Critical Flaws Under Fire: 'React2Shell' (CVSS 10.0) and Windows Zero-Day Actively Exploited

Security Alert: 'React2Shell' (CVE-2025-55182), Windows Zero-Day (CVE-2025-62221), and FortiGate Flaws Under Active Attack

Severity: CRITICAL
Published: December 26, 2025


CVE Identifiers

  • CVE-2025-55182: Critical (CVSS 10.0)
  • CVE-2025-62221: High (CVSS 7.8)
  • CVE-2025-59718: High
  • CVE-2025-59719: High

Executive Summary

A security analysis published on December 26, 2025, has raised alarms about the active exploitation of several distinct, high-impact vulnerabilities. The most severe is CVE-2025-55182, a critical remote code execution (RCE) flaw in React Server Components dubbed 'React2Shell', which carries the maximum CVSS score of 10.0. Threat actors are already weaponizing it to deploy malware such as MINOCAT, HISONIC, and XMRig. Concurrently, Microsoft has confirmed active exploitation of CVE-2025-62221, a zero-day privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver. To complete the trifecta of risk, two authentication bypass vulnerabilities in FortiGate firewalls (CVE-2025-59718 and CVE-2025-59719) are also being exploited, threatening network perimeter security. This confluence of threats requires immediate attention and patching.

Vulnerability Details

CVE-2025-55182 ('React2Shell')

  • Description: A remote code execution (RCE) vulnerability in React Server Components.
  • CVSS Score: 10.0 (Critical)
  • Impact: Allows an unauthenticated, remote attacker to execute arbitrary code on the server. The widespread use of React Server Components in modern web applications makes the attack surface vast.
  • Exploitation: Actively exploited to deploy malware, including the MINOCAT backdoor, HISONIC infostealer, and the XMRig cryptominer.

CVE-2025-62221 (Windows Zero-Day)

  • Description: A use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver.
  • CVSS Score: 7.8 (High)
  • Impact: Allows a local attacker who has already gained initial access to elevate their privileges to SYSTEM, the highest level on a Windows machine. This is a powerful tool for post-compromise activities.
  • Exploitation: Confirmed by Microsoft to be actively exploited in the wild, often chained with other exploits for initial access.

CVE-2025-59718 & CVE-2025-59719 (FortiGate)

  • Description: Two high-severity authentication bypass vulnerabilities in FortiGate firewalls.
  • Impact: Allows an attacker to circumvent security controls, including Single Sign-On (SSO) workflows, on internet-facing network appliances, granting unauthorized access to protected networks.
  • Exploitation: Actively exploited.

Impact Assessment

The simultaneous exploitation of these vulnerabilities creates a complex and dangerous threat landscape. 'React2Shell' threatens any organization using modern web frameworks, opening the door for complete server takeover. The Windows zero-day provides a reliable method for attackers to escalate privileges once inside a network, allowing them to disable security software, deploy ransomware, and achieve persistence. The FortiGate flaws undermine the very perimeter that organizations rely on for defense, potentially rendering other security controls moot. Attackers can chain these vulnerabilities, for example, by using a FortiGate bypass to gain network access and then using the Windows zero-day to take over critical internal servers.

Cyber Observables for Detection

  • xmrig.exe (process_name): The XMRig cryptominer is a common payload for web server exploits like React2Shell.
  • Windows System Event Log (log_source): Look for errors or crashes related to the Cloud Files Mini Filter Driver (cldflt.sys), which could indicate exploitation of CVE-2025-62221.
  • FortiGate Firewall Logs (log_source): Monitor for successful authentication events that do not have a corresponding valid SSO log entry, or for other anomalies in authentication patterns.
  • Outbound connections to crypto mining pools (network_traffic_pattern): A common indicator of compromise from exploits like React2Shell.

Detection & Response

  • Web Application Firewall (WAF): Deploy and update WAF signatures to detect and block exploit attempts against 'React2Shell'. Monitor web server logs for suspicious requests targeting React Server Components.
  • Endpoint Detection and Response (EDR): EDR tools are essential for detecting the post-exploitation activity associated with CVE-2025-62221. Monitor for processes being spawned with SYSTEM privileges by unprivileged user accounts. Hunt for the presence of malware like MINOCAT, HISONIC, and XMRig.
  • Network Security Monitoring: For the FortiGate flaws, closely audit firewall authentication logs. Alert on any bypasses or unexpected successful logins, especially from external IP addresses.
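The observables and the detection guidance above can be turned into simple checks. The following is an added example, not code from the original article: it runs three detections (miner process names, cldflt.sys error lines in the Windows System log, FortiGate logins that lack a preceding SSO assertion for the same user) over constructed sample telemetry. The record layouts are simplified assumptions, not Microsoft's or Fortinet's real log schemas.

```python
"""Added example: toy detection pass over constructed telemetry for the
observables above. Record layouts are assumptions, not vendor schemas."""
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs.
PROCESSES = [
    {"host": "web01", "name": "node.exe"},
    {"host": "web01", "name": "XMRig.exe"},
]
SYSTEM_EVENTS = [
    "2025-12-26T09:00:00 Information cldflt.sys: Cloud Files filter loaded",
    "2025-12-26T10:01:00 Error cldflt.sys: filter hit an unexpected error",
    "2025-12-26T10:02:00 Information Windows Update service started",
]
SSO_EVENTS = [
    {"ts": "2025-12-26T10:04:30", "user": "alice", "result": "assertion_ok"},
    {"ts": "2025-12-26T10:30:00", "user": "bob", "result": "assertion_ok"},
]
FW_LOGINS = [
    {"ts": "2025-12-26T10:05:00", "user": "alice", "src": "203.0.113.5"},
    {"ts": "2025-12-26T10:10:00", "user": "bob", "src": "198.51.100.7"},
]


def suspicious_processes(procs, names=("xmrig.exe",)):
    """Case-insensitive match on known miner process names."""
    return [p for p in procs if p["name"].lower() in names]


def cldflt_errors(lines):
    """System-log lines that mention cldflt.sys together with an error/crash."""
    hits = []
    for line in lines:
        low = line.lower()
        if "cldflt.sys" in low and ("error" in low or "crash" in low):
            hits.append(line)
    return hits


def logins_without_sso(logins, sso_events, window=timedelta(minutes=5)):
    """Firewall logins with no SSO assertion for the same user in the `window`
    before the login; an assertion logged afterwards does not count."""
    flagged = []
    for login in logins:
        t = datetime.fromisoformat(login["ts"])
        backed = any(
            s["user"] == login["user"] and s["result"] == "assertion_ok"
            and timedelta(0) <= t - datetime.fromisoformat(s["ts"]) <= window
            for s in sso_events)
        if not backed:
            flagged.append(login)
    return flagged
```

In the constructed data, alice's login is backed by an assertion 30 seconds earlier, while bob's only assertion arrives 20 minutes after his login, so only bob is flagged.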

Mitigation

  1. Patch Urgently: The primary mitigation for all these vulnerabilities is to apply the security updates provided by the respective vendors (React, Microsoft, Fortinet). Given the active exploitation, these should be treated as emergency patches.
  2. Principle of Least Privilege: For the Windows zero-day, ensuring that users and services run with the minimum necessary privileges can limit an attacker's ability to exploit the flaw. This is not a complete defense, however: an attacker who compromises even a non-privileged account may still be able to use CVE-2025-62221 to become SYSTEM.
  3. Harden Web Servers: Reduce the attack surface of web applications. Disable unnecessary components and ensure proper configuration to minimize the impact of flaws like 'React2Shell'.
  4. Review Firewall Rules: In addition to patching FortiGate devices, review and tighten firewall rules to restrict management access and limit the exposure of any potentially vulnerable services.

Timeline of Events

  • December 26, 2025: This article was published.

MITRE ATT&CK Mitigations

  • The most effective mitigation is to apply the patches for all mentioned vulnerabilities from their respective vendors as a top priority.
  • Employ exploit protection mechanisms like WAFs for web applications and endpoint security features that can mitigate use-after-free vulnerabilities.
  • Limit the number of privileged accounts and enforce the principle of least privilege to reduce the impact of a successful privilege escalation exploit.

D3FEND Defensive Countermeasures

Given that all three sets of vulnerabilities are under active exploitation, immediate and comprehensive patching is the paramount countermeasure. Organizations must prioritize the deployment of security updates for React Server Components, Windows operating systems (specifically for CVE-2025-62221), and FortiGate firewalls. Use vulnerability management and asset inventory systems to rapidly identify all affected assets. Due to the critical nature and active exploitation, these patches should be fast-tracked through emergency change control procedures. For React2Shell, this may involve updating application dependencies and redeploying applications. For the Windows zero-day, this requires deploying Microsoft's priority fix across all workstations and servers. For FortiGate, firmware updates must be applied to all affected firewall appliances. Failure to patch is an invitation for compromise.

To mitigate the immediate threat from React2Shell and the FortiGate flaws while patching is underway, organizations should leverage Inbound Traffic Filtering. For React2Shell, this involves configuring a Web Application Firewall (WAF) with virtual patching rules that can identify and block the specific malicious payloads targeting React Server Components. For the FortiGate vulnerabilities, this means ensuring that management interfaces are not exposed to the internet and are only accessible from a trusted internal IP range. By filtering traffic at the network edge, organizations can block exploit attempts before they reach the vulnerable application or appliance, providing a critical layer of defense against these initial access vectors.

Article Author

Jason Gomes