Compromised Next.js devices weaponized by attackers: thousands remain vulnerable


Security researchers warn that hundreds of already compromised Next.js devices are hitting honeypots, while tens of thousands of servers remain vulnerable to the critical React vulnerability.

Eduardo Borges, a digital entrepreneur, shared a story on X of being hacked: a botnet was using his IP to attack others.

“My server wasn't serving my app anymore; it was mining crypto for someone else!” Borges said.

“It wasn't a random SSH brute force. It was inside my Next.js container. The malware was sophisticated. It renamed itself nginxs and apaches to look like web servers.”

Borges tracked the Monero address used by the attackers and discovered that there were 415 other active “zombies” in the botnet, earning approximately $4.26 on the first day of operation.
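The process names Borges describes, nginxs and apaches, sit one character away from real web server names, which makes them easy to check for in a process listing. The following is an added example, not code from Borges or Shadowserver; the sample listing, PIDs and paths are constructed, and the list of legitimate server names is an assumption to adjust per environment.

```python
# Added example: flag process names that imitate, but do not equal,
# a known web server name. All sample data below is constructed.
KNOWN_SERVERS = {"nginx", "apache", "apache2", "httpd"}  # assumed allowlist

# Constructed output in the shape of `ps -eo pid,comm,args`.
SAMPLE_PS = """\
  PID COMMAND         COMMAND
    1 node            node server.js
   41 nginxs          /tmp/nginxs
   57 apaches         /tmp/apaches
   63 nginx           nginx: master process
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def find_lookalikes(ps_output: str, max_distance: int = 1):
    """Return (pid, name, imitated_server) for near-miss process names."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:    # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        pid, name = parts[0], parts[1]
        if name in KNOWN_SERVERS:                      # exact match: not a lookalike
            continue
        for legit in sorted(KNOWN_SERVERS):
            if edit_distance(name.lower(), legit) <= max_distance:
                hits.append((int(pid), name, legit))
                break
    return hits

if __name__ == "__main__":
    for pid, name, legit in find_lookalikes(SAMPLE_PS):
        print(f"pid {pid}: '{name}' resembles '{legit}'")
```

Feed it the real output of `ps -eo pid,comm,args` from inside the container. A binary renamed to an exact server name passes this check, so pair it with a comparison of each process's executable path against the image's expected contents.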

According to the Shadowserver Foundation, a nonprofit security organization, attacks from bot-compromised Next.js assets spiked last Friday, increasing from the usual baseline of 100 IPs to nearly 1,000.

“Like others, we are seeing attacks attempting to exploit React CVE-2025-55182 at scale, including botnet-related activity,” said Piotr Kijewski, CEO at The Shadowserver Foundation.

Cybernews reported that Chinese hackers have already been exploiting the newly identified vulnerability, dubbed React2Shell. This flaw affects React Server Components (RSC) that run on the server instead of the browser. Unauthenticated attackers can abuse this flaw to execute code remotely.

Next.js is one of the many popular React frameworks. Currently, Next.js bots are the most active attacking devices tracked by Shadowserver. The number of compromised servers decreased over the weekend as administrators likely secured their systems.

Like others we are seeing attacks attempting to exploit React CVE-2025-55182 at scale, incl. botnet related activity. How successful have these attacks been? You can get a view here, where we track compromised host with Next.js attacking our sensors: dashboard.shadowserver.org/statistics/h...

The Shadowserver Foundation (@shadowserver.bsky.social), December 8, 2025 at 1:31 PM

By the end of December 7th, nearly 29,000 publicly discoverable IPs were running exposed services vulnerable to React2Shell. The number of IPs has decreased from over 77,600 on December 5th.

Christoph Hartmann, CTO and Co-Founder at Mondoo, warns that the RSC flaw, which also affects Next.js, is extremely dangerous because attackers can trigger remote code execution without authentication, credentials, or special privileges.


“Since React and Next.js power millions of websites and SaaS platforms, and the vulnerability affects default configurations used in many deployments, the attack surface is massive. With no authentication required, exploitation is trivial, making these CVEs some of the highest-severity web framework vulnerabilities in recent years,” Hartmann said.

