Concise Cyber

Chinese Hackers Exploit React2Shell Flaw to Target Financial and Gaming Firms

Security researchers at Akamai have identified active exploitation of a critical vulnerability in React Server Components, the server-side rendering layer of React 19 that frameworks such as Next.js build on. The attacks, attributed to China-based threat actors, have been observed targeting organizations in the financial services and online gaming sectors.

The vulnerability, tracked as CVE-2025-55182 and nicknamed React2Shell, allows unauthenticated remote code execution on servers that render React Server Components, letting attackers deploy web shells and take control of compromised systems.

Understanding the React2Shell Vulnerability

React2Shell is an unauthenticated remote code execution vulnerability in React Server Components (RSC), the server-side part of React 19 used by frameworks such as Next.js. The flaw lies in how the RSC server runtime (shipped in the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages) deserializes the Flight protocol payloads it receives from clients: a single crafted request to any RSC endpoint reachable from the internet is enough to run arbitrary code on the server, with no credentials required, which is why it carries a CVSS score of 10.0. The issue was publicly disclosed in December 2025 and fixed in React 19.0.1, 19.1.2 and 19.2.1; React 19.0.0 through 19.2.0 are affected, and frameworks that bundle the RSC runtime published their own patched releases. Because the weakness is in the framework runtime rather than in application code, any server exposing RSC endpoints on an unpatched version should be treated as exploitable regardless of what the application itself does.
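The practical first question is whether a given deployment still ships a vulnerable RSC runtime. The script below is an added example, not code from Akamai or from the React project: it walks a package-lock.json and reports every react-server-dom-* package below the first fixed release on its minor line (19.0.1, 19.1.2, 19.2.1). It goes slightly beyond the text by also catching nested copies installed under a dependency, since each copy is a separately loaded runtime. The lockfile fragment is constructed for the demonstration, and the treatment of canary builds (compared by base version only) is an assumption.

```python
import json
import re
from typing import Dict, List, Tuple

# The React Server Components (Flight) server runtime ships in these packages;
# CVE-2025-55182 was fixed in React 19.0.1, 19.1.2 and 19.2.1 and the
# matching react-server-dom-* releases.
RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}

# First patched patch-level on each affected 19.x minor line. Lines not listed
# here are treated as unaffected; extend the table from the advisory if needed.
FIXED_PATCH: Dict[Tuple[int, int], int] = {(19, 0): 1, (19, 1): 2, (19, 2): 1}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch). Pre-release suffixes such as '-canary-...'
    are dropped (an assumption), so canary builds are judged by base number only."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if a react-server-dom-* release is below the first fixed patch
    on its minor line."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def find_vulnerable_packages(lockfile: dict) -> List[Tuple[str, str]]:
    """Walk a package-lock.json (lockfileVersion 2 or 3) 'packages' map and
    return (name, version) for every RSC package still on a vulnerable release.
    Nested copies (node_modules/a/node_modules/react-server-dom-webpack) are
    included because each one is a separately installed runtime."""
    hits = []
    for path, entry in lockfile.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version")
        if name in RSC_PACKAGES and version and is_vulnerable(version):
            hits.append((name, version))
    return sorted(hits)


# Constructed lockfile fragment (not a real project): one patched and one
# unpatched RSC runtime, plus unrelated packages that must not be flagged.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/react": {"version": "19.2.1"},
    "node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
    "node_modules/legacy-widget/node_modules/react-server-dom-webpack": {"version": "19.1.1"},
    "node_modules/express": {"version": "4.21.2"}
  }
}
""")

if __name__ == "__main__":
    for name, version in find_vulnerable_packages(SAMPLE_LOCK):
        print(f"VULNERABLE {name}@{version}")
```

Run it against a real lockfile with `json.load(open("package-lock.json"))` in place of SAMPLE_LOCK. Note that `react` itself is deliberately not in the checked set: the fix lives in the react-server-dom-* runtime, so bumping only `react` leaves the server exposed.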

Exploitation Campaign and Attribution

According to a report from Akamai’s Security Intelligence Response Team (SIRT), the observed exploitation attempts use the vulnerability to deliver a web shell. The attacker sends a specially crafted HTTP request carrying a Base64-encoded payload; once decoded on the server, the payload writes a PHP file that functions as a web shell, giving the attackers the ability to execute commands remotely. Because the payload is Base64-encoded, signature matching on the raw request body will not see the shell code: detection has to decode candidate blobs, or watch for new files appearing in web-served directories.

Akamai has attributed these attacks to threat actors operating out of China. This attribution is based on the origin of the IP addresses used in the campaign and the observed tactics, techniques, and procedures (TTPs) of the attackers. The primary targets identified during this campaign were within the financial services and online gaming industries.

Source: https://www.securityweek.com/chinese-hackers-exploiting-react2shell-vulnerability/