A newly disclosed software flaw known as React2Shell (CVE-2025-55182) is being widely used in active cyberattacks against connected home devices, according to new data from Bitdefender. The company is blocking more than 150,000 attack attempts per day, showing how quickly criminal groups move once a vulnerability becomes public.
Although the issue originates in certain Node.js-based web applications and not in smart home products themselves, the fallout affects the broader connected-device landscape. Once attackers find any system they can break into, they often use it to scan for and compromise additional devices, many of which are commonly installed in today’s smart homes.
The vulnerability is notable due to the speed with which cybercriminals are exploiting it. The bug was first disclosed on Dec. 3, and Bitdefender is already blocking 150,000 exploits per day, the firm said Tuesday.
Which Devices Are Vulnerable under React2Shell?
Bitdefender observed attacks aimed at a wide range of connected devices, including:
- Smart plugs and simple IoT appliances
- Smartphones
- NAS and home storage devices
- Surveillance cameras and systems
- Home routers
- Smart TVs and entertainment devices
Many attempts also hit devices that could not be identified by type, which indicates attackers are simply scanning the internet for anything that responds, not targeting specific brands.
This pattern is typical of botnet activity: attack whatever is online and vulnerable, then use it to grow the network even further.
Bitdefender reports that attackers began using React2Shell almost as soon as the details became public. Most of the activity involves automated tools trying to break into systems and install malware.
With more than 150,000 attempts every day, this campaign is already operating at a global scale.
Where the Attacks Are Coming From
The largest share of activity appears to originate from a datacenter in Poland, but additional probing has come from the U.S., Europe, and Asia. This wide distribution suggests broad adoption by existing botnet operators rather than a single targeted effort.
In addition to React2Shell attempts, researchers also saw the same sources trying to exploit older camera and router vulnerabilities—another sign that attackers are running large, all-purpose scanning tools.
What the Attackers Are Trying to Install
Bitdefender observed two main types of malicious software being delivered:
- Botnet tools, similar to the well-known Mirai family, which take over devices so they can be used in large-scale internet attacks
- Cryptomining tools, which quietly use a device’s computing power to generate cryptocurrency for the attacker
These are common tactics because they are simple, profitable, and require little maintenance.
Why the React2Shell Situation Matters for the Custom Integration Channel
React2Shell’s rapid adoption reinforces what integrators have been seeing for years: the biggest cybersecurity risks come from the broader internet, not only from the products inside a home. As the number of connected devices grows, so does the likelihood that attackers will find an entry point somewhere in the network.
For integrators, this means secure network design, sensible default settings, and regular maintenance are increasingly central to delivering long-term value to clients.
Integrators are urged to follow best cybersecurity practices:
- Keep IoT and AV devices separated from the main home network
- Turn off remote access features clients don’t actively use
- Keep firmware and software up to date
- Review any custom dashboards, interfaces, or local services for unnecessary exposure
CE Pro will continue monitoring this issue and will report back as Bitdefender identifies new patterns or emerging threats.















