For GreyNoise Customers: A comprehensive IOC package with extended infrastructure, network fingerprints, and connected domains was sent directly to customers via email.

Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly. GreyNoise telemetry from the past seven days shows that two IP addresses, out of 1,083 unique sources, now account for 56% of all observed exploitation attempts.

The dominant sources deploy distinct post-exploitation payloads: one retrieves cryptomining binaries from staging servers, while the other opens reverse shells directly to the scanner IP. Whether this represents two separate actors or compartmentalized infrastructure from a single actor remains unclear, but the behavioral distinction is notable.

Why This Matters

CVE-2025-55182 is a CVSS 10.0 pre-authentication remote code execution vulnerability with a public Metasploit module. Exploitation requires only a single HTTP POST request. The payloads GreyNoise observed on its sensors are not reconnaissance scans but active exploitation attempts deploying cryptominers and reverse shells. Organizations running unpatched React Server Components should assume they have been targeted.

Key Findings

  • Two IPs generated 56% of exploitation traffic over the past seven days (January 26 to February 2, 2026)
  • 193.142.147[.]209 accounted for 488,342 sessions (34%)
  • 87.121.84[.]24 accounted for 311,484 sessions (22%)
  • 1,083 unique source IPs observed during this period
  • Post-exploitation payloads include XMRig cryptominers and reverse shells on port 12323

Exploitation Activity

GreyNoise sensors recorded 1,419,718 exploitation attempts targeting CVE-2025-55182 over the seven-day observation period. The following table summarizes the dominant sources:

Source IP          Sessions   Share   Post-Exploitation
-----------------  ---------  ------  ---------------------------
193.142.147[.]209  488,342    34%     Reverse shell (port 12323)
87.121.84[.]24     311,484    22%     XMRig cryptominer

The remaining 44% of traffic was distributed across 1,081 other source IPs.

Post-Exploitation Behavior

The two dominant sources exhibit different post-exploitation patterns, suggesting different operational objectives.

Cryptomining operation (87.121.84[.]24): Successful exploitation triggers retrieval of an XMRig binary from staging servers at 205.185.127[.]97 and 176.65.132[.]224. GreyNoise captured both the dropper script and ELF binary on vulnerable honeypots. Both staging servers serve identical payloads.

Reverse shell operation (193.142.147[.]209): Successful exploitation opens a reverse shell directly to the scanner IP on port 12323 without using a staging server. This approach suggests interest in interactive access rather than automated resource extraction.

JA4H fingerprint analysis confirms different HTTP client implementations between the two sources. Full fingerprint data is available to GreyNoise customers.

Infrastructure Analysis

Pivoting on the cryptomining staging server revealed infrastructure with extended history. The primary staging server (205.185.127[.]97) has hosted attacker-controlled domains since at least 2020 according to SSL certificate records:

  • September 2020: mased[.]top subdomains
  • November 2021: mercarios[.]buzz
  • January 2022: bt2.radiology[.]link

WHOIS records show shared registrant information across these domains, with registration dates extending back to 2018.

Adjacent IP addresses in the same /24 as the scanner (87.121.84[.]25 and 87.121.84[.]45) are currently serving Mirai and Gafgyt variants targeting MIPS and ARM architectures, along with exploit scripts for consumer routers and DVRs.

Vulnerability Background

CVE-2025-55182 was disclosed on December 3, 2025 and affects React Server Components. The vulnerability carries a CVSS score of 10.0. The flaw exists in how serialized data is processed, allowing an attacker to send a malicious POST request that the server deserializes and executes without authentication or user interaction.

A Metasploit module was published shortly after disclosure, contributing to rapid exploitation uptake. GreyNoise first observed exploitation attempts on December 5, 2025.

Affected versions: React 19.0.0, 19.1.0 through 19.1.1, 19.2.0

Patched versions: React 19.0.1, 19.1.2, 19.2.1

Targeting Patterns

Port distribution indicates focus on development infrastructure:

Port   Sessions   Common Use
-----  ---------  ---------------------------------
443    417,546    HTTPS
80     357,018    HTTP
3000   282,803    Default React development server
3001   99,248     Alternative development port
3002   66,771     Alternative development port
8080   47,018     Development and proxy servers

React development servers configured with --host 0.0.0.0 for network accessibility are particularly exposed when internet-facing.

Recommendations

Patch immediately. Upgrade to React 19.0.1, 19.1.2, or 19.2.1. If immediate patching is not possible, disable React Server Components.

Block known infrastructure. Add the following IPs to blocklists:

  • 193.142.147[.]209
  • 87.121.84[.]24
  • 205.185.127[.]97
  • 176.65.132[.]224

Hunt for historical connections. Review network logs for connections to these IPs since early December 2025.

Audit development infrastructure. Verify that React development servers are not exposed to the internet. The --host 0.0.0.0 flag should only be used on isolated networks.

Monitor for indicators. Watch for POST requests containing unusual Next-Action headers in web server logs.
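As an added example (not GreyNoise's code and not part of the original report), the following script implements the two log-based recommendations above: it flags POST requests whose Next-Action header looks unusual and matches outbound connection records against the four IPs listed above. It assumes an nginx log_format that appends the Next-Action request header via $http_next_action (the stock combined format does not log request headers), assumes that legitimate server-action IDs in the monitored deployment are hex digests, and assumes a simple timestamp,src,dst,dport CSV for connection records; the log lines embedded below are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators from the report above, un-defanged for matching.
SCANNER_IPS = {"193.142.147.209", "87.121.84.24"}
STAGING_IPS = {"205.185.127.97", "176.65.132.224"}
REVERSE_SHELL_PORT = 12323

# Assumed nginx log_format (an assumption, not from the report): the combined
# format trimmed to the fields used here, with the Next-Action request header
# appended in quotes via $http_next_action so it shows up in the access log:
#   log_format rsc '$remote_addr - - [$time_local] "$request" $status $body_bytes_sent "$http_next_action"';
WEB_LOG_RE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<next_action>[^"]*)"$'
)

# Assumed baseline (not from the report): legitimate server-action IDs in the
# monitored deployment are lowercase hex digests. Anything else is "unusual".
HEX_ACTION_ID = re.compile(r"^[0-9a-f]+$")


@dataclass
class Finding:
    src: str
    reason: str
    record: str


def analyze_web_line(line: str) -> List[Finding]:
    """Apply the report's two web-log checks to a single access-log line."""
    m = WEB_LOG_RE.match(line.strip())
    if not m:
        return []  # lines in another format are skipped, not guessed at
    findings = []
    src = m["src"]
    if src in SCANNER_IPS:
        findings.append(Finding(src, "source is a known CVE-2025-55182 scanner IP", line))
    action = m["next_action"]
    # nginx writes "-" when the header is absent
    if m["method"] == "POST" and action not in ("", "-") and not HEX_ACTION_ID.match(action):
        findings.append(Finding(src, f"POST with unusual Next-Action header: {action!r}", line))
    return findings


def analyze_web_log(text: str) -> List[Finding]:
    return [f for line in text.splitlines() if line.strip() for f in analyze_web_line(line)]


def hunt_connections(text: str) -> List[Finding]:
    """Match outbound connection records (assumed CSV: timestamp,src,dst,dport)
    against the staging servers and the reverse-shell listener from the report."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport = [p.strip() for p in line.split(",")]
        if dst in STAGING_IPS:
            findings.append(Finding(src, f"connection to XMRig staging server {dst}", line))
        if dst in SCANNER_IPS and int(dport) == REVERSE_SHELL_PORT:
            findings.append(Finding(src, f"reverse-shell pattern: {dst}:{dport}", line))
        elif dst in SCANNER_IPS:
            findings.append(Finding(src, f"connection to known scanner IP {dst}", line))
    return findings


# Constructed sample data: a benign GET, a benign server action, a malformed
# action value, and a request from one of the report's scanner IPs.
SAMPLE_WEB_LOG = """\
203.0.113.10 - - [27/Jan/2026:10:15:01 +0000] "GET /about HTTP/1.1" 200 5123 "-"
203.0.113.11 - - [27/Jan/2026:10:15:07 +0000] "POST / HTTP/1.1" 200 812 "7f3a9c0b1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f60"
203.0.113.12 - - [27/Jan/2026:10:16:44 +0000] "POST /api/x HTTP/1.1" 500 0 "not-a-real-action-id!"
193.142.147.209 - - [27/Jan/2026:10:17:02 +0000] "POST / HTTP/1.1" 500 0 "x"
"""

# Constructed sample connection records: a payload fetch from a staging server,
# a callback to the scanner's reverse-shell port, and an unrelated connection.
SAMPLE_CONN_LOG = """\
2026-01-27T10:17:05Z,10.0.0.5,205.185.127.97,80
2026-01-27T10:17:09Z,10.0.0.5,193.142.147.209,12323
2026-01-27T10:18:00Z,10.0.0.6,198.51.100.7,443
"""

if __name__ == "__main__":
    for f in analyze_web_log(SAMPLE_WEB_LOG) + hunt_connections(SAMPLE_CONN_LOG):
        print(f"[{f.src}] {f.reason}\n    {f.record}")
```

A legitimate Next.js deployment sends Next-Action on every server-action call, so the header's presence alone is not a signal; the value check and the source-IP match are what separate triage candidates from normal traffic, and the hex baseline should be adjusted to whatever action IDs look like in your own build before relying on it.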

Additional IOCs including network fingerprints and HTTP signatures are available to GreyNoise customers.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.