How React2Shell is evolving: Industries and regions targeted

Kelly Shortridge

Chief Product Officer, Fastly

React2Shell continues to affect enterprises globally. Here’s what we’re seeing and what steps enterprises should take, including identifying and patching vulnerable apps immediately.

Fastly continued to see a high, sustained volume of React2Shell activity over the weekend across our global network since our last update on Friday, December 5. To help our customers and the broader community navigate this precarious situation with confidence, we’re sharing additional intelligence based on the industry and geographic trends we currently see.

Again, at this time, the most important fix is to identify and upgrade your React or Next.js applications that are vulnerable to CVE-2025-55182. Fastly’s security product suite, including our NGWAF and Bot Management products, can help provide you breathing room to patch, but are not a replacement for patching. If Fastly can help you navigate the patching process, please reach out to CVE-Alert@fastly.com.

Why React2Shell matters for enterprises

React2Shell reflects an exceptional “patch now” scenario because it is both easy for attackers to scale and easy for attackers to achieve their goal outcome. As I’ve stated previously, organizations should determine whether to care about a vulnerability by evaluating:

  1. How easy is the attack to automate and scale?

  2. How many steps away is the attack from the attacker’s goal outcome?

In React2Shell’s case, attackers can now leverage one of the many public proofs of concept available to weaponize the vulnerability at scale – easily automating the probe and subsequent exploitation without much effort.

As a pre-authentication remote code execution vulnerability, React2Shell also gives attackers a “single step” means of gaining arbitrary control over a vulnerable application server. If your app server is vulnerable, attackers can exploit React2Shell and immediately achieve a kaleidoscope of calamity, from exfiltrating sensitive data and absconding with critical auth keys to modifying configuration files with self-serving logic or running costly cryptominers.

Simply put: this is an extraordinary vulnerability; attackers can trivially use React2Shell to disrupt revenue streams, breach customer data, and vandalize your OpEx efficiency. Given its ease of weaponization and potential business impact, enterprises should immediately prioritize patching.

Industries Targeted with React2Shell

Fastly continues to see a wide swath of industries targeted in React2Shell activity – both probes/scans as well as exploitation attempts. At this time, we believe no industry remains untouched; cybercriminals seem to be pursuing an “economics of scale” approach, experimenting with exploitation broadly to enact their nefarious schemes. For example, we see some attackers sprinkle SQL injection (SQLi) in the `next-action` header – throwing variegated attack payloads everywhere to see what sticks. 

Fastly has documented React2Shell activity impacting industries including, but not limited to, those listed in the following infographic.

We also see some correlation between the most targeted industries and those most likely to possess sensitive financial data – or otherwise lucrative, confidential data – within their applications. 

Organizations that serve as platforms are among the most targeted according to our data – and these platforms are often vertical specific. Our hypothesis is that attackers view platforms as an especially remunerative target, as arbitrary control over platforms’ application servers can facilitate:

  • Stealing keys that facilitate access into other organizations’ systems (since platforms serve, in many cases, tens of thousands of organizations)

  • Exfiltrating the platforms’ customer data (since application servers are the spigot through which customer data flows to and from the database)

  • Running cryptominers (like XMRig), as many platforms buy “beefier” servers given their scale

  • Modifying configuration files to allowlist attacker-controlled services and maintain access

  • And any other action that the attacker can monetize or otherwise use to complete their mission, given they now have complete control over the application server

To be clear, these actions equally apply to other industries and types of organizations, with varying degrees of n-order impact on the organization’s customers.

React2Shell Geographic Targets

Fastly also sees React2Shell activity across every sub-region our global network serves.

Different sub-regions seem to experience different probe and attack patterns; for example, some regions see WAF bypass attempts more frequently than others. Our hypothesis is that attackers may believe some sub-regions are less likely to maintain NGWAF or other proactive protections in front of their application servers, whereas, for example, it appears attackers assume most organizations based in the United States will have a WAF in place. 

We also see what appears to be the same attackers targeting multiple geographic regions. This reinforces our hypothesis that cybercriminals are leveraging React2Shell at scale, probing for any and all organizations who may have vulnerable application servers, regardless of their geolocation. 

At this time, it appears attackers do not attempt WAF bypasses at the same scale as more generic exploitation attempts; some sub-regions show bypass activity reflecting single digit percentages of all attack activity.

Our hypothesis is that attackers may want to preserve the ROI of their WAF bypasses, and thus only leverage those attempts when targeting specific organizations, to avoid tipping off defenders and thereby rendering the bypasses unviable. To wit, Fastly sees different JA4 signatures for attackers pursuing the high-scale “pan for gold” approach vs. attackers leveraging WAF bypasses.
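As an added example (not Fastly’s code or a detection rule from this post), the Python below applies two observations from this post to constructed web-log lines: it flags requests whose `next-action` header does not look like a server-action ID (which catches the “sprinkled SQLi” described in the Industries section) and groups the anomalies by JA4 fingerprint, since wide-spray and targeted actors show up under different fingerprints. The log format and the assumption that legitimate Next.js action IDs are 40- or 64-character lowercase hex digests are mine, not the post’s.

```python
import re
from collections import Counter
from typing import Dict, List

# Assumption (not from the post): legitimate Next.js server-action IDs carried in
# the Next-Action header are lowercase hex digests, 40 or 64 characters long.
ACTION_ID_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
# Crude SQL-metacharacter check, only to label the "sprinkled SQLi" the post mentions.
SQLI_HINT_RE = re.compile(r"(?:'|--|;|\bor\b|\bunion\b|\bselect\b)", re.IGNORECASE)

# Constructed sample log (not real traffic): tab-separated timestamp, client IP,
# JA4 fingerprint, method, path, Next-Action header value, response status.
SAMPLE_LOG = """\
2025-12-06T01:02:03Z\t203.0.113.10\tt13d1516h2_8daaf6152771_e5627efa2ab1\tPOST\t/\t7f9c2b5e3a1d4c8f0e6b2a9d5c3f1e8b7a6d4c2f\t200
2025-12-06T01:02:04Z\t203.0.113.10\tt13d1516h2_8daaf6152771_e5627efa2ab1\tPOST\t/login\t' OR 1=1--\t403
2025-12-06T01:02:05Z\t198.51.100.7\tt13d1516h2_8daaf6152771_e5627efa2ab1\tPOST\t/\tnot-a-real-action-id\t403
2025-12-06T01:02:06Z\t192.0.2.44\tt13d1517h2_5b57614c22b0_3d5424432f57\tPOST\t/checkout\t' UNION SELECT 1--\t403
2025-12-06T01:02:07Z\t192.0.2.99\tt13d1516h2_8daaf6152771_e5627efa2ab1\tPOST\t/\t1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef\t200
"""

FIELDS = ("ts", "ip", "ja4", "method", "path", "next_action", "status")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the tab-separated log into one dict per request."""
    return [dict(zip(FIELDS, line.split("\t"))) for line in text.splitlines() if line.strip()]


def classify_action_header(value: str) -> str:
    """Return 'ok' for a well-formed action ID, otherwise the kind of anomaly seen."""
    if ACTION_ID_RE.match(value):
        return "ok"
    return "sqli-like" if SQLI_HINT_RE.search(value) else "malformed"


def triage(text: str) -> Dict[str, object]:
    """Flag anomalous Next-Action values and count distinct source IPs per JA4.

    One fingerprint sending anomalous requests from many client IPs is the
    signature of the broad, automated "pan for gold" activity; a fingerprint
    seen from a single source against a specific path is worth a closer look.
    """
    rows = parse_log(text)
    flagged = [r for r in rows if classify_action_header(r["next_action"]) != "ok"]
    kinds = Counter(classify_action_header(r["next_action"]) for r in flagged)
    ips_per_ja4: Dict[str, set] = {}
    for r in flagged:
        ips_per_ja4.setdefault(r["ja4"], set()).add(r["ip"])
    return {
        "total": len(rows),
        "flagged": len(flagged),
        "kinds": dict(kinds),
        "sources_per_ja4": {k: len(v) for k, v in ips_per_ja4.items()},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On real traffic the same grouping keyed by JA4 plus client IP count is what separates a handful of targeted bypass attempts from the background spray, which is the distinction the post draws.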

Of course, Fastly is detecting these bypass attempts to generate this intelligence; we suspect our mitigation also drove the steep drop in bypass attempts we witnessed after attackers first tried to leverage them.

Conclusion

Our guidance remains consistent: identify and upgrade your React and Next.js applications as soon as possible, and apply proactive protections to preempt attack attempts. Fastly’s security product suite, including our NGWAF and Bot Management products, can help provide you breathing room to patch.

Fastly continues to see attackers evolve their probes, scans, and exploits as market dynamics fluctuate. Any organization with vulnerable apps – no matter the industry or region – should assume attackers are already probing them at a minimum, and likely trying to exploit them. After patching, make sure to stay tuned in for further updates, as these types of high-ROI attacks tend to spawn additional variants and inspire vulnerability researchers to hunt other exploitable bugs in similar areas.

As always, our goal, and all organizations’ goal, should be to raise the cost of attack to befoul the ROI of cybercriminals and nation states alike. Reach out to Fastly at CVE-Alert@fastly.com if we can help you navigate the process of patching or protecting your applications.