Advisory ID: NCC-CSIRT-2025-030
Summary:
React Server Components (RSC) are a new paradigm in the React ecosystem that allows developers to render components exclusively on the server.
A critical remote-code-execution vulnerability known as React2Shell (CVE-2025-55182) in React Server Components and some frameworks like Next.js continues to be actively exploited by threat actors to deliver malware, including ZnDoor, a sophisticated remote access trojan targeting network-connected systems. The vulnerability enables attackers to execute arbitrary shell commands via specially crafted HTTP requests, leading to post-exploitation deployment of ZnDoor, which provides interactive shells, file operations, SOCKS5 proxy capability, system enumeration, and remote command execution. Attackers configure ZnDoor to maintain persistent connectivity to command-and-control infrastructure, making affected systems a potential foothold for further lateral movement or network compromise.
Damage/Probability: Critical/High
Indicators of Compromise (IoCs):
- Outbound HTTPS connections to known C2 hosts (e.g., api.qtss.cc:443).
- System processes bearing names that mimic legitimate daemons but running unexpected payloads.
- Persistent HTTP POST beaconing intervals (e.g., ~1 second).
- Unexpected shell sessions or files downloaded via /bin/sh commands from external servers (e.g., 45.76.155.14).
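The network indicators above (known C2 destinations and a near-constant ~1 second POST cadence) can be checked mechanically against egress or proxy logs. The following script is an added example, not part of this advisory or of any vendor tooling: it assumes a simple constructed log format of `<ISO timestamp> <source host> <method> <destination host>:<port>`, and only the two C2 destinations are taken from the IoC list.

```python
"""
Detection sketch for the ZnDoor network IoCs: contact with known C2
destinations and near-constant ~1 s HTTP POST beaconing. Added example,
not part of the advisory; the log format and sample lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Destinations taken from the advisory's IoC list
KNOWN_C2 = {"api.qtss.cc", "45.76.155.14"}

# Assumed (constructed) egress log format:
#   <ISO timestamp> <src host> <method> <dst host>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "method": m["method"],
        "dst": m["dst"],
        "port": int(m["port"]),
    }


def find_known_c2(events):
    """Return sorted (src, dst) pairs that contacted a destination on the IoC list."""
    return sorted({(e["src"], e["dst"]) for e in events if e["dst"] in KNOWN_C2})


def find_beacons(events, min_requests=5, expected_interval=1.0, max_jitter=0.25):
    """Flag (src, dst) pairs whose POSTs recur at a near-constant interval.

    A pair is reported when it has at least `min_requests` POSTs and the
    median gap between consecutive POSTs lies within `max_jitter` seconds
    of `expected_interval` (the ~1 s cadence noted in the advisory).
    Using the median rather than the mean keeps a single long pause from
    hiding an otherwise regular beacon.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        if abs(med - expected_interval) <= max_jitter:
            hits.append((src, dst, round(med, 2)))
    return sorted(hits)


# Constructed sample: web-01 beacons to the known C2 once per second;
# web-02 makes ordinary, irregular requests to an unrelated registry.
SAMPLE_LOG = """\
2025-12-05T10:00:00 web-01 POST api.qtss.cc:443
2025-12-05T10:00:01 web-01 POST api.qtss.cc:443
2025-12-05T10:00:02 web-01 POST api.qtss.cc:443
2025-12-05T10:00:03 web-01 POST api.qtss.cc:443
2025-12-05T10:00:04 web-01 POST api.qtss.cc:443
2025-12-05T10:00:05 web-01 POST api.qtss.cc:443
2025-12-05T10:00:00 web-02 GET registry.example.net:443
2025-12-05T10:00:07 web-02 POST registry.example.net:443
2025-12-05T10:00:31 web-02 POST registry.example.net:443
2025-12-05T10:01:12 web-02 POST registry.example.net:443
2025-12-05T10:02:40 web-02 POST registry.example.net:443
2025-12-05T10:03:02 web-02 POST registry.example.net:443
"""


def analyse(log_text):
    """Run both checks over a block of log text and return the findings."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {"known_c2": find_known_c2(events), "beacons": find_beacons(events)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

The beacon check is independent of the C2 list, so it still fires if the operators move to infrastructure not yet on the IoC list; tune `min_requests` and `max_jitter` to the traffic volume of the proxy being examined.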
Product(s):
- React Server Components (RSC) as shipped in React 19.x, and dependent frameworks such as Next.js 15.x/16.x, used in server-side web applications
- Network-facing web servers and API endpoints running vulnerable server components
- Linux and Unix-based systems that serve applications vulnerable to React2Shell
Version(s):
React Server Components releases affected by CVE-2025-55182 (RSC builds predating the patched releases) and Next.js releases that incorporate the same vulnerable deserialization logic.
Platform(s):
Cloud, enterprise, and web-application hosting platforms running vulnerable React/Next.js server components; any Linux-based infrastructure serving affected applications
Description:
The React2Shell vulnerability (CVE-2025-55182) is a critical weakness in React Server Components and some dependent frameworks (e.g., Next.js) that enables unauthenticated remote code execution through unsafe handling of user-controlled input in server deserialization logic. This flaw allows attackers to execute arbitrary commands on web servers hosting vulnerable applications.
Security researchers (e.g., NTT Security, Palo Alto Networks Unit 42) have observed active exploitation of React2Shell to deliver the ZnDoor malware. ZnDoor is deployed by a shell command, executed on the compromised host, that fetches the payload from a remote server; once launched, the payload immediately connects back to a command-and-control (C2) server over HTTPS. Once active, ZnDoor beacons every second, transmitting system attributes such as hostname, username, network configuration, and process identifiers to the attacker. Its command processing supports interactive shell access, file upload/download, directory listing, file removal, and SOCKS5 proxy initiation.
To evade detection, ZnDoor quietly disguises its process name to mimic legitimate system services and alters file timestamps to older dates, thwarting simple forensic analysis. It also respawns child processes to maintain execution if an initial instance fails or is terminated.
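Both evasion behaviours described above leave traces that a host-based check can pick up: a renamed process still has `/proc/<pid>/exe` pointing at the real binary, and a backdated file keeps a kernel-set ctime that user space cannot forge. The following script is an added example, not taken from the advisory or from any vendor; the process names, paths and timestamp values in it are constructed, and the directories it walks are an assumption about where a web-server implant would be dropped.

```python
"""
Host-side triage for the two ZnDoor evasion behaviours: a process whose
displayed name does not match the executable backing it, and a dropped
file whose modification time was set back to an older date.
Added example, not from the advisory; all sample values are constructed.
"""
import os
import sys


def process_masquerade(comm, exe_target, argv0):
    """Return reasons a process looks renamed, or [] if it looks consistent.

    comm       : contents of /proc/<pid>/comm (the name ps/top display)
    exe_target : os.readlink('/proc/<pid>/exe'), the binary actually executed
    argv0      : first NUL-separated field of /proc/<pid>/cmdline
    Renaming via prctl(PR_SET_NAME) or rewriting argv changes comm and
    cmdline, but the exe link keeps pointing at the file that was executed.
    """
    reasons = []
    deleted = exe_target.endswith(" (deleted)")
    exe_base = os.path.basename(exe_target[:-10] if deleted else exe_target)
    if deleted:
        reasons.append("backing executable was deleted while still running")
    # comm holds at most the first 15 chars of the exec'd name, so compare as a prefix
    if comm and not exe_base.startswith(comm[:15]):
        reasons.append(f"comm {comm!r} does not match exe {exe_base!r}")
    argv_base = os.path.basename(argv0)
    # symlinked interpreters (python3 -> python3.11) make one name a prefix of the other
    if argv_base and not (exe_base.startswith(argv_base) or argv_base.startswith(exe_base)):
        reasons.append(f"argv[0] {argv_base!r} does not match exe {exe_base!r}")
    return reasons


def timestamp_tampered(mtime_ns, ctime_ns, max_skew_s=60):
    """Return reasons a file's timestamps look backdated, or [].

    utimes()/touch -d can set atime and mtime freely, but ctime is stamped
    by the kernel whenever the inode changes and cannot be set from user
    space. An mtime far older than ctime on a file that only just appeared
    is the classic trace of timestomping; a whole-second mtime next to a
    sub-second ctime is a weaker second hint, since forged times are
    usually given in whole seconds.
    """
    reasons = []
    skew = (ctime_ns - mtime_ns) / 1e9
    if skew > max_skew_s:
        reasons.append(f"mtime predates ctime by {skew:.0f} s")
    if mtime_ns % 1_000_000_000 == 0 and ctime_ns % 1_000_000_000 != 0:
        reasons.append("whole-second mtime beside sub-second ctime")
    return reasons


def scan_live_host(drop_dirs=("/tmp", "/var/tmp", "/dev/shm")):
    """Run both checks on a Linux host (needs root to read other users' /proc entries).

    drop_dirs is an assumed list of writable locations a web-server implant
    would land in; package-managed paths are deliberately excluded because
    installed files routinely carry a build-time mtime and an install-time ctime.
    """
    findings = {"processes": {}, "files": {}}
    if not sys.platform.startswith("linux"):
        return findings
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # kernel threads and processes we are not allowed to inspect
        reasons = process_masquerade(comm, exe, argv0)
        if reasons:
            findings["processes"][int(pid)] = reasons
    for base in drop_dirs:
        for root, _, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.stat(path, follow_symlinks=False)
                except OSError:
                    continue
                reasons = timestamp_tampered(st.st_mtime_ns, st.st_ctime_ns)
                if reasons:
                    findings["files"][path] = reasons
    return findings


if __name__ == "__main__":
    for kind, hits in scan_live_host().items():
        for key, reasons in hits.items():
            print(kind, key, "; ".join(reasons))
```

Both checks are heuristics for triage rather than proof of compromise: an interpreter launched through a symlink, or a file that was chmod'ed long after it was written, will trip them, so findings should be confirmed against the network indicators before a host is declared compromised. An executable reported as deleted while still running is the strongest single signal here, since it matches the fetch-then-execute delivery described above.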
Threat Types:
- Exploitation of React2Shell (CVE-2025-55182), a critical unauthenticated (pre-auth) remote code execution flaw.
- Remote access trojan deployment (ZnDoor) with broad command capabilities.
- Network tunnelling and proxy abuse (SOCKS5 activation).
- Process disguise and forensic evasion techniques (spoofed process names, timestamp manipulation).
Impacts:
- Attackers can gain shell access to run commands, steal data, and alter files on compromised systems.
- ZnDoor enables proxying and tunnelling through infected hosts, aiding lateral movement and evasion.
- Persistent C2 beaconing ensures continuous attacker access and control.
- Masquerading and timestamp tampering hinder detection and forensic analysis.
- React2Shell exposes many internet-facing React-based applications to exploitation if unpatched.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Patch React Server Components and Next.js to remediate the React2Shell vulnerability.
- Use WAFs and reverse proxies to block malformed or exploit-triggering HTTP requests.
- Enforce least privilege on web servers and restrict shell command execution.
- Isolate compromised hosts, conduct forensics, and rebuild from trusted images.
- Rotate exposed credentials and cryptographic keys after containment.
- Enable enhanced web and network logging to detect exploitation attempts.
- Ensure developers use only patched React and related dependencies.
- Prepare for rapid isolation and malware hunting using EDR tools.
- Patch vulnerable systems and block known React2Shell exploit signatures.
- Deploy WAF rules and monitor for unusual HTTPS POST beaconing.
- Integrate dependency scanning into CI/CD and production workflows.
References: