React2Shell: new critical vulnerability exploited against Russian companies
The critical vulnerability CVE‑2025‑55182 (CVSS 10.0) was first described on December 4, 2025. Notably, within just one week of its public disclosure, threat actors launched attacks leveraging this flaw. They targeted three Russian organizations: an insurance provider, a retail chain specializing in automotive parts, and an IT firm engaged in software development for various sectors, including government. The BI.ZONE TDR team repelled all three attack attempts. The average time to respond was 13 minutes.
All the attacks were conducted to deploy XMRig. This open‑source software is primarily used to mine Monero (XMR). It uses the computational resources of the compromised system.
In one of the cases, the attackers also attempted to deploy the Kaiji and RustoBot botnets alongside the miner. Both botnets are designed to conduct DDoS attacks and proxy malicious traffic through infected systems. While Kaiji primarily compromises Linux servers and Internet of Things (IoT) devices, RustoBot specifically targets TOTOLINK network routers.
React2Shell is a vulnerability in the Flight protocol, which facilitates client‑server communication for React Server Components. The vulnerability stems from insecure deserialization: the server accepts client data without proper verification. Under certain conditions, this can enable an attacker to execute arbitrary code on the server.