If you've been treating React2Shell as a December problem that everyone patched and moved on from, the last couple of months are a reminder that the internet doesn't work that way.

React2Shell (CVE-2025-55182) was publicly disclosed on December 3, 2025 as a critical remote code execution issue in React Server Components, rated CVSS 10.0. The headline risk was simple and scary: in many real deployments, a single web request could be enough to reach server-side code execution, sometimes without authentication.

And because React and Next.js sit underneath an enormous chunk of modern web apps, the "patch window" quickly turned into a "scan window" for attackers.

The Shift We're Seeing: From Noisy Opportunists to Patient Recon

Early after disclosure, incident responders saw the predictable first wave: automated, high-volume exploitation. That's the spray-and-pray phase where attackers fire requests at anything that answers, hoping to drop cryptominers or botnet payloads. The automation can even be sloppy (for example, throwing Linux payloads at Windows hosts), which is exactly the kind of chaos you'd expect when speed matters more than precision.

But the more interesting development now is what comes after the initial stampede: the "grown-up" phase.

Recent reporting describes a newly observed toolkit (unfortunately named "ILovePoop") being used to probe tens of millions of IPs globally for React2Shell exposure—less like random drive-by exploitation and more like systematic mapping. The targeting patterns flagged include high-value sectors such as government, defense, finance, and industrial environments, especially in the US.

That doesn't automatically mean a compromise happened. Scanning is not the same thing as breaking in. But it's a classic lead indicator: reconnaissance today can be exploitation weeks later, once an operator decides which doors are worth trying.

Why React2Shell Is So Attractive to "Big Game" Threat Actors

Severe, widely deployed RCE bugs are rare gifts for attackers. The pattern is consistent:

React2Shell fits that pattern perfectly. It's high-impact, broad, and (in the right conditions) low-friction to exploit.

There's also evidence that exploitation started quickly after disclosure, and that multiple state-linked groups have been tied to activity around it, which raises the stakes from "annoying crypto miner" to "potential foothold for espionage or ransomware."

Post-Exploitation Is Getting Smarter, Not Quieter

Even if your team patched the front door, it's worth paying attention to what attackers have been doing when they do get in.

Responders have documented payloads and tooling that look built for resilience and staying power: Linux backdoors, reverse proxy tunneling, botnet variants, and implants that support interactive control and lateral movement.

One example highlighted by Huntress: a malware family they call PeerBlight, which uses BitTorrent DHT as a fallback command-and-control channel—an approach designed to survive traditional takedowns that focus on domains and centralized infrastructure.

This is the part many orgs underestimate. React2Shell isn't only about "can someone pop a server." It's about what happens next: persistence, pivoting, and quietly turning a web compromise into broader access.

Why Patching React2Shell Can Be Weirdly Hard in the Real World

On paper, this looks easy: update React / React Server Components packages (and often Next.js) to patched versions.

In real environments, patching becomes a scavenger hunt. A few reasons show up again and again:

1. Dependency visibility gaps in Next.js deployments

Next.js can bundle (vendor) parts of React in a way that can confuse standard dependency scanners. The result is uncomfortable: some orgs may not realize an exposed Next.js app is vulnerable unless they specifically check for React Server Components exposure and affected versions.

2. Modern deployment sprawl

Even when your "main" production app is patched, you may still have:

Those systems often stay online because "nothing broke," which is exactly why they're dangerous.

3. Early noise and confusion

Right after disclosure, the ecosystem often fills with fake proof-of-concepts, broken exploits, and contradictory posts. That can slow response because teams struggle to separate signal from noise. Meanwhile, real operators quietly build reliable chains and keep scanning.

What Defenders Should Do Now (Even If You Patched in December)

If you're responsible for React/Next.js environments, the priority is to treat this as an ongoing exposure-management problem, not a one-time patch event.

The Bigger Takeaway

React2Shell is a good example of how "a few months old" is not old at all in vulnerability time.

Once a bug has a reliable exploit path, attackers don't lose interest—they get organized. The opportunists come first, then the specialists show up with better tradecraft, better targeting, and more patience. The current wave of massive scanning and high-value recon is exactly what you'd expect from that second chapter.