A critical vulnerability, React2Shell (CVE-2025-55182), has unleashed a global wave of automated cyberattacks, with botnets exploiting it to compromise smart home devices, servers, cameras, and routers using nothing more than a single crafted web request.

Bitdefender researchers observed over 150,000 exploit attempts per day following the disclosure of the flaw. React2Shell, impacting React Server Components, enables attackers to execute arbitrary privileged code on servers without authentication.
Thanks to its tiny payload, ease of automation, and deep integration across the Node.js ecosystem, botnet operators quickly absorbed the exploit. Attackers now scan global IP ranges and target any exposed device or service.
Significant malicious traffic originated from a Polish datacenter, with one IP alone responsible for 12,000 exploit events. Additional probing came from the US, France, the Netherlands, Ireland, Hong Kong, China, Singapore, and other regions.
Devices targeted in these attacks include:
smart plugs
smartphones
NAS systems
IP cameras and surveillance systems
routers
development boards
smart TVs and other consumer electronics
Researchers warn that hundreds of compromised Next.js devices have already been identified, while tens of thousands of servers remain vulnerable.
As of December 7, nearly 29,000 publicly exposed IPs were still running services vulnerable to React2Shell (down from 77,600 two days earlier). Chinese threat actors have already weaponized the exploit in ongoing campaigns.
Even Cloudflare suffered a major outage due to a faulty React security update addressing the vulnerability.
React2Shell has been described as a “worst case scenario” flaw in React Server Components — a mechanism with direct server access. It marks a new class of attacks targeting server-side AI-assisted frameworks that rely on automated rendering pipelines.
React2Shell highlights how quickly a widespread framework can become an attack vector for global botnets. The scale of exploitation shows the urgent need to patch systems, secure exposed ports, and enforce least-privilege principles. Until updated, any device or server may be absorbed into a botnet with minimal effort from attackers.