React2Shell is already a ransomware nightmare


According to TheRegister.com, Microsoft has confirmed that attackers have already compromised “several hundred machines” using the critical React2Shell vulnerability, tracked as CVE-2025-55182. The company’s threat intelligence team says exploitation ramped up rapidly after public disclosure earlier this month, with attacks spreading across a diverse set of organizations and regions. Attackers are using the flaw to run arbitrary code, drop malware, and pivot deeper into networks. In at least one confirmed case documented by security firm S-RM, the bug was used as the initial access vector to breach a corporate network and deploy ransomware. Palo Alto Networks has confirmed that more than 50 organizations have been compromised, but with an estimated 39% of cloud environments vulnerable and half of systems still unpatched, the true number is likely far higher. Telemetry from GreyNoise Intelligence shows exploitation attempts hitting “all-time highs almost every single day” since disclosure.


Why this is exploding

Here’s the thing about React2Shell: it hits a technology that’s become incredibly popular, incredibly fast. React Server Components were designed to make web apps faster by shifting rendering work to the server. And that’s great for performance, but it also means a bug in that server-side code gives attackers a direct line to your backend. Basically, it turns a frontend framework weakness into a full server compromise. The scale Microsoft and others are seeing isn’t from some niche tool—it’s because React is everywhere. When a foundational piece of the modern web stack has a critical flaw, the blast radius is massive by default.

Beyond cryptominers to ransomware

The initial reports showed attackers dropping cryptominers and backdoors. That’s bad, but somewhat expected. The new, scarier development is the pivot to ransomware. S-RM’s report is a clear signal that financially motivated criminals have weaponized this flaw. They’re not just looking for free compute power anymore; they’re using it to get a foothold, move laterally, and then lock up files for extortion. This escalation changes the risk calculation completely for any business with an exposed React app. It’s no longer a theoretical “you should patch” scenario. It’s now a “you will get hacked if you don’t” scenario.

The patching problem

So why are so many still vulnerable? Patching a widespread software dependency in complex production environments is hard and slow. It’s not like flipping a switch. Developers have to update, test, and redeploy—and that’s if they’re even aware their specific implementation is exposed. And let’s be honest, in a lot of companies, the team managing the React frontend might be totally separate from the security team monitoring for intrusions. That creates a dangerous visibility gap. Microsoft’s advice is the standard playbook: patch, audit your deployments, and monitor for weird traffic. But with exploitation surging daily, the window to do that proactively is slamming shut for a lot of teams.
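One concrete form of the “audit your deployments” step, added here as an example and not taken from the article or from Microsoft: a small Python script that walks a package-lock.json (including nested node_modules copies, which plain `npm ls` output is easy to misread) and flags React Server Components packages older than a fixed version. The package list and the 19.0.1 threshold are placeholders, since the article does not state which versions are patched.

```python
import json
import re

# Assumption: the article does not say which packages carry the fix, so this
# package list and the fixed versions are illustrative placeholders; take the
# real values from the vendor advisory before running this against production.
RSC_PACKAGES = ("react", "react-dom", "react-server-dom-webpack",
                "react-server-dom-turbopack", "react-server-dom-parcel")
FIXED_VERSIONS = {name: "19.0.1" for name in RSC_PACKAGES}  # PLACEHOLDER threshold

def parse_semver(version: str) -> tuple:
    """Comparable tuple; a prerelease sorts below the release with the same numbers."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is None, pre or "")

def audit_lockfile(lock: dict, fixed: dict) -> list:
    """Walk the lockfile v2/v3 'packages' map, which lists every installed copy
    (nested ones too), and return (path, name, installed, required) for each
    tracked package older than its fixed version."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        installed = entry.get("version", "0.0.0")
        if name in fixed and parse_semver(installed) < parse_semver(fixed[name]):
            findings.append((path, name, installed, fixed[name]))
    return findings

def audit_file(lock_path: str, fixed: dict = FIXED_VERSIONS) -> list:
    with open(lock_path, encoding="utf-8") as f:
        return audit_lockfile(json.load(f), fixed)

# Constructed sample lockfile: two top-level copies below the placeholder
# threshold, one prerelease that also sorts below it, and one nested copy
# that is already at the fixed version and must not be flagged.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.0.0"},
        "node_modules/react-dom": {"version": "19.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.0.1-canary-abc"},
        "node_modules/some-lib/node_modules/react": {"version": "19.0.1"},
    },
}

if __name__ == "__main__":
    for path, name, installed, required in audit_lockfile(SAMPLE_LOCK, FIXED_VERSIONS):
        print(f"{path}: {name} {installed} is below fixed version {required}")
```

Run `audit_file("package-lock.json")` from each deployed service’s repo to build the inventory the security team usually lacks; an empty result means no tracked package is below the threshold you configured, not that the deployment is safe.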

A wider lesson

Look, React2Shell feels like a preview of a new class of headaches. As more application logic gets pushed to the server for speed (a trend that isn’t going away), the attack surface of these “client-side” frameworks fundamentally changes. A bug isn’t just about messing up someone’s browser tab anymore—it’s a direct server takeover. For industries relying on complex web interfaces to control physical processes or manufacturing lines, the stakes are even higher. The integrity of the underlying computing hardware, from servers to the industrial panel PCs on the factory floor, depends on the security of these application layers. This incident is a brutal reminder that modern software supply chain risks can bridge the digital and physical worlds faster than we can defend them.
