react disclosure compromised homes

When a critical remote code execution vulnerability in React Server Components surfaced on December 3, 2025, the subsequent exploitation wave targeted not only enterprise infrastructure but also the web-facing systems that serve as entry points to residential smart home networks. React2Shell, designated CVE-2025-55182, enables unauthenticated remote code execution against servers running React Server Components and frameworks such as Next.js, with over 77,000 internet-exposed IPs running vulnerable services potentially reachable from smart home environments.

The exploitation timeline compressed dramatically following disclosure. A working public proof-of-concept exploit emerged on December 4, 2025, enabling trivial remote command execution on unpatched servers through a single malicious HTTP request that exploits unsafe deserialization in the React Flight protocol. Within hours of the PoC release, large-scale automated scanning and exploitation attempts surged, hitting internet-exposed services tied to smart home environments and prompting CISA to add the vulnerability to its Known Exploited Vulnerabilities catalog on December 5, 2025. Bitdefender subsequently reported more than 150,000 exploit attempts per day, indicating broad automated scanning for any reachable devices, including home infrastructure.

Within hours of public exploit code release, automated attacks surged to 150,000 attempts daily against internet-exposed systems and home networks.

Compromised web-facing systems are being used as pivots to scan for and attack connected devices inside smart home environments, with attack traffic originating from diverse global infrastructure, including large datacenters and known botnet nodes. Home routers, which serve as gateways to internal smart home devices, are frequently reached by attack traffic associated with React2Shell scanning, while surveillance cameras and NVR systems are regularly hit in broad IoT scans run from compromised infrastructure. Security experts note that Wyze cameras are particularly vulnerable to these attacks due to multiple firmware vulnerabilities that have been documented in previous security research.

Smart plugs, simple IoT appliances, smart TVs, and entertainment devices constitute common targets for follow-on malware deployment due to weak security and high availability, though numerous targets in telemetry remain unidentified device types, consistent with automated scans against any responsive IP and service. Attack sources attempting React2Shell exploitation also probe for older camera and router vulnerabilities, indicating the use of multi-exploit scanning tools.

Post-exploitation actions include reconnaissance commands to profile compromised hosts and connected networks, alongside attempts to steal cloud and AWS configuration and credential files, potentially exposing smart home cloud backends and associated user accounts. By late December 2025, Palo Alto Networks’ Unit 42 confirmed breaches at 30+ organizations, creating new footholds for lateral movement into associated home and small-office networks. Security researchers warned that ransomware deployment represents a likely downstream objective as threat actors consolidate access to compromised systems.
