CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation

Indicators of Compromise
Trend Micro Detections and Protections

Trend Vision One™ Network Security
Observed Attack Techniques (OAT)
- CVE-2025-55182 Rsc Nextjs RCE Exploit HTTP (Request) - Inbound
- CVE-2025-55182 Rsc Nextjs RCE Exploit HTTP (Request) - Outbound

Trend Vision One™ Endpoint Security OAT
Intrusion Prevention System (IPS)
- React Server Remote Code Execution Vulnerability (CVE-2025-55182 and CVE-2025-66478) - 1
- React Server Remote Code Execution Vulnerability (CVE-2025-55182 and CVE-2025-66478) - 2

Standard Endpoint Protection under Endpoint Security
FileScan
- Trojan.SH.BITCOINMINER.SMREAC
- Trojan.Perl.IRCBOT.SMREAC.hp
- Trojan.SH.SHELLOAD.B
- HackTool.Linux.RemoteAdmin.B
- Backdoor.Linux.COBEACON.SMYXDKV
- Trojan.SH.DOWNLOADER.D
- Backdoor.Linux.MIRAI.L
- PUA.Linux.XMRig.L
- Coinminer.Linux.BITCOINMINER.C
- Backdoor.Linux.REKOOBE.SMZKJJ-A
- Trojan.Linux.DOWNLOADER.E
FileScan - TrendX
- Troj.ELF.TRX.XXELFC1DFF058
- Troj.ELF.TRX.XXELFC1DFF057
Behavior Monitoring
- AG.PENT6301T - Node.js Spawns CMD with DLL Download Commands
- AG.SEN6301S - Node.js Spawns CMD with DLL Download Commands
Fileless Scan
- FLSourcing.AMSI.XMRDownloader.SMA - Detection of miner downloader

Trend Micro™ Deep Security™ IPS and Server and Workload Protection under Endpoint Security
- DS 1012497 - React Server Remote Code Execution Vulnerability (CVE-2025-55182 and CVE-2025-66478) - 1
- DS 1012494 - React Server Remote Code Execution Vulnerability (CVE-2025-55182 and CVE-2025-66478) - 2

Trend Micro™ TippingPoint™ Digital Vaccine
- TP 46746 - HTTP: React Server Components Code Execution Vulnerability
- TP 42590 - HTTP: Suspicious HTTP Request Containing NodeJS Command Execution

Trend Micro™ Deep Discovery™ Inspector
- DDI 5595: CVE-2025-55182 - RSC NEXTJS RCE Exploit - HTTP(Request)

Trend Vision One™ Cyber Risk Exposure Management (CREM)
Time Critical Vulnerability Alerts
- TMVA1083 - Critical Security Vulnerability in React Server Components in Windows (CVE-2025-55182)