Threat Actors Hijack Web Traffic After Exploiting React2Shell Vulnerability: Report

The React2Shell flaw, catalogued as CVE‑2025‑55182, resides in the React 19 library’s server‑component rendering pipeline. By injecting malicious payloads into the component lifecycle, attackers can achieve arbitrary code execution on any server that runs an unpatched version of React. Although the vulnerability was disclosed late last year, exploitation has quickly moved from opportunistic cryptomining to more sophisticated intrusion chains. Security researchers note that the flaw’s low barrier to entry—combined with automated scanning tools—has made it a favorite entry point for threat actors seeking to compromise modern web stacks.

Once inside a compromised host, adversaries gravitate toward NGINX instances managed through the Boato Panel, a popular control interface in several Asian hosting environments. By rewriting NGINX configuration files, they can reroute legitimate requests to malicious landing pages, inject drive‑by download scripts, or harvest session cookies for credential theft. The recent Datadog analysis shows a concentration of attacks on domains ending in .in, .id, .pe, .bd, .edu, .gov and .th, as well as Chinese infrastructure, indicating a strategic focus on high‑visibility regional targets. This technique revives classic traffic‑hijacking tactics in an era of stronger user‑level authentication.

Mitigating React2Shell‑driven hijacks hinges on rigorous configuration management and prompt patch deployment. Organizations should enforce immutable baselines for NGINX config files, employ file‑integrity monitoring solutions, and regularly audit Boato Panel access controls. Keeping React libraries up to date eliminates the initial foothold, while subscribing to NGINX security advisories ensures rapid response to emerging exploits. As AI‑assisted scanning lowers the cost of discovering vulnerable servers, the onus falls on CSOs to integrate continuous vulnerability scanning into their DevSecOps pipelines. Proactive hardening not only protects traffic integrity but also preserves brand reputation in an increasingly hostile web ecosystem.