"are first performing basic exploit proof - of - execution ( poe ) validation using " cheap math " powershell commands : powershell - c " 40138 * 41979 " powershell - c " 40320 * 43488 " this is a common exploitation workflow since deterministic output confirms command execution a…"
T1190 Exploit Public-Facing Application
98%
"cve - 2025 - 55182 rce attempt customers can also modify the template to specify source country, other ip classifications, etc. new users can get started with a 14 - day free trial. enterprise customers have targeted blocklists available in the platform ( specifying asns, ja4, de…"
T1190 Exploit Public-Facing Application
91%
"- and - execute stagers ( - enc + downloadstring + iex ). then, a stage - 2 payload that uses reflection to set system. management. automation. amsiutils. amsiinitfailed = true ( standard amsi bypass ), then iex executes the next stage. react2shell quick refresher public reportin…"
T1190 Exploit Public-Facing Application
87%
"importance of dynamic ip blocking the vast majority of threat actor ips allocated to exploiting this vulnerability were first seen by greynoise post july 2025. we encourage defenders to leverage greynoise block to instantly neutralize threat actor ips attempting to exploit react2…"
T1059.001 PowerShell
84%
"historically, this is when defenders can still win by ensuring patches are in place, putting high - quality endpoint detection in place, and using the provided network fingerprints to isolate potentially malicious inbound traffic requests. — — — top - level indicators candidate e…"
T1190 Exploit Public-Facing Application
75%
"- 1 - 3 _ 1460 _ 10 + po11nn090000 _ 3343762cd6d7 _... source ip first / last - seen analysis shows a meaningful share of the observed exploitation ips are newly observed in the recent window ( nearly 50 % being first seen in december 2025 ). this has become typical for modern op…"
T1190 Exploit Public-Facing Application
73%
"historically, this is when defenders can still win by ensuring patches are in place, putting high - quality endpoint detection in place, and using the provided network fingerprints to isolate potentially malicious inbound traffic requests. — — — top - level indicators candidate e…"
T1190 Exploit Public-Facing Application
71%
"( ≈ 42 % ) contained active payload data that could be analyzed. the remaining 210 ips either : - connected but sent no payload data - sent malformed or empty payloads - had payload files that were empty the attacks originated from a diverse set of geographic locations, spanning …"
T1190 Exploit Public-Facing Application
69%
". com / greynoise - intelligence / gn - research - supplemental - data / tree / main / 2026 - 01 - 06 - react2shell update : 9 december 2025 due to the escalating situation, greynoise is sharing its weekly at the edge intelligence brief — typically reserved for greynoise customer…"
T1059.001 PowerShell
49%
"( ≈ 42 % ) contained active payload data that could be analyzed. the remaining 210 ips either : - connected but sent no payload data - sent malformed or empty payloads - had payload files that were empty the attacks originated from a diverse set of geographic locations, spanning …"
T1059.001 PowerShell
39%
"). setvalue ( $ null, $ true ) exploit validation / “ proof of execution ” probes : powershell - c " < 5 - digit > * < 5 - digit > " ( many unique pairs ; deterministic output ) unique payloads [ { " then " : " $ 1 : _ _ proto _ _ : then ", " status " : " resolved _ model ", " re…"
Summary
GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as “React2Shell” and tracked as CVE-2025-55182.