to help stop the attack and prevent further progression.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-vulnerability-management-and-microsoft-defender-for-cloud\">Microsoft Defender Vulnerability Management and Microsoft Defender for Cloud<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender for Cloud has rolled out support to surface CVE-2025-55182 through agentless scanning of containers and cloud virtual machines (VMs); follow the Defender for Cloud documentation to enable agentless scanning if it is not already on.<\/p>\n<p class=\"wp-block-paragraph\">We are currently expanding detection for this vulnerability in Microsoft Defender Vulnerability Management (MDVM) on Windows, Linux, and macOS devices. 
In parallel, we recommend that you upgrade affected React Server Components and Next.js packages immediately to patched versions to reduce risk.<\/p>\n<p class=\"wp-block-paragraph\">Once detection is fully deployed, MDVM and Microsoft Defender for Cloud dashboards will surface:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Identification of exposed assets in the organization<\/li>\n<li class=\"wp-block-list-item\">Clear remediation guidance tied to your affected assets and workloads<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot<\/h3>\n<p class=\"wp-block-paragraph\">Security Copilot customers can use the standalone experience to <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/prompting-security-copilot#create-your-own-prompts\">create their own prompts<\/a> or run the following <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/using-promptbooks\">prebuilt promptbooks<\/a> to automate incident response or investigation tasks related to this threat:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Incident investigation<\/li>\n<li class=\"wp-block-list-item\">Microsoft User analysis<\/li>\n<li class=\"wp-block-list-item\">Threat actor profile<\/li>\n<li class=\"wp-block-list-item\">Threat Intelligence 360 report based on MDTI article<\/li>\n<li class=\"wp-block-list-item\">Vulnerability impact assessment<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.<\/p>\n<h3 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious 
activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR threat analytics <\/p>\n<p class=\"wp-block-paragraph\">Microsoft Security Copilot customers can also use the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/security-copilot-and-defender-threat-intelligence?bc=%2Fsecurity-copilot%2Fbreadcrumb%2Ftoc.json&amp;toc=%2Fsecurity-copilot%2Ftoc.json#turn-on-the-security-copilot-integration-in-defender-ti\">Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/using-copilot-threat-intelligence-defender-xdr\">embedded experience<\/a> in the Microsoft Defender portal, to get more information about this threat.<\/p>\n<h2 class=\"wp-block-heading\" id=\"hunting-queries-and-recommendations\">Hunting queries and recommendations<\/h2>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-xdr\">Microsoft Defender XDR<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can run the following queries to find related activity in their networks:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Detect potential React2Shell command injection attempts (cloud workloads)<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nCloudProcessEvents\n|\u00a0where (ProcessCommandLine == \"\/bin\/sh -c (whoami)\" and (ParentProcessName == \"node\" or ParentProcessName has \"next-server\")) or (ProcessCommandLine has_any (\"echo\",\"powershell\") and ProcessCommandLine matches regex 
@'(echo\\s+\\$\\(\\(\\d+\\*\\d+\\)\\)|powershell\\s+-c\\s+\"\\d+\\*\\d+\")')\n| project Timestamp, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, FileName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Identify encoded PowerShell attempts<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"48\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nlet lookback = 10d;\nDeviceProcessEvents\n| where Timestamp &gt;= ago(lookback)\n| where InitiatingProcessParentFileName has \"node\"\n| where InitiatingProcessCommandLine has_any (\"next start\", \"next-server\") or ProcessCommandLine has_any (\"next start\", \"next-server\")\n| summarize make_set(InitiatingProcessCommandLine), make_set(ProcessCommandLine) by DeviceId, Timestamp\n\/\/looking for powershell activity\n| where set_ProcessCommandLine has_any (\"cmd.exe\",\"powershell\")\n| extend decoded_powershell_1 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],\"EncodedCommand \",1).[0]),'\"',0).[0]))),\"\\0\",\"\")\n| extend decoded_powershell_1b = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],\"Enc \",1).[0]),'\"',0).[0]))),\"\\0\",\"\")\n| extend decoded_powershell_2 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],\"enc \",1).[0]),'\"',0).[0]))),\"\\0\",\"\")\n| extend decoded_powershell_3 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],\"ec \",1).[0]),'\"',0).[0]))),\"\\0\",\"\")\n| where set_ProcessCommandLine !has \"'powershell -c \" | extend decoded_powershell = iff( isnotempty( decoded_powershell_1),decoded_powershell_1, 
iff(isnotempty( decoded_powershell_2), decoded_powershell_2, iff(isnotempty( decoded_powershell_3), decoded_powershell_3,decoded_powershell_1b)))\n| project-away decoded_powershell_1, decoded_powershell_1b, decoded_powershell_2,decoded_powershell_3\n| where isnotempty( decoded_powershell)\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Identify execution of suspicious commands initiated by the <em>next-server<\/em> parent process post-exploitation (Windows hosts)<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nlet lookback = 10d;\nDeviceProcessEvents\n| where Timestamp &gt;= ago(lookback)\n| where InitiatingProcessFileName =~ \"node.exe\" and InitiatingProcessCommandLine has \".js\"\n| where FileName =~ \"cmd.exe\"\n| where (ProcessCommandLine has_any (@\"\\next\\\", @\"\\npm\\npm\\node_modules\\\", \"\\\\server.js\") and (ProcessCommandLine has_any (\"powershell -c \\\"\", \"curl\", \"wget\", \"echo $\", \"ipconfig\", \"start msiexec\", \"whoami\", \"systeminfo\", \"$env:USERPROFILE\", \"net user\", \"net group\", \"localgroup administrators\", \"-ssh\", \"set-MpPreference\", \"add-MpPreference\", \"rundll32\", \"certutil\", \"regsvr32\", \"bitsadmin\", \"mshta\", \"msbuild\") or (ProcessCommandLine has \"powershell\" and (ProcessCommandLine has_any (\"Invoke-Expression\", \"DownloadString\", \"DownloadFile\", \"FromBase64String\", \"Start-Process\", \"System.IO.Compression\", \"System.IO.MemoryStream\", \"iex \", \"iex(\", \"Invoke-WebRequest\", \"iwr \", \".UploadFile\", \"System.Net.WebClient\") or ProcessCommandLine matches regex @\"[-\/\u2013][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\\s[A-Za-z0-9+\/=]{15,}\")))) or ProcessCommandLine matches regex @'cmd\\.exe\\s+\/d\\s+\/s\\s+\/c\\s+\"powershell\\s+-c\\s+\"[0-9]+\\*[0-9]+\"\"'\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Identify execution of suspicious commands 
initiated by the <em>next-server<\/em> parent process post-exploitation (Linux hosts)<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nlet lookback = 10d;\nDeviceProcessEvents\n| where Timestamp &gt;= ago(lookback)\n| where InitiatingProcessFileName == \"node\"\n| where InitiatingProcessCommandLine has_any (\" server.js\", \" start\", \"\/server.js\")\n| where ProcessCommandLine has_any (\"| sh\", \"openssl,\", \"\/dev\/tcp\/\", \"| bash\", \"|sh\", \"|bash\", \"bash,\", \"{sh,}\", \"SOCK_STREAM\", \"bash -i\", \"whoami\", \"| base64 -d\", \"chmod +x \/tmp\", \"chmod 777\")\n| where ProcessCommandLine !contains \"vscode\" and ProcessCommandLine !contains \"\/.claude\/\" and ProcessCommandLine !contains \"\/claude\"\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR\u2019s <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/investigate-incidents#blast-radius-analysis\"><strong>blast radius analysis<\/strong><\/a> capability, incorporated into the incident investigation view, allows security teams to visualize and understand the business impact of a security compromise by showing potential propagation paths towards the organization\u2019s critical assets before it escalates into a full-blown incident. 
This capability merges pre-breach estate understanding with post-breach views, allowing security teams to map their interconnected assets, and highlights the paths teams should prioritize for remediation based on the criticality of assets and their connectivity to the compromised entities.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-cloud\">Microsoft Defender for Cloud<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender for Cloud customers can use security explorer templates to locate exposed containers running vulnerable container images and vulnerable virtual machines. Templates titled <em>Internet exposed containers running container images vulnerable to React2Shell vulnerability CVE-2025-55182<\/em> and <em>Internet exposed virtual machines vulnerable to React2Shell vulnerability CVE-2025-55182<\/em> have been added to the gallery.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure3.webp\" alt class=\"wp-image-144511 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure3.webp\"><figcaption class=\"wp-element-caption\">Figure 3. Microsoft Defender for Cloud security explorer templates related to CVE-2025-55182<\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"microsoft-security-exposure-management\">Microsoft Security Exposure Management<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Security Exposure Management\u2019s automated <a href=\"https:\/\/learn.microsoft.com\/en-us\/security-exposure-management\/work-attack-paths-overview\">attack path analysis<\/a> maps out potential threats by identifying exposed resources and tracing the routes an attacker might take to compromise critical assets. 
This analysis highlights vulnerable cloud compute resources, such as virtual machines and Kubernetes containers, that are susceptible to remote code execution vulnerabilities, including the React2Shell CVEs. It also outlines possible lateral movement steps an adversary might take within the environment. The attack paths are presented for all supported cloud environments, including Azure, AWS, and GCP.<\/p>\n<p class=\"wp-block-paragraph\">To view these paths, filter the attack path view in Microsoft Security Exposure Management by entry point type:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Kubernetes container<\/li>\n<li class=\"wp-block-list-item\">Virtual Machine<\/li>\n<li class=\"wp-block-list-item\">AWS EC2 instance<\/li>\n<li class=\"wp-block-list-item\">GCP compute instance<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Alternatively, in Microsoft Defender for Cloud, customers can filter by titles such as:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Internet exposed container with high severity vulnerabilities<\/li>\n<li class=\"wp-block-list-item\">Internet exposed Azure VM with RCE vulnerabilities<\/li>\n<li class=\"wp-block-list-item\">Internet exposed GCP compute instance with RCE vulnerabilities<\/li>\n<li class=\"wp-block-list-item\">Internet exposed AWS EC2 instance with RCE vulnerabilities<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"microsoft-sentinel\">Microsoft Sentinel<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\">Microsoft Sentinel Content Hub<\/a> to have the analytics rules deployed in their Sentinel workspace.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Detect network IP and domain indicators of compromise using ASIM<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"42\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\n\/\/ IP list and domain list - _Im_NetworkSession\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic([\"194.69.203.32\", \"162.215.170.26\", \"216.158.232.43\", \"196.251.100.191\", \"46.36.37.85\", \"92.246.87.48\"]);\nlet ioc_domains = dynamic([\"anywherehost.site\", \"xpertclient.net\", \"superminecraft.net.br\", \"overcome-pmc-conferencing-books.trycloudflare.com\", \"donaldjtrmp.anondns.net\", \"labubu.anondns.net\", \"krebsec.anondns.net\", \"hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com\", \"ghostbin.axel.org\", \"194.69.203.32:81\", \"194.69.203.32:81\", \"194.69.203.32:81\", \"162.215.170.26:3000\", \"216.158.232.43:12000\", \"overcome-pmc-conferencing-books.trycloudflare.com\", \"donaldjtrmp.anondns.net:1488\", \"labubu.anondns.net:1488\", \"krebsec.anondns.net:2316\/dong\", \"hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com\", \"ghostbin.axel.org\"]);\n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)\n| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Detect web session IP and file hash indicators of compromise using ASIM<\/strong><\/p>\n<div 
class=\"wp-block-syntaxhighlighter-code \" readability=\"36\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\n\/\/ IP list and file hash list - _Im_WebSession\nlet lookback = 30d;\nlet ioc_ip_addr = dynamic([\"194.69.203.32\", \"162.215.170.26\", \"216.158.232.43\", \"196.251.100.191\", \"46.36.37.85\", \"92.246.87.48\"]);\nlet ioc_sha_hashes = dynamic([\"c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c\", \"9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331\", \"b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f\", \"d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f\", \"d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a\", \"d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d\", \"b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8\", \"4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d\", \"f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b\", \"661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1\", \"876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13\", \"2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457\", \"f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7\", \"7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5\"]);\n_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)\n| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Detect domain and URL indicators of compromise using ASIM<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"29\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\n\/\/ 
Domain list - _Im_WebSession\nlet ioc_domains = dynamic([\"anywherehost.site\", \"xpertclient.net\", \"superminecraft.net.br\", \"overcome-pmc-conferencing-books.trycloudflare.com\", \"donaldjtrmp.anondns.net\", \"labubu.anondns.net\", \"krebsec.anondns.net\", \"hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com\", \"ghostbin.axel.org\", \"194.69.203.32:81\", \"194.69.203.32:81\", \"194.69.203.32:81\", \"162.215.170.26:3000\", \"216.158.232.43:12000\", \"overcome-pmc-conferencing-books.trycloudflare.com\", \"donaldjtrmp.anondns.net:1488\", \"labubu.anondns.net:1488\", \"krebsec.anondns.net:2316\/dong\", \"hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com\", \"ghostbin.axel.org\"]);\n_Im_WebSession (url_has_any = ioc_domains)\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Detect file hash indicators of compromise using ASIM<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"26\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\n\/\/ file hash list - imFileEvent\nlet ioc_sha_hashes = dynamic([\"c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c\", \"9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331\", \"b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f\", \"d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f\", \"d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a\", \"d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d\", \"b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8\", \"4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d\", \"f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b\", \"661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1\", \"876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13\", \"2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457\", 
\"f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7\", \"7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5\"]);\nimFileEvent\n| where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes)\n| extend AccountName = tostring(split(User, @'\\')[1]), AccountNTDomain = tostring(split(User, @'\\')[0])\n| extend AlgorithmType = \"SHA256\"\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Find use of reverse shells<\/strong><\/p>\n<p class=\"wp-block-paragraph\">This query looks for potential reverse shell activity initiated by <em>cmd.exe<\/em> or <em>PowerShell<\/em>. It matches the reverse shells used in this attack: <a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Hunting%20Queries\/Microsoft%20365%20Defender\/Execution\/reverse-shell-nishang.yaml\">reverse-shell-nishang<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p class=\"wp-block-paragraph\">The indicators of compromise referenced in this report (coin miner and backdoor payload hashes, payload download URLs, and C2 IP addresses and domains) are non-exhaustive and do not represent all indicators observed in the known campaigns.<\/p>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p class=\"wp-block-paragraph\">For the latest security research from the Microsoft Threat Intelligence community, check out the <a href=\"https:\/\/aka.ms\/threatintelblog\">Microsoft Threat Intelligence Blog<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To get notified about new publications and to join discussions on social media, follow us on <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">LinkedIn<\/a>, <a href=\"https:\/\/x.com\/MsftSecIntel\">X (formerly Twitter)<\/a>, and <a href=\"https:\/\/bsky.app\/profile\/threatintel.microsoft.com\">Bluesky<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">Microsoft Threat Intelligence podcast<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">The guidance provided in this blog post represents general best practices and is intended for informational purposes only. 
Customers remain responsible for evaluating and implementing security measures appropriate for their environments.<\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/12\/15\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE-2025-55182 (also referred to as React2Shell and includes CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components and related frameworks.<br \/>\nThe post Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[],"class_list":["post-59851","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure"],"yoast_head_json":{"title":"Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/","og_locale":"en_US","og_type":"article","og_title":"Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2025-12-15T19:35:00+00:00","og_image":[{"width":432,"height":435,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"20 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components","datePublished":"2025-12-15T19:35:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/"},"wordCount":2910,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure1-attack-chain.webp","articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/","url":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/","name":"Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure1-attack-chain.webp","datePublished":"2025-12-15T19:35:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure1-attack-chain.webp","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/12\/Figure1-attack-chain.webp"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server 
Components"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a
8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59851","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=59851"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59851\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=59851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=59851"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=59851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}