
Analysis of Persistent React2Shell Reconnaissance and Mitigation Strategies

New telemetry indicates that sophisticated reconnaissance toolkits are actively scanning for the React2Shell vulnerability (CVE-2025-55182). This analysis covers the evolving tradecraft, specific targeting of critical sectors, and the technical visibility challenges that complicate remediation in Next.js environments.

Triage Security Media Team

Recent telemetry indicates that the threat landscape surrounding the "React2Shell" vulnerability (CVE-2025-55182) remains active and is evolving in complexity. While the vulnerability was disclosed several months ago, data suggests that unauthorized groups are establishing infrastructure for long-term access. A specific, mature toolkit, identified in analysis as "ILovePoop", is being used to probe tens of millions of Internet Protocol (IP) addresses globally.

Research from WhoisXML API indicates that this reconnaissance is highly targeted. The activity focuses on critical sectors including government, defense, finance, and industrial organizations, with a significant concentration of targets in the United States.

Evolution of Exploitation Tradecraft

The methodology used to identify and exploit React2Shell has shifted since the vulnerability’s disclosure. Anna Pham, a senior hunt and response analyst at Huntress, notes that the activity has developed in distinct layers.

"The initial wave was dominated by opportunistic, largely automated exploitation," Pham says. Early activity primarily involved "spray-and-pray" campaigns attempting to deploy cryptominers and botnet software. Huntress analysts observed Linux-specific binaries being deployed against Windows endpoints, indicating that early automation scripts lacked operating system differentiation.

However, the current phase of activity demonstrates increased precision. "The post-exploitation tradecraft has gotten more sophisticated over time," Pham observes. Security researchers have identified advanced persistence techniques, such as the PeerBlight botnet utilizing the BitTorrent Distributed Hash Table (DHT) for command and control (C2). This technique is designed to maintain resilience against traditional domain takedown efforts.

Despite the time elapsed since disclosure, the exposure surface remains significant. Tens of thousands of instances remain vulnerable, and React2Shell has been integrated into the toolsets of additional botnets and ransomware operations.

High-Value Targeting Profile

React2Shell (CVE-2025-55182) is a remote code execution (RCE) vulnerability in React Server Components, first disclosed on December 3, 2025. The flaw holds a CVSS score of 10.0 due to its severity: it allows unauthorized parties to gain full control of vulnerable web servers via a single web request, often without authentication.

The scale and nature of the vulnerability have attracted sophisticated actors. Following the initial disclosure, state-sponsored groups linked to China were observed exploiting the flaw in cloud and enterprise environments, followed by actors associated with Iran and North Korea.

Current analysis by WhoisXML API suggests that the group utilizing the "ILovePoop" toolkit may also be conducting state-sponsored espionage. The toolkit exhibits a high degree of complexity, and researchers hypothesize a distinction between the toolkit's developers and the operators deploying it.

The targeting profile supports this assessment. Network probes have been detected against more than 37,000 networks, including:

  • Government and Defense: NASA facilities, the Defense Information Systems Agency (DISA), and the Department of Defense Intelligence Information System.

  • State and Local Government: Systems belonging to the states of Vermont and North Carolina, and city governments in Phoenix, Boston, and San Diego.

  • Financial Services: Major institutions such as JPMorgan Chase, Goldman Sachs, the Bank of New York Mellon, and Santander US Capital Markets.

  • Corporate and Industrial: Major entities including Salesforce, Netflix, Visa, PayPal, Disney, and various energy sector utilities.

While network scanning does not constitute a compromise, it often serves as a precursor to intrusion. Telemetry data indicates a latency period; IP addresses associated with active React2Shell exploitation often appeared in reconnaissance logs approximately 45 days prior to the execution of exploits.

Addressing Visibility and Patching Challenges

Remediating React2Shell requires more than a standard update process due to the architecture of the affected frameworks.

A significant challenge involves dependency visibility within Next.js, a widely used React framework. "Next.js doesn't include React as a traditional dependency; it bundles it as a 'vendored' package," Pham explains. Consequently, standard software composition analysis (SCA) tools may not flag a Next.js installation as vulnerable to CVE-2025-55182. Security teams must actively verify the version of Next.js in use, rather than relying solely on automated dependency alerts.

Modern infrastructure complexity further complicates mitigation. Applications frequently run in containerized environments, shadow IT deployments, or legacy pipelines. "Internal tools... and legacy applications built on Next.js that nobody is actively maintaining but are still exposed to the internet all contribute to the long tail of unpatched systems," says Pham. Because React2Shell affects default configurations, even unconfigured or "blank" applications are at risk.

Compounding the issue, the initial disclosure period was marked by the circulation of non-functional proof-of-concept exploits. This may have led some teams to underestimate the reliability of the vulnerability. In practice, the genuine exploit is highly reliable and requires no authentication. React also issued follow-up updates to address additional findings shortly after the primary disclosure.

"This vulnerability has become a staple in multiple threat actors' playbooks, and I don't see exploitation slowing down anytime soon," Pham concludes. Organizations are advised to audit all Next.js and React Server Component instances, including test and staging environments, and to apply the latest patches immediately.