Saved February 14, 2026
The article details the rapid exploitation attempts against the React2Shell vulnerability (CVE-2025-55182) that followed its disclosure on December 3, 2025. Threat actors quickly used various tools to scan for and exploit vulnerable React Server Components across multiple regions, targeting significant organizations and critical infrastructure. It also mentions two other related vulnerabilities and Cloudflare's response to mitigate these risks.
On December 3, 2025, the React2Shell vulnerability (CVE-2025-55182) was publicly disclosed, prompting immediate monitoring by Cloudflare's Threat Intelligence team. Within hours, the team detected active exploitation attempts linked to Asia-based threat groups. These actors quickly adapted their tools to exploit this high-severity Remote Code Execution (RCE) vulnerability, which arises from an unsafe deserialization flaw in React Server Components (RSC). A single crafted HTTP request can allow an attacker to execute arbitrary JavaScript on vulnerable servers without requiring authentication or user interaction.
The exploitation tactics included using commercial and open-source tools for vulnerability scanning and reconnaissance. Threat actors relied on vulnerability intelligence databases to prioritize targets. They employed platforms like Nuclei for rapid scanning and Burp Suite for exploiting vulnerabilities in HTTP/S traffic. Their reconnaissance efforts were sophisticated, using Internet-wide scanning to identify React and Next.js applications. They specifically filtered targets by geographic region and SSL certificate attributes to focus on high-value entities, such as government systems.
In addition to React2Shell, two other vulnerabilities (CVE-2025-55183 and CVE-2025-55184) were disclosed, relating to RSC payload handling. Cloudflare's defenses now cover both vulnerabilities. The company has implemented new WAF rules aimed at blocking these threats, available to both free and paid customers. The rapid increase in scanning and exploitation activity following the vulnerability's announcement emphasizes the urgent need for organizations using affected versions of RSC to strengthen their security measures.