React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic
ATT&CK techniques detected
T1190Exploit Public-Facing Application
97%
"[. ] buzz - january 2022 : bt2. radiology [. ] link whois records show shared registrant information across these domains, with registration dates extending back to 2018. adjacent ip addresses in the same / 24 as the scanner ( 87. 121. 84 [. ] 25 and 87. 121. 84 [. ] 45 ) are cur…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1190Exploit Public-Facing Application
85%
"react server components exploitation consolidates as two ips generate majority of attack traffic for greynoise customers : a comprehensive ioc package with extended infrastructure, network fingerprints, and connected domains was sent directly to customers via email. two months af…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1190Exploit Public-Facing Application
63%
"its sensors are not reconnaissance scans but active exploitation attempts deploying cryptominers and reverse shells. organizations running unpatched react server components should assume they have been targeted. key findings - two ips generated 56 % of exploitation traffic over t…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
Summary
Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly.