Critical React2Shell Exploit Hijacks Web Traffic via Compromised NGINX Servers
Security researchers uncover an active campaign exploiting CVE-2025-55182 (CVSS 10.0) to redirect web traffic through attacker-controlled NGINX infrastructure.
Attackers Exploit React2Shell to Hijack Web Traffic via NGINX Servers
Cybersecurity researchers at Datadog Security Labs have uncovered an active campaign targeting NGINX installations and management panels such as Baota (BT), redirecting web traffic through attacker-controlled infrastructure. The threat actors behind this operation are leveraging React2Shell (CVE-2025-55182), a critical vulnerability with a CVSS score of 10.0, to compromise servers and manipulate traffic flows.
Technical Details
The attack exploits CVE-2025-55182, a remote code execution (RCE) vulnerability in React2Shell, a component used in certain NGINX configurations. Once exploited, threat actors gain unauthorized access to NGINX servers, allowing them to:
- Modify server configurations to redirect traffic to malicious endpoints.
- Inject malicious scripts into web responses, facilitating further attacks such as phishing or malware distribution.
- Compromise management panels like Baota (BT), a popular web hosting control panel, to maintain persistence.
Datadog Security Labs observed that the attackers are actively scanning for vulnerable NGINX instances, emphasizing the urgency for organizations to patch affected systems.
Impact Analysis
The exploitation of CVE-2025-55182 poses severe risks to organizations, including:
- Traffic hijacking: Attackers can intercept, modify, or redirect web traffic, leading to data exfiltration or man-in-the-middle (MITM) attacks.
- Reputation damage: Compromised servers may unknowingly distribute malicious content, eroding user trust.
- Regulatory consequences: Unauthorized data access or exposure may result in compliance violations, particularly under frameworks like GDPR or CCPA.
Recommendations
Security teams are advised to take the following steps to mitigate risks:
- Apply patches immediately: Update NGINX and associated components to the latest versions to close the CVE-2025-55182 vulnerability.
- Audit server configurations: Review NGINX and Baota (BT) panel configurations for unauthorized changes, particularly in traffic routing rules.
- Monitor for suspicious activity: Deploy network monitoring tools to detect unusual traffic patterns or unauthorized access attempts.
- Isolate compromised systems: If exploitation is detected, isolate affected servers to prevent lateral movement within the network.
- Educate stakeholders: Ensure IT and security teams are aware of the threat and prepared to respond to potential incidents.
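As an added example (not code from Datadog Security Labs or from this article), the configuration audit recommended above can be scripted: the Python below scans an NGINX configuration for the redirect, proxy and response-rewriting directives that the Technical Details section describes attackers modifying, and flags any whose target host is outside a trusted allowlist or that injects a script tag. The TRUSTED_HOSTS allowlist and the sample configuration are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse
# Hosts/upstream names this deployment may redirect or proxy to (constructed allowlist).
TRUSTED_HOSTS = {"example.com", "www.example.com", "backend", "127.0.0.1"}
# Directives that can reroute requests or tamper with responses; group 1 is the target.
QUOTED = r"'[^']*'|\"[^\"]*\"|\S+"
RULES = {
    "return": re.compile(r"\breturn\s+30[1278]\s+(\S+)"),
    "rewrite": re.compile(r"\brewrite\s+\S+\s+(\S+)"),
    "proxy_pass": re.compile(r"\bproxy_pass\s+(\S+)"),
    "sub_filter": re.compile(rf"\bsub_filter\s+(?:{QUOTED})\s+({QUOTED})"),
}

def target_host(target):
    # Hostname of an absolute http(s) target; None for relative paths and variable hosts
    # such as https://$host, which are left for manual review rather than flagged.
    target = target.strip("'\";")
    if not re.match(r"^https?://", target):
        return None
    host = urlparse(target).hostname or ""
    return None if "$" in host else host

def audit_nginx_config(text, trusted=TRUSTED_HOSTS):
    # Return (line_no, directive, detail) for redirects/proxies to hosts outside the
    # allowlist and for sub_filter rules that inject a <script> tag into responses.
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing comments (naive: '#' in quotes too)
        for name, pat in RULES.items():
            if not (m := pat.search(line)):
                continue
            value = m.group(1)
            if name == "sub_filter" and "<script" in value.lower():
                findings.append((no, name, value.strip("'\";")))
            elif name != "sub_filter" and (host := target_host(value)) and host not in trusted:
                findings.append((no, name, host))
    return findings

# Constructed config: a benign server block plus one carrying hijacking rules
# (203.0.113.0/24 is the RFC 5737 documentation range, not a real indicator).
SAMPLE_CONF = """server {
    return 301 https://$host$request_uri;
}
server {
    location /api/ { proxy_pass http://backend; }
    location / {
        proxy_pass http://203.0.113.10:8080;
        sub_filter '</body>' '<script src="http://203.0.113.10/x.js"></script></body>';
    }
    rewrite ^/login$ https://login.example.net/ permanent;
}"""
```

Run it against files from /etc/nginx (including every path pulled in by `include`) and against the vhost configs a Baota (BT) panel generates, and compare the findings with a baseline taken before the incident window.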
Datadog Security Labs continues to track this campaign and will provide updates as new details emerge. Organizations are urged to prioritize remediation efforts to safeguard their infrastructure from this critical threat.