Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims | CyberScoop<\/title> <meta name=\"description\" content=\"Researchers warn that half of the exposed vulnerable instances remain unpatched as in-the-wild exploitation grows rapidly.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/react2shell-attacks-surge-50-victims\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims\"> <meta property=\"og:description\" content=\"Researchers warn that half of the exposed vulnerable instances remain unpatched as in-the-wild exploitation grows rapidly.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/react2shell-attacks-surge-50-victims\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-12-10T23:41:16+00:00\"> <meta property=\"article:modified_time\" content=\"2025-12-10T23:41:19+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-2.jpg\"> <meta property=\"og:image:width\" content=\"2015\"> <meta property=\"og:image:height\" content=\"1488\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1764717474g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1764700876g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1763439630g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87123\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87123\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Freact2shell-attacks-surge-50-victims%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Freact2shell-attacks-surge-50-victims%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87123 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/react2shell-attacks-surge-50-victims\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.409200968523\">\n<div class=\"single-article__header-content\" readability=\"34.462311557789\">\n<p> Researchers warn that half of the exposed vulnerable instances remain unpatched as in-the-wild exploitation grows rapidly. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/87123\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"473\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims.jpg?resize=640%2C473&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-2.jpg 2015w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-2.jpg?resize=300,222 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-2.jpg?resize=768,567 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-2.jpg?resize=1024,756 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-2.jpg?resize=1536,1134 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-2.jpg?resize=600,443 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-2.jpg?resize=228,168 228w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-2.jpg?resize=456,337 456w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-2.jpg?resize=914,675 914w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-2.jpg?resize=1142,843 1142w\" sizes=\"(max-width: 914px) 100vw, 914px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"72.846153846154\"><body readability=\"150.60581818182\"><\/p>\n<p>Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit <a href=\"https:\/\/cyberscoop.com\/attackers-exploit-react-server-vulnerability\/\">React2Shell<\/a>, a critical vulnerability <a href=\"https:\/\/cyberscoop.com\/react-server-vulnerability-critical-severity-security-update\/\">disclosed last week<\/a> in React Server Components.<\/p>\n<p>Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday. The agency previously set a deadline of Dec. 26 when it added <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-55182\">CVE-2025-55182<\/a> to its <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/12\/05\/cisa-adds-one-known-exploited-vulnerability-catalog\">known exploited vulnerabilities catalog<\/a> last week.<\/p>\n<p>Palo Alto Networks Unit 42 said more than 50 organizations are impacted by attacks involving exploitation of the vulnerability with victims observed in the United States, Asia, South America and the Middle East. <\/p>\n<p>Evidence to back up widening concern about the defect is abundant, coming from many corners of the threat research community. Attackers of various types are flocking to the opportunity, including nation-state attackers, cybercriminals, botnets, and threat groups seeking to steal cryptocurrency and deploy cryptojacking malware.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Shadowserver scans concluded the scope of potential impact is much greater than previously thought. On Monday, the organization found <a href=\"https:\/\/dashboard.shadowserver.org\/statistics\/combined\/tree\/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-55182%2B&data_set=count&scale=log&auto_update=on\">more than 165,000 IPs and 644,000 domains<\/a> with vulnerable code placing those instances at risk of exploitation. Nearly two-thirds of those vulnerable instances are based in the United States.<\/p>\n<p>\u201cThis is a one click \u2014 game over \u2014 kind of vulnerability and corresponding exploit,\u201d Kelly Shortridge, chief product officer at Fastly, told CyberScoop. \u201cWe see it basically hitting everyone,\u201d she said, with attackers targeting any organization with valuable data, sensitive records or business-critical applications that can be stolen or knocked down for extortion efforts. <\/p>\n<p>\u201cSecurity teams are, surprisingly, not all taking this seriously. It\u2019s pretty uneven,\u201d and \u201csurprising to see that kind of dismissiveness from security teams,\u201d Shortridge said.<\/p>\n<p>Half of the public resources exposed to CVE-2025-55182 remain unpatched, and in-the-wild exploitation has expanded rapidly since early Tuesday, Alon Schindel, vice president of AI and threat research at Wiz, wrote in a <a href=\"https:\/\/www.linkedin.com\/posts\/activity-7404544875360108544---cY\/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAC2xvMBLPggh7Z3PC8i4V4yQ0JB56a2MlM\">LinkedIn post<\/a>. Wiz Research has observed more than 15 distinct intrusion clusters to date. <\/p>\n<p>Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, described this as a \u201cpatch-now situation\u201d as simultaneous exploitation is coming from across the entire threat landscape. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cOur telemetry shows a surge in attacks, from low-skill opportunistic abuse, like Mirai bot deployments and coin-miners, to nation-state actors adapting this into their attack stack. We\u2019re also seeing indicators linking this vulnerability exploitation to tooling previously used by ransomware groups,\u201d he added.<\/p>\n<p>Unit 42 on Tuesday said it uncovered activity that overlaps with previous attacks attributed to the North Korea threat group it tracks as <a href=\"https:\/\/unit42.paloaltonetworks.com\/cve-2025-55182-react-and-cve-2025-66478-next\/\">Contagious Interview<\/a>, which has deployed malware on the devices of people seeking jobs in the tech industry. <\/p>\n<p>Researchers at the incident response firm found evidence of compromise across many sectors, including financial services, business services, higher education, technology, government, management consulting, media and entertainment, legal services, telecom and retail.<\/p>\n<p>Attempted attacks are also coming from China state-backed threat groups, according to Amazon and Unit 42. Amazon said its threat intelligence teams observed active exploitation attempts by Earth Lamia and Jackpot Panda within hours of the vulnerability\u2019s public disclosure.<\/p>\n<p>Attackers are pursuing sweeping potential impact because the vulnerability affects multiple React frameworks and bundlers that depend on React Server Components, including Next.js, React Router, Waku, Parcel RSC plugin, Vite RSC plugin, RedwoodJS and possibly others. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>VulnCheck said it has observed <a href=\"https:\/\/www.vulncheck.com\/blog\/reacting-to-shells-react2shell-variants-ecosystem\">nearly 100 public proof-of-concepts<\/a> for the vulnerability, adding that most of the current variants target Next.js. <\/p>\n<p>GreyNoise said it has observed more than <a href=\"https:\/\/www.greynoise.io\/blog\/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far\">360 unique IP addresses<\/a> attempting to exploit the vulnerability, and roughly two-fifths of those malicious IPs contained active payload data revealing widespread attention from automated botnets to more capable attackers, the company said. <\/p>\n<p>The malware used in these attacks is broad, highlighting the myriad objectives and techniques afoot. Unit 42 said it has observed Snowlight, Vshell, NoodlerRat, XMRIG, BPFDoor, Autocolor, Mirai and Supershell malware. <\/p>\n<p>Some researchers are comparing the React defect to <a href=\"https:\/\/cyberscoop.com\/cisa-five-eyes-issue-guidance-meant-to-slow-log4shell-attacks\/\">Log4Shell<\/a>, an exploit in Apache Log4j\u2019s software library that drew widespread concern in 2021 that continues to bear a long-tail impact in the software supply chain. <\/p>\n<p>While React and Next.js aren\u2019t as widely deployed as Log4Shell, according to Shortridge, the potential impact is worse and the React vulnerability is easier to weaponize as well. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThe delivery factor is the command-and-control channel, which means once they\u2019re in, it\u2019s going to be really difficult to spot them, and they\u2019re probably going to be able to blend into your normal traffic, and they\u2019ll be able to do whatever they want,\u201d she said. <\/p>\n<p>\u201cYou\u2019re probably not going to know that it\u2019s happened to you,\u201d Shortridge said. \u201cWe are seeing some companies that didn\u2019t think they were vulnerable are surprised to discover that, in fact, they are.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"2.9300643086817\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/react2shell-attacks-surge-50-victims\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5644,1209,282,78,452,5645,4357,281,1766,168,715,46,3353,256,2880,288,183,3610],"tags":[5646,668,286,86,454,5647,4359,285,1771,169,720,54,3357,262,2882,294,207,3613],"class_list":["post-8196","post","type-post","status-publish","format-standard","hentry","category-amazon-threat-intelligence","category-cisa","category-cybercrime","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-fastly","category-greynoise","category-hacking","category-known-exploited-vulnerabilities-kev","category-malware","category-palo-alto-networks","category-ransomware","category-rapid7","category-research","category-shadowserver","category-threats","category-unit-42","category-wiz","tag-amazon-threat-intelligence","tag-cisa","tag-cybercrime","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-fastly","tag-greynoise","tag-hacking","tag-known-exploited-vulnerabilities-kev","tag-malware","tag-palo-alto-networks","tag-ransomware","tag-rapid7","tag-research","tag-shadowserver","tag-threats","tag-unit-42","tag-wiz"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/amazon-threat-intelligence\/\" rel=\"category tag\">Amazon Threat Intelligence<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cisa\/\" rel=\"category tag\">CISA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/fastly\/\" rel=\"category tag\">Fastly<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/greynoise\/\" rel=\"category tag\">greynoise<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/known-exploited-vulnerabilities-kev\/\" rel=\"category tag\">known exploited vulnerabilities (KEV)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/palo-alto-networks\/\" rel=\"category tag\">Palo Alto Networks<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/rapid7\/\" rel=\"category tag\">Rapid7<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/shadowserver\/\" rel=\"category tag\">Shadowserver<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unit-42\/\" rel=\"category tag\">Unit 42<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/wiz\/\" rel=\"category tag\">Wiz<\/a>","tag_info":"Wiz","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8196"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8196\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8196,"date":"2025-12-10T17:41:16","date_gmt":"2025-12-10T23:41:16","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87123"},"modified":"2025-12-10T17:41:16","modified_gmt":"2025-12-10T23:41:16","slug":"attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/12\/10\/attacks-pinned-to-critical-react2shell-defect-surge-surpass-50-confirmed-victims\/","title":{"rendered":"Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims"},"content":{"rendered":"