Threat actors hijack web traffic after exploiting React2Shell vulnerability: Report

Threat actors exploiting the React2Shell vulnerability in components of React servers are using their access to compromise web domains and divert web traffic for malicious purposes.

That’s the conclusion of researchers at Datadog Security Labs, who said in a blog Wednesday that the primary targets are sites running the NGINX open-source web server managed with Baota Panel. These include Asian organizations with top-level domains ending in .in, .id, .pe, .bd, .edu, .gov, and .th, as well as Chinese hosting infrastructure.

The danger, said blog author Ryan Simon, a senior security researcher at Datadog Security Labs, is that a hacker can use a compromised site to do a number of nasty things such as fingerprint an organization’s web traffic, insert malware onto users’ computers, or divert traffic to a threat actor-controlled landing page that tries to trick users into giving up login credentials.

These last two tactics also end up damaging a website’s reputation, Simon added, if the word gets around that the site hosts malware.

NGINX is a “foundational element of contemporary web infrastructure,” the Datadog blog notes. The routing and processing of traffic by NGINX is governed by its configuration files. Poor configuration or a successful breach allows it to be used for web traffic hijacking.

For CSOs, the defense against these attacks is to lock down those configuration files so they cannot be tampered with.

React2Shell is the name given to exploitation of a vulnerability (CVE-2025-55182), discovered late last year, in the React 19 library for building application interfaces. The hole allows attackers to execute arbitrary code on affected servers.

Researchers at Greynoise said this week that exploitation activity targeting React Server Components has consolidated significantly. Two IP addresses now account for 56% of all observed exploitation attempts, down from 1,083 unique sources earlier.

Unpatched versions of React are at risk of compromise.

Initial abuse

“What we saw in a lot of our honeypots and threat intelligence early on with React2Shell is attackers were using it for cryptomining,” said Simon. Others have seen exploitation used to deploy reverse shells. But more recently, Simon said, Datadog Security is seeing threat actors, once in an IT network, going after web servers to hijack their traffic.

An analysis of the scripts used by threat actors on compromised NGINX web servers shows they take a multi-stage, automated approach to attacking the environments. The toolkits contain target discovery plus several scripts designed to establish persistence and to create malicious configuration files containing instructions intended to redirect web traffic, says the Datadog blog.

There is no commonality among the targeted organizations, Simon noted.

Hijacking web traffic is an old tactic for threat actors. In fact, David Shipley, head of Canadian security awareness training provider Beauceron Security, called these attacks on NGINX servers “a return to old-school hacking in the era of stronger identity controls like password managers, MFA and passkeys.”

“If you’re up against a more robustly defended user, you go back to attacking the infrastructure so you can go back into attacker-in-the-middle mode for some good old session cookie capture and other hijinks on the NGINX,” he said.

Finding and exploiting server-side vulnerabilities or network security vulnerabilities is fast, cheap, and easy with AI, he added.

Simon said CSOs can help protect NGINX servers from being exploited by monitoring configuration-file integrity, including keeping records of their server configurations so any changes can be spotted.
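As an added illustration of that advice (example code written for this article, not from Datadog or the blog it cites): a Python sketch of a baseline-and-diff check over NGINX configuration files that also flags traffic-redirecting directives in any file that is new or changed. The file paths and contents are constructed samples, and the directive patterns are the author's own choice of what to flag.

```python
import hashlib
import re

# Constructed sample configs (not taken from the article or from Datadog's data).
# BASELINE is the recorded known-good state; CURRENT is the live tree after a
# redirect file was dropped in and an existing file was edited.
BASELINE = {
    "/etc/nginx/nginx.conf": "user www-data;\nhttp {\n    include /etc/nginx/conf.d/*.conf;\n}\n",
    "/etc/nginx/conf.d/site.conf": "server {\n    listen 80;\n    location / { root /var/www/html; }\n}\n",
}
CURRENT = {
    "/etc/nginx/nginx.conf": BASELINE["/etc/nginx/nginx.conf"],
    "/etc/nginx/conf.d/site.conf": (
        "server {\n    listen 80;\n"
        "    rewrite ^ http://example.invalid/ redirect;\n"
        "    location / { root /var/www/html; }\n}\n"
    ),
    "/etc/nginx/conf.d/zz-redirect.conf": (
        "server {\n    listen 80;\n"
        "    if ($http_user_agent ~* \"Googlebot\") { return 302 http://example.invalid/landing; }\n"
        "    location / { proxy_pass http://203.0.113.5; }\n}\n"
    ),
}

# Directives that send traffic elsewhere: an external 30x return, a redirecting
# rewrite, or a proxy_pass to a raw IP literal (assumed indicators, not an exhaustive list).
SUSPICIOUS = re.compile(
    r"\b(?:return\s+30[1278]\s+[^;\s]+"
    r"|rewrite\b[^;]*\b(?:redirect|permanent)\s*;"
    r"|proxy_pass\s+https?://\d[^;\s]*)"
)

def fingerprint(configs):
    """SHA-256 of each file body, keyed by path; store this as the baseline record."""
    return {path: hashlib.sha256(body.encode()).hexdigest() for path, body in configs.items()}

def diff_configs(baseline, current):
    """Paths that appeared, disappeared, or changed hash since the baseline."""
    old, new = fingerprint(baseline), fingerprint(current)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }

def suspicious_directives(configs, paths):
    """Traffic-redirecting directives found in the given files, keyed by path."""
    hits = {p: [m.group(0) for m in SUSPICIOUS.finditer(configs[p])] for p in paths}
    return {p: found for p, found in hits.items() if found}
```

Run `suspicious_directives` only over the `added` and `modified` paths that `diff_configs` returns; an unchanged file that already matched the baseline is not what this check is for.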

It’s vital that web servers have the latest security patches, he added. And admins should also monitor the NGINX security advisory website.