
PacketWatch 24/7 Cyber Incident Response Team Helps Organizations Recover From React2Shell Exploitations

PR NEWSWIRE by PR NEWSWIRE
December 12, 2025


Proactive threat hunting sees suspicious network activities that others might miss

PHOENIX, Dec. 12, 2025 /PRNewswire/ — As organizations struggle to understand the impact of the React2Shell vulnerability, PacketWatch threat hunters have published a blog article, “Responding to React2Shell,” detailing their experience with React2Shell (CVE-2025-55182) in the wild, including the attack flow, proof-of-concept, IOCs, and observed behaviors.





With threats like React2Shell, deploying endpoint detection and response (EDR), web application firewalls (WAF), and application patches can protect your devices, but these updates won’t alert you if the vulnerability has already been exploited. For that, it takes a unique set of tools and proven cyber incident response expertise.

“Network traffic originating from external sources is often not seen by, or effectively parsed by, conventional security tools,” says John Bornt, chief security officer and vice president of cyber operations and incident response at PacketWatch. “This lack of visibility allows threat actors using exploits like React2Shell to successfully compromise an organization’s Internet-facing resources without immediately triggering alerts for the security operations team to triage.”

The React2Shell vulnerability enables remote code execution on systems using React or Next.js. This allows threat actors worldwide to exploit this “open door” to deliver various malicious payloads. Due to the widespread adoption of these platforms, React2Shell poses a greater threat to corporate networks than other known vulnerabilities.

Organizations monitoring their network should ensure that their purview is not one-dimensional. Looking solely at HTTP headers, firewall logs, Zeek signatures, or NetFlow data is not enough. Full Packet Capture provides a complete recording (PCAP) of network activity, much like a DVR does for television. This allows network threat hunters to investigate and “rewind” the activity to find subtle suspicious patterns.

Some of the suspicious activities that PacketWatch analysts observed in the wild in React2Shell-exploited environments included:

  • Suspicious processes spawning from Node.js
  • Suspicious network traffic to malicious external IPs (C2)
  • Suspicious network connections from the React server to other internal assets
  • Scanning from the React server
  • Malware installations and malicious code running on the React server

“We can see things that others can’t,” said Andrew Oesterheld, senior cybersecurity analyst at PacketWatch. “With full packet capture, we’re able to use raw network data to quickly reverse-engineer exploits and build detections to protect our clients. Within hours of a new exploit being released, we can protect all our managed clients, even before traditional alerts are triggered. That’s the power of proactive threat hunting.”

For organizations that can’t see suspicious network patterns, PacketWatch provides 24/7 Incident Response Services, Enterprise Security Assessments, Rapid Response Assurance, and Managed Threat Hunting services. They also publish free, bi-weekly Cyber Threat Intelligence reports on their website to help organizations better understand the threats PacketWatch analysts are seeing in the wild.

For more information, visit www.packetwatch.com or call 1-800-864-4667.

About PacketWatch
The PacketWatch network threat hunting platform combines full packet capture, AI/ML tools, and threat intelligence to help incident responders find hidden cyber threats and capture forensic evidence. As a managed service, the combination of packet-level network analysis and proactive human-based threat hunting finds and contains risks and malicious activities that conventional cybersecurity tools may miss. Integration with CrowdStrike Falcon offers real-time host telemetry to identify and contain persistent threats before they trigger alerts on endpoints. Learn more about the software, professional services, and managed services at www.packetwatch.com.

Contact:
Sean McGovern
Vice President of Sales
PacketWatch
480.444.7064

SOURCE PacketWatch


