React2Shell to ransom in under a minute:


📅 December 17, 2025 | ⏱ 6 min read | 🔐 Category: Threat Intelligence

The gap between disclosure and damage keeps shrinking, and React2Shell (CVE-2025-55182) is the latest example. Within hours of its details becoming public, attackers began using it to break into internet-exposed React and Next.js servers. In one December 5 incident observed by S‑RM, a threat actor exploited the bug to gain initial access and, in less than a minute, disabled security controls and launched the Weaxor ransomware. By the time anyone noticed, files on the compromised Windows host were encrypted, renamed with the WEAX extension, and accompanied by ransom notes titled RECOVERY INFORMATION.

At the core of this wave is an insecure deserialization issue in the React Server Components "Flight" protocol. Crafted payloads let an adversary trigger JavaScript execution on the server without authentication, running with the privileges of the application process, which is often the same account that can spawn system tools, write across data paths, and reach the internet. Because RSC and Flight sit inside widely deployed frameworks, the attack surface is both broad and, in many environments, directly tied to business-critical services.

Adoption has been fast and varied. Nation-state groups folded React2Shell into cyberespionage operations to plant footholds and collect on high-value hosts. Crimeware operators moved just as quickly, using it to deploy new remote access malware like EtherRAT or to spin up cryptominers on neglected servers. Ransomware affiliates followed the money, chaining a single HTTP exploit to immediate post‑exploitation and encryption, with little interest in stealth or lateral movement when an exposed web server offers quick monetization.

The December 5 case shows how quickly the chain can unfold. Initial access came through a vulnerable RSC/Flight endpoint. Seconds later, an obfuscated PowerShell command executed and staged a Cobalt Strike beacon for command and control. Real-time protection in Microsoft Defender was then toggled off, and the Weaxor payload ran almost immediately after. The impact was tightly focused on the exposed host: files were encrypted and suffixed with WEAX, ransom notes appeared in affected directories, shadow copies were wiped to frustrate recovery, and event logs were cleared to hinder forensics. No lateral movement was observed in this environment. Tellingly, the same server was later compromised by other actors pushing different payloads, a sign of the intense scanning and competition around this vulnerability.

Weaxor itself is a study in opportunism. Emerging in late 2024 and widely assessed as a rebrand of Mallox/FARGO (also called TargetCompany), it targets public-facing servers with relatively simple tradecraft and modest ransom demands. There’s no leak site, and researchers have not found consistent signs of data theft before encryption. The business model is straightforward: hit one exposed system, encrypt fast, cash out, and move on.

For defenders, the lesson is that time-to-ransom can now be measured in seconds when server-side deserialization bugs hit popular stacks. Patching is essential, but it isn't a silver bullet. Systems that were compromised before updates will remain at risk until the breach is properly remediated, and the next bug could follow the same path unless the runtime is constrained. On Windows hosts that run React or Next.js via Node, the first tell is often process ancestry: node spawning cmd or powershell in close proximity to unusual RSC requests. PowerShell script block logs that show obfuscation or web downloads, abrupt changes to Defender configuration, and anti-recovery commands such as vssadmin or wmic shadowcopy deletions often appear within the same minute. The moment encryption starts, you'll see bulk file renames, CPU and disk I/O spikes, and the rapid creation of RECOVERY INFORMATION notes. Network telemetry can help stitch the story together by revealing rare outbound connections originating from the application process just after exploit traffic.
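The tells above, expressed as a correlation you can run over exported process-creation telemetry. This is an added example in PowerShell, not code from the original post or from S‑RM. Sysmon Event ID 1 (or Security 4688 with command-line auditing) supplies the fields; the sample records in the block are constructed, and every timestamp, process ID, path and the encoded command string is an assumption for illustration, not observed data.

```powershell
# Added example, not code from the original post or from S-RM. Anchors on node.exe
# launching a shell, then looks for the later stages of the chain (obfuscated PowerShell,
# Defender real-time protection off, shadow copies deleted, logs cleared) inside a
# short window. The $sample records are CONSTRUCTED: timestamps, process IDs, paths and
# the base64 blob are assumptions for illustration only.

function Find-NodeShellChains {
    [CmdletBinding()]
    param(
        # One object per process creation: Time (datetime), ProcessId, ParentImage, Image, CommandLine.
        [Parameter(Mandatory)] [object[]] $Events,
        # Keep correlating this long after node spawns a shell; the December 5 case fit in a minute.
        [int] $WindowSeconds = 60
    )

    # Stages of the chain described above, each keyed to a command-line pattern.
    $stages = [ordered]@{
        'obfuscated or downloading PowerShell' = '(?i)(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}|-w(indowstyle)?\s+hidden|invoke-expression|\biex\b|downloadstring|invoke-webrequest)'
        'Defender real-time protection off'    = '(?i)Set-MpPreference.*-DisableRealtimeMonitoring\s+(\$true|1)\b'
        'shadow copies deleted'                = '(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy.*Delete)'
        'event logs cleared'                   = '(?i)(wevtutil(\.exe)?\s+cl\b|Clear-EventLog)'
    }
    $shells = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
    $leaf   = { param($p) ($p -split '[\\/]')[-1] }   # file name from a Windows or POSIX path
    $sorted = $Events | Sort-Object Time

    foreach ($anchor in $sorted) {
        # First tell: the application runtime itself launching an interpreter.
        if ((& $leaf $anchor.ParentImage) -ne 'node.exe') { continue }
        if ($shells -notcontains (& $leaf $anchor.Image)) { continue }

        $deadline = $anchor.Time.AddSeconds($WindowSeconds)
        $hits = foreach ($e in $sorted) {
            if ($e.Time -lt $anchor.Time -or $e.Time -gt $deadline) { continue }
            foreach ($name in $stages.Keys) {
                if ($e.CommandLine -match $stages[$name]) {
                    [pscustomobject]@{
                        OffsetSec = [int](($e.Time - $anchor.Time).TotalSeconds)
                        Stage     = $name
                        ProcessId = $e.ProcessId
                        Command   = $e.CommandLine
                    }
                }
            }
        }
        $hits   = @($hits)
        $unique = @($hits.Stage | Select-Object -Unique)
        # Two or more distinct stages inside the window is the exploit-to-ransom shape. A lone
        # shell spawn needs a baseline first: npm scripts also go through cmd.exe on Windows.
        $verdict = if ($unique.Count -ge 2) { 'likely exploit-to-ransom chain' } else { 'node spawned a shell; check against baseline' }

        [pscustomobject]@{
            AnchorTime = $anchor.Time
            Parent     = $anchor.ParentImage
            Child      = $anchor.CommandLine
            Stages     = $unique
            Timeline   = $hits | Sort-Object OffsetSec
            Verdict    = $verdict
        }
    }
}

function New-ProcEvent($Time, $ProcId, $Parent, $Image, $CommandLine) {
    [pscustomobject]@{ Time = [datetime]$Time; ProcessId = $ProcId; ParentImage = $Parent; Image = $Image; CommandLine = $CommandLine }
}

# CONSTRUCTED sample in the shape of Sysmon Event ID 1; nothing here is observed data.
$node = 'C:\Program Files\nodejs\node.exe'
$cmd  = 'C:\Windows\System32\cmd.exe'
$ps   = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$blob = 'SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA'   # placeholder base64
$sample = @(
    New-ProcEvent '2025-12-05T09:58:10Z' 3120 $node $cmd 'cmd.exe /d /s /c "next build"'   # benign deploy-time npm script
    New-ProcEvent '2025-12-05T10:14:03Z' 4120 $node $cmd "cmd.exe /c powershell -nop -w hidden -enc $blob"
    New-ProcEvent '2025-12-05T10:14:04Z' 4136 $cmd  $ps  "powershell -nop -w hidden -enc $blob"
    New-ProcEvent '2025-12-05T10:14:09Z' 4150 $ps   $ps  'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'
    New-ProcEvent '2025-12-05T10:14:21Z' 4172 $ps   'C:\Windows\System32\vssadmin.exe'  'vssadmin.exe delete shadows /all /quiet'
    New-ProcEvent '2025-12-05T10:14:22Z' 4180 $ps   'C:\Windows\System32\wbem\WMIC.exe' 'wmic.exe shadowcopy delete'
    New-ProcEvent '2025-12-05T10:14:40Z' 4201 $cmd  'C:\Windows\System32\wevtutil.exe'  'wevtutil.exe cl Security'
)

Find-NodeShellChains -Events $sample | Format-List AnchorTime, Child, Stages, Verdict
```

On real data, map Sysmon's UtcTime, ProcessId, ParentImage, Image and CommandLine (from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}`) into the same five fields before calling the function. The benign first record is there on purpose: `next build` and other npm scripts go through cmd.exe on Windows, so a production service that never runs build steps at runtime is the right place to alert on any node-to-shell ancestry, while a host that does needs the later stages before it fires.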

Hardening should aim to prevent a single exploit from turning into full compromise. Apply updates that remediate CVE-2025-55182 across your React/Next.js stack, and where patching lags, consider gating or temporarily disabling RSC/Flight features or placing the app behind strong access controls and allowlists. Run the Node service under a least‑privileged account that cannot modify security settings or sensitive system paths. Use application control, such as Windows Defender Application Control or AppLocker, scoped to that service account so it cannot launch cmd, powershell, or untrusted binaries; these tools key on the user and the file rather than on the parent process, so the deny rules must target the account node runs under. Restrict outbound connectivity from application servers to the destinations your app truly needs, closing off easy command‑and‑control and tool staging. Turn on tamper protection for Microsoft Defender and alert on configuration changes so that attempted disabling is both blocked and visible. Improve visibility by enabling process creation logging and PowerShell script block logging and by centralizing web access logs and application telemetry so you can correlate specific requests with host activity. Finally, test your recovery posture: maintain offline or immutable backups, verify restores regularly, and restrict access to utilities that manage shadow copies.
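The host-side controls above as one PowerShell pass over a Windows server that runs Next.js under Node. This is an added example, not configuration from the original post or from Cyberix, and everything environment-specific in it is an assumption: node.exe under C:\Program Files\nodejs, a local service account named svc_nextjs, and 10.20.0.5:5432 (database), 10.20.0.9:443 (upstream API) and 10.20.0.2:53 (DNS) as the only destinations the app needs.

```powershell
# Added example, not from the original post. Assumed layout: node.exe in
# C:\Program Files\nodejs, the service running as local account svc_nextjs, and the
# three destinations below as the app's only dependencies. Run elevated. On a production
# host stage it first: EnforcementMode="AuditOnly" for AppLocker, and an audit of what
# the default-deny firewall blocks (it will also block update and telemetry traffic
# until you add rules for those destinations).

$NodeExe = 'C:\Program Files\nodejs\node.exe'
$SvcSid  = (Get-LocalUser -Name 'svc_nextjs').SID.Value   # the account the Node service runs as

# 1. Egress: default-deny outbound, then allow only the app's real dependencies.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'node.exe -> database' -Direction Outbound -Action Allow `
    -Program $NodeExe -Protocol TCP -RemoteAddress 10.20.0.5 -RemotePort 5432
New-NetFirewallRule -DisplayName 'node.exe -> upstream API' -Direction Outbound -Action Allow `
    -Program $NodeExe -Protocol TCP -RemoteAddress 10.20.0.9 -RemotePort 443
New-NetFirewallRule -DisplayName 'host -> DNS' -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress 10.20.0.2 -RemotePort 53

# 2. Application control. AppLocker keys on the user and the file, not the parent process,
#    so the shells and anti-recovery tools are denied to the service account specifically.
#    The three Allow rules are the standard defaults; an Enabled collection with only Deny
#    rules would block everything else on the box.
$denied = '%SYSTEM32%\cmd.exe',
          '%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe',
          '%PROGRAMFILES%\PowerShell\7\pwsh.exe',
          '%SYSTEM32%\vssadmin.exe',
          '%SYSTEM32%\wbem\WMIC.exe',
          '%SYSTEM32%\wevtutil.exe'
$denyRules = foreach ($p in $denied) {
@"
    <FilePathRule Id="$(New-Guid)" Name="Deny $p to svc_nextjs" Description="" UserOrGroupSid="$SvcSid" Action="Deny">
      <Conditions><FilePathCondition Path="$p" /></Conditions>
    </FilePathRule>
"@
}
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'node-applocker.xml'
Set-Content -Path $policyPath -Value $policy -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto      # Application Identity service must run for AppLocker to enforce
Start-Service -Name AppIDSvc

# 3. Visibility: process creation with command lines (Security 4688) and script block logging.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $audit -Force | Out-Null
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 4. Defender: real-time protection on, and confirm tamper protection. Tamper protection is
#    switched on from Windows Security or Intune rather than by a cmdlet; this only reads it.
#    Changes to these settings land in Microsoft-Windows-Windows Defender/Operational
#    (5001 real-time protection disabled, 5004/5007 configuration changed), so forward that log.
Set-MpPreference -DisableRealtimeMonitoring $false
(Get-MpComputerStatus).IsTamperProtected
```

The AppLocker section is the part that stops the chain in the December 5 case: with those deny rules in place for svc_nextjs, the cmd and powershell launches from node fail before the beacon is staged, and vssadmin, wmic and wevtutil are unavailable to the same account. Administrators keep full access through the S-1-5-32-544 allow rule, which is also why the service must not run as an administrator for any of this to matter.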

If you suspect a hit, isolate the host immediately and preserve evidence before rebuilding. Memory capture, EDR timelines, key Windows event channels, web access logs, application logs, and the USN journal can all help confirm initial access, establish the timeline, and identify any secondary payloads. Patch the vulnerable pathway, rotate secrets and credentials stored on or accessible from the server, including environment variables, config files, API keys and service accounts, and rebuild from a trusted image rather than attempting in‑place cleanup. Even if you haven't seen lateral movement, expand scoping to adjacent systems and identities to catch failed attempts or credential harvesting.

The broader takeaway is that modern web infrastructure puts powerful runtimes at the edge, and when an attacker can feed those runtimes untrusted input, compromise can be nearly instantaneous. Defense in depth is what buys you time. If node can’t spawn interpreters, if the host can’t talk freely to the internet, and if tamper protection and logging are in place, a single HTTP exploit shouldn’t end with a ransom note a minute later.

Written by: Logan Elliott
Cyberix
https://www.cyberixsafe.com

Nisar Nikzad

Nisar is a Federal Contracting Expert and Cybersecurity Professional with nearly two decades of experience in Government procurement and Compliance. He is the founder and CEO of Cyberix, where he helps organizations navigate Federal acquisition requirements and cybersecurity challenges through practical, strategic solutions.