Happy Friday! React2Shell exploitation is ongoing, and our team has released a slew of different insights and artifacts for customers. Below are the Initial Access Intelligence team's deliverables for this past week.
Throughout the past week and a half, the VulnCheck research team has been analyzing and adding support for testing and detecting various React2Shell exploit variants. As of December 12, Initial Access Intelligence customers have access to artifacts spanning seven different exploit variants, along with five different vulnerable Docker containers for testing (Next.js, React RSC, Expo, React Router, Waku).
New exploit variants added this week, all of which include accompanying signatures and PCAPs:
require() function while using a randomly generated endpoint, which is necessary for exploitation (shipped Dec. 11)

These join our previously delivered exploits (Next.js reverse shell, Next.js in-memory, Next.js in-memory webshell), network scanner, signatures, PCAPs, Docker container, and ASM queries. Notably, the team has continually improved our network rules for React2Shell, making them harder to bypass through updated pattern matching and minimization. For additional React2Shell resources, see our original emerging threat blog, our analysis of the PoC and variant ecosystem, detection observations from VulnCheck canaries, and the team's analysis of hundreds of public exploits.
The team added coverage for an authenticated command injection vulnerability in FreePBX's installed-by-default Filestore module. No exploitation attempts have been observed as of yet, but attackers have previously demonstrated interest in FreePBX with exploitation of CVE-2025-57819, which has also been detected by VulnCheck canaries. FOFA reports just over 40K publicly available instances of FreePBX currently. Coverage includes an exploit, PCAPs, network signatures, ASM queries, and a YARA rule.
The team also added coverage for an authentication bypass vulnerability found in multiple Netgear router models. Back in October, the team added coverage for CVE-2020-27867, which can be paired with CVE-2020-27866 to achieve unauthenticated RCE and has since been detected by VulnCheck canaries. F5 Labs has also recently reported on RondoDox-driven exploitation attempts of these vulnerabilities across October and November of this year. Included with the exploit are network signatures, ASM queries, and PCAPs.
Finally, the team added an exploit for a command injection vulnerability in D-Link DNS-320 devices that's been exploited in the wild since 2021, with threat activity attributed to seven different botnets. FOFA sees just under 25,000 of these devices on the internet, though other ASM engines spot significantly fewer. Our exploit comes with a version scanner, a target Docker container, network rules, and PCAPs.