Attackers exploit React2Shell vulnerability to target home CCTV, smart plugs, and TVs


A critical new flaw in React Server Components has unleashed a global wave of automated attacks hammering thousands of smart devices.

In the days following the disclosure of CVE-2025-55182 – a critical Node.js vulnerability now informally known as React2Shell – Bitdefender researchers observed an explosion of exploitation attempts.

The bug, labeled by developers as a “worst case scenario,” enables external attackers to run privileged, arbitrary code on servers without any authorization. While the React team urged updates, researchers identified 150,000 exploit attempts a day, many involving direct command injection.


React2Shell is dangerously easy to automate, and botnet operators wasted no time folding it into their toolkits. The vulnerability offers a clean and direct path from a simple web request to high-impact system commands.

With a minimal payload size, no special obfuscation required, and broad applicability across Node.js ecosystems, React2Shell fits the exact profile of exploits that botnets rush to adopt.


Smart home telemetry gathered over the past month by Bitdefender researchers shows just how aggressively the vulnerability is being exploited in the wild.

Attackers mainly targeted smart home appliances and consumer electronics. A significant amount of React2Shell traffic originated from a single datacenter in Poland, with one IP address alone responsible for over 12,000 exploit events.

Additional probing originated from the US, the Netherlands, Ireland, France, Hong Kong, Singapore, China, Panama, and numerous other regions.

What devices have been targeted?

  • Smart plugs
  • Smartphones
  • NAS devices
  • IP cameras and surveillance systems
  • Routers
  • Development boards
  • Smart TVs and assorted consumer electronics

Tens of thousands of servers at risk

Since the vulnerability was reported, multiple security researchers have warned that honeypots are detecting hundreds of already compromised Next.js devices. At the same time, tens of thousands of servers remain vulnerable to the critical flaw. The impact is huge as React and Next.js power millions of websites and SaaS platforms.

By the end of December 7th, nearly 29,000 publicly discoverable IPs were still running exposed services vulnerable to React2Shell, down from over 77,600 on December 5th.

Chinese hackers have already been exploiting the newly identified vulnerability, which affects React Server Components (RSC), the React components that run on the server rather than in the browser.

At the beginning of December, Cloudflare suffered a major service outage. The outage was traced to a faulty update that React had rolled out to secure systems against the critical React2Shell vulnerability.


Unlock more exclusive Cybernews content on YouTube.