Outbreak Alert

React2Shell Remote Code Execution

Released: Dec 05, 2025
Updated: Apr 02, 2026
Tags: React2Shell, RCE, Vulnerability, Attack
Severity: Critical

Critical Unauthenticated RCE in React Server Components Actively Exploited in the Wild

React2Shell is a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components (RSC) and frameworks that implement the Flight protocol, including specific vulnerable versions of Next.js. A remote attacker can craft a malicious RSC request that triggers server-side deserialization, leading to arbitrary code execution without authentication or user interaction.

Common Vulnerabilities and Exposures

- CVE-2025-55182
- CVE-2025-66478

Background

Due to the widespread use of React and Next.js in production environments, organizations are strongly urged to apply patches immediately, enforce WAF protections on RSC/Flight endpoints, and conduct proactive threat hunting. CISA has added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog following confirmed evidence of active exploitation. AWS Security has also reported exploitation activity originating from infrastructure historically linked to China state-nexus threat actors.

Successful exploitation can lead to:

- Full server compromise, including deployment of persistent backdoors
- Credential harvesting and access to sensitive application data
- Execution of arbitrary Node.js commands on the affected server
- Lateral movement across connected systems and cloud environments

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
Organizations should review the vendor advisories for complete version details, mitigation steps, and updated guidance. FortiGuard customers are protected by multiple layers of defense against these exploits. Refer to the Solutions tab for information.

- April 02, 2026: Cisco Talos disclosed a large-scale automated credential harvesting campaign carried out by a threat cluster tracked as "UAT-10608."
  https://blog.talosintelligence.com/uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications/
- December 12, 2025: Multiple Threat Actors Exploit React2Shell: Google Threat Intelligence Group
  https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/
- December 05, 2025: CISA has added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation.
- December 05, 2025: FortiGuard Labs released a Threat Signal for React2Shell Remote Code Execution (RCE) Vulnerability.
  https://www.fortiguard.com/threat-signal-report/6281/react2shell-remote-code-execution-rce-vulnerability
- December 04, 2025: Lacework FortiCNAPP Protection update and response added for React & NextJS Remote Code Execution Vulnerability.
  https://community.fortinet.com/t5/Lacework/Technical-Tip-How-does-Lacework-FortiCNAPP-Protect-from-CVE-2025/ta-p/421658
- December 04, 2025: AWS Security has observed exploitation activity originating from infrastructure historically linked to China-nexus threat actors, noting rapid mass exploitation of vulnerable internet-facing RSC/Next.js deployments.
- December 03, 2025: Security advisory released by Next.js; the fix was published to npm and the vulnerability publicly disclosed as CVE-2025-55182.
  https://nextjs.org/blog/CVE-2025-66478
- November 30, 2025: Meta security researchers confirmed and began working with the React team on a fix.
- November 29, 2025: Lachlan Davidson reported the security vulnerability via Meta Bug Bounty.
  https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.

- PROTECT: Lure, Decoy VM, AV, AV (Pre-filter), IPS, Web App Security, Web & DNS Filter
- DETECT: IOC, Outbreak Detection, Cloud Threat Detection
- RESPOND: Automated Response, Assisted Response Services
- RECOVER: NOC/SOC Training, End-User Training
- IDENTIFY: Attack Surface Hardening

Lure
- FortiDeceptor: DB 20260211

Decoy VM
- FortiDeceptor: DB 20260211

AV: Detects known malware related to the Outbreak
- FortiADC: DB 93.06352
- FortiCASB: DB 93.06352
- FortiCWP: DB 93.06352
- FortiClient: DB 93.06352
- FortiGate: DB 93.06352
- FortiMail: DB 93.06352
- FortiProxy: DB 93.06352
- FortiSASE: DB 93.06352
- FortiWeb: DB 93.06352

AV (Pre-filter): Detects known malware related to the Outbreak
- FortiEDR: DB 93.06352
- FortiNDR: DB 93.06352
- FortiSandbox: DB 93.06352

IPS: Detects and blocks attack attempts leveraging the vulnerability
- FortiADC: DB 35.129
- FortiGate: DB 35.129
- FortiNDR: DB 35.129
- FortiNDR Cloud: DB 35.129
- FortiProxy: DB 35.129
- FortiSASE: DB 35.129

Web App Security: Detects and blocks attack attempts leveraging the vulnerability
- FortiADC: DB 1.00068
- FortiWeb: DB 0.00415

Web & DNS Filter
- FortiGate

IOC
- FortiAnalyzer
- FortiCloud SOCaaS
- FortiSIEM
- FortiSOAR

Outbreak Detection
- FortiAnalyzer: DB 2.00087
- FortiNDR Cloud
- FortiSIEM
- FortiSOAR

Cloud Threat Detection
- FortiCNAPP Lacework

Automated Response: Services that can automatically respond to this outbreak.
- FortiXDR

Assisted Response Services: Experts to assist you with analysis, containment and response activities.
- Incident Response

NOC/SOC Training: Train your network and security professionals and optimize your incident response to stay on top of cyberattacks.
- NSE Training
- Response Readiness

End-User Training: Raise security awareness among your employees, who are continuously targeted by phishing, drive-by downloads and other forms of cyberattacks.
- Security Awareness & Training

Attack Surface Hardening: Check Security Fabric devices to build actionable configuration recommendations and key indicators.
- Security Rating

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.

References

Sources of information in support and relation to this Outbreak and vendor.

- React Blog
- Google Cloud Guidance
- Next.js Advisory
- AWS Security Blog
The React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) is a critical, unauthenticated remote code execution flaw in React Server Components where a crafted malicious RSC request triggers server-side deserialization. Affected versions include React 19.0.0 through 19.2.0 and Next.js >=15.0.0 <15.0.5, with patches available in React 19.2.1 and Next.js 15.0.5. Organizations should apply these patches immediately, enforce WAF protections on RSC/Flight endpoints, and conduct proactive threat hunting.
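One way to triage deployments against the version ranges stated above is to scan a project's lockfile, including nested copies pulled in by dependencies. This is an added example, not code from FortiGuard, React or Next.js; it assumes the npm package names `react` and `next`, a `package-lock.json` with the lockfileVersion 2/3 `packages` map, and only the ranges this page gives (the vendor advisories carry the complete version details).

```javascript
// Ranges exactly as stated on this page; vendor advisories hold the full list.
const AFFECTED = {
  react: { min: [19, 0, 0], max: [19, 2, 0], maxInclusive: true, fixed: "19.2.1" },
  next: { min: [15, 0, 0], max: [15, 0, 5], maxInclusive: false, fixed: "15.0.5" },
};

// Split "x.y.z[-pre][+build]" into a numeric core and a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function classify(name, version) {
  if (!Object.hasOwn(AFFECTED, name)) return "not-listed";
  const r = AFFECTED[name];
  const v = parseVersion(version);
  if (!v) return "review"; // git/tarball specifiers etc. need a manual look
  const lo = cmp(v.core, r.min);
  const hi = cmp(v.core, r.max);
  if (lo < 0 || hi > 0) return "not-affected";
  if (v.pre) return "review"; // the page says nothing about prerelease builds
  if (hi === 0 && !r.maxInclusive) return "not-affected"; // the fixed release itself
  return "affected";
}

// Walk the lockfile "packages" map; nested node_modules copies are included.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const status = classify(name, meta.version);
    if (status === "affected" || status === "review") {
      findings.push({ path, name, version: meta.version, status, fixed: AFFECTED[name].fixed });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.0.3" },
  "node_modules/react": { version: "19.2.1" },
  "node_modules/legacy-widget/node_modules/react": { version: "19.1.0" },
  "node_modules/react-dom": { version: "19.2.1" },
} };

console.log(scanLockfile(SAMPLE_LOCK));
```

The nested `legacy-widget` copy of `react` is flagged even though the top-level `react` is already on the fixed release, which is the case a check of `package.json` alone would miss.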