When Appcrunk engineers began investigating a sudden production outage earlier this month, we did not expect to uncover a full-scale server breach, a botnet installation, and a multi-vector persistence attack leveraging the newly disclosed React Server Components Remote Code Execution vulnerability — CVE-2025-55182 (React2Shell) and its Next.js–specific exploit CVE-2025-66478.

This article serves as a complete technical walkthrough of:

How the compromise occurred

Indicators of compromise

Step-by-step remediation

Security controls implemented

What every React/Next.js engineering team should do immediately

We are sharing this publicly so that other organisations can detect, prevent, and patch similar attacks, especially given the speed at which this exploit is being weaponised globally.

1. Initial Symptom — A Sudden Production Outage

Our production application went offline unexpectedly.
Running PM2 list showed:

829+ restarts
EADDRINUSE: address already in use :::3000

Port 3000 was being hijacked.

A quick port inspection:

lsof -i :3000 netstat -tlnp | grep 3000

revealed a rogue Next.js server process not launched by PM2.
After terminating it, the service recovered—temporarily. The anomaly was suspicious enough to trigger a deeper forensic investigation.

2. Discovery of High-CPU Crypto Mining Activity

High CPU utilisation (180–360%) was observed on htop.
Running:

ps aux --sort=-%cpu | head -20

revealed a malware process masquerading under randomised names—ours was:

iOzMvcov — consuming ~192% CPU

This is a known indicator of the RondoDox botnet cryptominer, a variant linked to automated exploitation of the recent React vulnerabilities.

Suspicious process hunting:

ps aux | grep -E "python|perl|base64|/dev/tcp"

confirmed multiple injected payloads and shell loaders.

3. Persistence Mechanisms Detected

The attacker had installed multiple systemd services, disguising them as OS or web services:

lived.service – miner launcher

networkerd.service – reinfection engine

nginxd.service – fake nginx (actually malware binary)

system-updater-service.service – downloader + persistence

We also discovered cron jobs, malicious binaries in /dev, /tmp, /usr/bin, and infection markers such as:

.pwned files

C2 scripts named health.sh, stink.sh

Hidden miner configs in /dev/shm/

This was no lightweight exploit—this was a full botnet installation with multi-layer persistence.

4. Root Cause Analysis — CVE-2025-55182 & CVE-2025-66478

The attack came from a 0-day–level vulnerability disclosed only days earlier.

On December 3, 2025, researchers published CVE-2025-55182—a critical 10.0 CVSS RCE vulnerability in React Server Components (RSC).

On December 4, an exploit was published publicly.

Our timeline:

Our vulnerable packages:

React 19.1.0

Next.js 15.4.6

Both were confirmed exploitable.

The critical mistake: a development tool exposed on port 3001

A dev-only endpoint was unintentionally accessible from the public internet.
No firewall rule restricted access.

This single entry point granted attackers the ability to perform RCE (Remote Code Execution) through crafted Server Component payloads.

5. Malware Behaviour — What the RondoDox Botnet Did

1. Installed and executed an XMRig-based Monero cryptominer

Consumed nearly all CPU cores

Connected to mining pools across EU, RU, and Asia

Implemented process hiding using bind mounts over /proc

2. Deployed full persistence

systemd services

cron jobs for reinfection

init.d scripts

shadow binaries in /usr/bin/

3. Disabled security tools

Attackers removed or replaced:

curl wget iptables

to slow down remediation.

4. Credential Exposure (High Probability)

Due to standard attack patterns with this exploit, .env files and API keys were likely exfiltrated.

This forced us into a full credential rotation process.

6. Remediation: How We Cleaned and Secured the Server

Below is the exact IR (Incident Response) workflow Appcrunk followed.

Step 1: Kill All Malicious Processes

Step 2: Remove All Malicious systemd Services

Step 3: Delete Botnet Files and Binaries

Malware directories removed:

Infection markers removed:

Step 4: Restore Broken System Packages

Step 5: Firewall Hardening

We blocked C2 and mining IPs and enforced a default-deny firewall:

Step 6: VPN-Only SSH

SSH is now allowed only through Tailscale, preventing external brute-force or lateral movement.

Step 7: Patch React & Next.js Immediately

We upgraded to the safe versions:

React ≥ 19.0.1 / 19.1.2 / 19.2.1

Next.js ≥ patched 15.x / 16.x

Rebuilt production:

npm install next@latest react@latest react-dom@latest npm run build pm2 restart ap 

Step 8: Full Credential Rotation

We rotated:

DB passwords

JWT secrets

API keys (Supabase, Stripe, AWS, OAuth providers)

Webhook secrets

SMTP access

Everything stored in .env was considered compromised.

7. Cross-Research: Industry Reports Confirm Similar Attacks

While performing our analysis, we cross-validated with two major reports:

1. CodeBru Incident Report (RondoDox / CVE-2025-55182)

Confirms identical malware families, persistence techniques, and exploitation vector.

2. Reddit Incident (Next.js CVE-2025-66478 Exploit)

A user reported:

Docker container running as root

Malware named nginxs, apaches

Miner wallet configs under /c.json

Botnet size of ~415 infected servers

Earnings: only $4.26/day, showing attackers are focused on scale, not efficiency

These align with our findings—this exploit is actively being weaponised across the internet, often within 24–48 hours of patch releases.

8. Indicators of Compromise (IOCs)

Files

systemd services

IP addresses

193.24.123.68

37.114.37.82

86.48.26.26

205.185.126.196

Domains

ax29g9q123.anondns.net

9. Key Lessons

1. Never expose development tools publicly.

Port 3001 exposure enabled RCE.

2. Patch React/Next.js immediately.

CVE-2025-55182 was exploited worldwide within hours.

3. Do not run Docker containers as root.

This allowed attackers to infect the entire host.

4. Enforce a default-deny firewall policy.

Only explicitly whitelisted traffic should be allowed.

5. Use VPN-only access for SSH.

Eliminates a major attack surface.

6. After any breach, rotate all credentials.

Assume server-side secrets have been leaked.

10. Conclusion

The CVE-2025-55182 / 66478 vulnerability represents one of the most impactful exploits in the modern JavaScript ecosystem due to its reach across:

React Server Components

Next.js 13/14/15/16+

Frameworks built on RSC

Appcrunk’s engineering and security teams were able to restore integrity quickly due to:

Rapid incident detection

Structured forensic methodology

Strong DevOps discipline

Immediate patching and isolation

We strongly encourage every organisation to:

Audit their Next.js/React versions

Restrict development endpoints

Scan for IoCs

Rotate credentials

Harden Docker permissions

Enforce VPN-only server access

If your organisation needs help assessing exposure, conducting a compromise analysis, or securing your infrastructure, the Appcrunk Cyber Engineering division is available for direct support.

Stay Secure. Patch Fast. Monitor Continuously.

For security support or consultation, contact: https://appcrunk.com/