Focus Friday: TPRM Insights Into React2Shell and Mixpanel Data Exposure Risks
Contributors: Ekrem Selcuk Celik, Hakan Karabacak, Nida Dundar
INTRODUCTION
Welcome to this week’s edition of Focus Friday, where we examine the latest high-profile incidents through the lens of Third-Party Risk Management (TPRM). This week brings two very different but equally significant risks for organizations: a critical remote code execution flaw affecting React Server Components (RSC) — now widely referred to in the security community as React2Shell — and a third-party data exposure event involving Mixpanel’s analytics platform. Although one is a technical vulnerability and the other stems from compromised employee accounts, both incidents share an important theme: vendors’ internal security practices can directly influence the risk posture of every organization that depends on them.
In this edition, we break down how these issues affect your vendor ecosystem, what questions TPRM teams should be asking, and how Black Kite’s FocusTags™ help you immediately identify which vendors require urgent attention.
![React2Shell [Suspected]](/_next/image?url=%2Fapi%2Fmedia%2Ffile%2F0_main_React2Shell%2520%255BSuspected%255D-2380x740.png&w=3840&q=85)
Filtered view of companies with React2Shell FocusTag™ on the Black Kite platform
CVE-2025-55182 (React2Shell)
Critical RCE in React Server Components (RSC) — Now Actively Exploited by China-Nexus Threat Groups
What is the React2Shell vulnerability?
CVE-2025-55182—now widely known across the security community as React2Shell—is a critical, unauthenticated remote code execution flaw in the React Server Components (RSC) protocol. It affects React 19 installations that enable RSC through react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack packages in versions 19.0, 19.1.0, 19.1.1, and 19.2.0.
The vulnerability arises from unsafe deserialization of attacker-controlled RSC payloads, enabling malicious requests to be translated into unintended server-side function calls. This results in arbitrary code execution without authentication.
The issue was privately reported on November 29, 2025, publicly disclosed on December 3, 2025, and patched through React versions 19.0.1, 19.1.2, and 19.2.1.
Because many frameworks embed RSC internally, the impact extends far beyond React itself:
Next.js App Router applications using RSC in 15.x, 16.x, and certain canary builds are affected.
Stable Next.js 13.x and 14.x, the Pages Router, and the Edge Runtime are not affected.
Additional ecosystems with RSC integration—including React Router RSC, Waku, Redwood SDK, Parcel RSC, and Vite’s RSC plugin—may also be exposed when using vulnerable packages.
At the time of writing, CISA had not added CVE-2025-55182 to the KEV catalog or issued an advisory. The vulnerability is nonetheless rated maximum severity, and public proof-of-concept exploits are available.
Active Exploitation Campaigns — React2Shell Weaponized Within Hours
Only hours after public disclosure, multiple China-nexus state-sponsored threat groups began exploiting React2Shell in the wild.
According to threat intelligence teams monitoring cloud-scale honeypot systems:
Actively exploiting threat actors
Earth Lamia — Targeting logistics, finance, IT, and geopolitical sectors across Latin America, the Middle East, and Southeast Asia
Jackpot Panda — Focusing primarily on East and Southeast Asia
Unattributed cluster — Using overlapping infrastructure commonly seen in China-nexus operations
These actors began operationalizing the exploit starting December 3, 2025, demonstrating extremely rapid adoption.
Exploitation characteristics
Although many public PoCs are flawed, threat groups employ a “volume-based exploitation strategy”—flooding targets with malformed or semi-functional exploit attempts to guarantee success if a vulnerable system exists.
Notably, the AWS MadPot infrastructure observed:
- Persistent scanning campaigns
- Attempts to execute Linux commands such as `whoami` and `id`
- File-write attempts to `/tmp/pwned.txt`
- Attempts to read `/etc/passwd`
- Manual debugging sessions lasting nearly an hour, confirming hands-on-keyboard activity
Known attacker IPs
- 206.237.3.150 — Earth Lamia
- 45.77.33.136 — Jackpot Panda
- 183.6.80.214 — Unattributed cluster
Indicators defenders should look for
HTTP headers:
- `next-action`
- `rsc-action-id`
Payload patterns:
- `$@`
- `"status":"resolved_model"`
Suspicious behavior:
- Reading `/etc/passwd`
- Writing unexpected files to `/tmp/`
Note that the action headers above also appear on legitimate Server Action traffic, so they are useful for scoping log review rather than as standalone detections; the payload patterns, the known attacker IPs, and the post-exploitation behavior carry the signal.
These observations confirm widespread, rapid adoption of React2Shell across sophisticated threat groups.
CVE status and FocusTag approach
CVE-2025-55182 (React): Primary CVE in this FocusTag.
CVE-2025-66478 (Next.js): Rejected. Cannot be referenced in a FocusTag, but Next.js remains in scope due to dependency on vulnerable upstream RSC packages.
Black Kite detects RSC usage in real-world deployments, enabling accurate identification of vendors likely impacted by React2Shell.
Why TPRM professionals should care about React2Shell
React2Shell represents a critical supply-chain risk across the modern web ecosystem.
If a vendor is vulnerable, attackers may:
- Compromise customer portals and dashboards
- Execute actions as privileged users
- Manipulate sensitive business workflows
- Gain footholds into cloud environments where autoscaling and serverless functions expand the blast radius
- Impact multiple branded services if the same stack is redeployed across environments
The vulnerability is unauthenticated, remote, actively exploited, and trivial to weaponize—a combination that places it among the most significant web platform risks in recent years.
Vendor questions for TPRM teams
When assessing exposure, ask vendors:
- Have you upgraded all React Server Components to 19.0.1, 19.1.2, or 19.2.1 to address CVE-2025-55182 (React2Shell)?
- Have you patched all Next.js App Router deployments to the fixed release for your line (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7)?
- Have you updated other RSC-enabled frameworks (React Router RSC, Waku, Redwood SDK, Parcel RSC, Vite RSC) to versions incorporating the patched RSC packages?
- Have you deployed monitoring controls to detect anomalous RSC payloads or unsafe deserialization attempts?
- Have you reviewed logs dating back to November 29, 2025, for React2Shell indicators and attacker IPs?
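The first two questions above are easier to verify from a lock file than from a questionnaire answer. The Node.js script below is an added example, not code from this post, Black Kite, React, or Next.js: it encodes the affected and fixed versions stated in the advisory summary above, flags the three RSC adapter packages and Next.js wherever they appear in a package-lock.json (including nested copies), treats any Next.js prerelease (canary) build as needing action, and reports minor lines the advisory does not mention as "unknown-line" rather than guessing. The lock-file contents, package paths, and status labels are constructed for illustration.

```javascript
// Added example (not from the post, Black Kite, React or Next.js): scan a
// package-lock.json (lockfileVersion 2 or 3, "packages" map) for React Server
// Components adapters and Next.js releases affected by CVE-2025-55182.
// Version boundaries are the ones stated in the advisory summary above; the
// lock-file contents at the bottom are a constructed sample.

const RSC_ADAPTERS = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// First fixed release for each affected React 19 minor line.
const REACT_FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// First fixed Next.js release for each affected 15.x / 16.x minor line.
const NEXT_FIXED = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};

// Minimal semver parse: major.minor.patch with an optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function compareCore(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

// Compare a parsed version with the fix table for its minor line.
function assessAgainst(fixTable, ver) {
  const fixed = fixTable[`${ver.major}.${ver.minor}`];
  if (!fixed) return 'unknown-line';             // minor line not covered by the advisory: verify manually
  const cmp = compareCore(ver, parseVersion(fixed));
  if (cmp < 0) return 'vulnerable';
  if (cmp === 0 && ver.pre) return 'vulnerable';  // 19.2.1-rc.0 sorts before 19.2.1
  return 'patched';
}

function assessReactAdapter(version) {
  const ver = parseVersion(version);
  if (!ver) return 'unparseable';
  if (ver.major !== 19) return 'not-affected';    // only React 19 ships the affected RSC protocol
  return assessAgainst(REACT_FIXED, ver);
}

function assessNext(version) {
  const ver = parseVersion(version);
  if (!ver) return 'unparseable';
  if (ver.major < 15) return 'not-affected';     // stable 13.x / 14.x are out of scope
  if (ver.pre) return 'canary';                  // canary builds: move to a patched stable release
  return assessAgainst(NEXT_FIXED, ver);
}

// Walk every installed package in the lock file, including nested copies.
function scanLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue;                    // root or workspace entry, not an installed package
    const name = path.slice(idx + 'node_modules/'.length);
    if (RSC_ADAPTERS.has(name)) {
      findings.push({ path, name, version: meta.version, status: assessReactAdapter(meta.version) });
    } else if (name === 'next') {
      findings.push({ path, name, version: meta.version, status: assessNext(meta.version) });
    }
  }
  return findings;
}

// Findings that block a "patched" answer to the vendor questionnaire.
function needsAction(findings) {
  return findings.filter((f) => ['vulnerable', 'canary', 'unknown-line', 'unparseable'].includes(f.status));
}

// Constructed sample lock file: one App Router app with a nested legacy copy of Next.js.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'customer-portal', version: '1.0.0' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/admin-ui/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/legacy-site/node_modules/next': { version: '14.2.3' },
  },
};

for (const f of scanLock(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(13)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, pass the parsed contents of its package-lock.json to scanLock; anything returned by needsAction is a reason to withhold a "patched" attestation until the dependency tree is updated and re-scanned.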
Remediation recommendations for vendors
1. Upgrade React packages immediately
Update all RSC adapter packages and associated modules to patched versions.
2. Apply Next.js patches or downgrade unstable builds
Use only the officially patched releases; downgrade canary builds until stable patches arrive.
3. Update all RSC-based frameworks
Any ecosystem using RSC must be upgraded to versions containing the fixed React packages.
4. Do not rely solely on WAF or hosting provider hotfixes
True remediation requires code updates.
5. Enhance monitoring and log review
Look for:
- `next-action` / `rsc-action-id` headers
- `$@` or `"status":"resolved_model"` patterns
- Attempts to read `/etc/passwd`
- Writes to `/tmp/`
- Requests from the Earth Lamia, Jackpot Panda, and unattributed-cluster IPs listed above
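The indicators in the "Indicators defenders should look for" section and the monitoring checklist above can be turned into a first-pass triage over logs a vendor already has. The script below is an added example, not code from this post or from AWS; the request and process records, their field names (src_ip, headers, body, parent, cmdline), and the scoring weights are constructed assumptions about a log schema, not any product's format. The caveat it encodes is the one a practitioner needs: the action headers are part of normal RSC traffic (Next.js sends next-action on every Server Action call), so a header alone raises nothing; severity comes from an exploit-style payload, a known attacker IP, or post-exploitation host activity, and the whoami/id check is applied only to command lines, never to request bodies where "id" is an ordinary JSON key.

```javascript
// Added example (not from the post or from AWS): first-pass triage of web
// request logs and process-execution telemetry for the React2Shell indicators
// listed above. Record shapes, field names and scoring weights are assumptions;
// the records at the bottom are constructed samples.

const KNOWN_ATTACKER_IPS = {
  '206.237.3.150': 'Earth Lamia',
  '45.77.33.136': 'Jackpot Panda',
  '183.6.80.214': 'unattributed China-nexus cluster',
};

// Action headers are normal RSC traffic (Next.js sends next-action on every
// Server Action call), so they are context, not evidence, on their own.
const RSC_HEADERS = ['next-action', 'rsc-action-id'];

const PAYLOAD_PATTERNS = [
  { re: /"status"\s*:\s*"resolved_model"/, weight: 2, label: 'resolved_model status object in body' },
  { re: /\$@/, weight: 1, label: '$@ reference marker in body' },
];

// Post-exploitation strings that have no business in an RSC request body.
const BODY_POST_EXPLOIT = [
  { re: /\/etc\/passwd/, weight: 2, label: '/etc/passwd referenced in body' },
  { re: /\/tmp\//, weight: 2, label: '/tmp/ path referenced in body' },
];

// Host telemetry: the whoami/id check is only applied to command lines.
const EXEC_PATTERNS = [
  { re: /\b(?:whoami|id)\b/, weight: 1, label: 'recon command (whoami/id)' },
  { re: /\/etc\/passwd/, weight: 2, label: 'read of /etc/passwd' },
  { re: /(?:>>?|tee|touch)\s*\/tmp\/\S+/, weight: 2, label: 'file written under /tmp/' },
];

function severity(score) {
  if (score >= 4) return 'high';
  if (score >= 2) return 'medium';
  return 'none';
}

function triageHttp(rec) {
  const reasons = [];
  let score = 0;
  const actor = KNOWN_ATTACKER_IPS[rec.src_ip];
  if (actor) { score += 3; reasons.push(`source ${rec.src_ip} attributed to ${actor}`); }

  const headerNames = Object.keys(rec.headers || {}).map((h) => h.toLowerCase());
  const actionHeaders = RSC_HEADERS.filter((h) => headerNames.includes(h));
  const body = rec.body || '';

  let payloadHits = 0;
  for (const { re, weight, label } of PAYLOAD_PATTERNS) {
    if (re.test(body)) { payloadHits += 1; score += weight; reasons.push(label); }
  }
  if (actionHeaders.length && payloadHits) {
    score += 1;
    reasons.push(`action header ${actionHeaders.join(',')} combined with exploit-style payload`);
  }
  for (const { re, weight, label } of BODY_POST_EXPLOIT) {
    if (re.test(body)) { score += weight; reasons.push(label); }
  }
  return { ts: rec.ts, kind: 'http', src_ip: rec.src_ip, path: rec.path, score, severity: severity(score), reasons };
}

function triageExec(rec) {
  const reasons = [];
  let score = 0;
  const cmd = rec.cmdline || '';
  // A Node/Next.js server process spawning a shell is the shape of RCE post-exploitation.
  if (/^(?:node|next-server)$/.test(rec.parent || '') && /^(?:\/(?:usr\/)?bin\/)?(?:ba|da)?sh\s+-c\b/.test(cmd)) {
    score += 2;
    reasons.push(`${rec.parent} spawned a shell`);
  }
  for (const { re, weight, label } of EXEC_PATTERNS) {
    if (re.test(cmd)) { score += weight; reasons.push(label); }
  }
  return { ts: rec.ts, kind: 'exec', host: rec.host, score, severity: severity(score), reasons };
}

function triage(records) {
  return records
    .map((r) => (r.kind === 'exec' ? triageExec(r) : triageHttp(r)))
    .filter((a) => a.severity !== 'none');
}

// Constructed samples: one legitimate Server Action, two exploit attempts, one
// host event from the same window, one unrelated health check.
const SAMPLE_RECORDS = [
  { kind: 'http', ts: '2025-12-04T02:11:09Z', src_ip: '203.0.113.10', method: 'POST', path: '/dashboard',
    headers: { 'next-action': 'a1b2c3d4', 'content-type': 'text/plain;charset=UTF-8' },
    body: '[{"page":2,"sort":"desc"}]' },
  { kind: 'http', ts: '2025-12-04T02:13:41Z', src_ip: '206.237.3.150', method: 'POST', path: '/',
    headers: { 'Next-Action': 'x', 'content-type': 'multipart/form-data; boundary=----b' },
    body: '------b\r\nContent-Disposition: form-data; name="0"\r\n\r\n{"status":"resolved_model","value":"$@1"}\r\n------b--' },
  { kind: 'http', ts: '2025-12-04T02:14:02Z', src_ip: '198.51.100.7', method: 'POST', path: '/',
    headers: { 'rsc-action-id': 'y' }, body: '[{"$@":"probe"}]' },
  { kind: 'exec', ts: '2025-12-04T02:13:43Z', host: 'web-03', user: 'node', parent: 'node',
    cmdline: 'sh -c "id; whoami; cat /etc/passwd; echo pwned > /tmp/pwned.txt"' },
  { kind: 'http', ts: '2025-12-04T02:15:00Z', src_ip: '192.0.2.55', method: 'GET', path: '/healthz', headers: {}, body: '' },
];

for (const a of triage(SAMPLE_RECORDS)) {
  console.log(`${a.severity.toUpperCase().padEnd(6)} ${a.ts} ${a.kind} ${a.src_ip || a.host}: ${a.reasons.join('; ')}`);
}
```

Run over the window back to November 29, 2025, a "high" from a request record is a candidate incident, a "medium" is a scan to correlate with host telemetry, and the legitimate Server Action in the sample scores nothing despite carrying the next-action header.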
How TPRM professionals can leverage Black Kite for React2Shell
Black Kite’s React2Shell FocusTag empowers TPRM teams to:
- Identify vendors running RSC-enabled React or Next.js services
- Detect exposed assets (IP addresses, subdomains) linked to RSC-based deployments
- Understand ecosystem-level exposure—including frameworks like Waku, Redwood SDK, Vite RSC, and Parcel RSC
- Prioritize outreach to vendors with verified production exposure
- Track vendor patching over time as exploitation continues to evolve
- Reduce noise by focusing only on vendors where RSC is enabled and exploitable
For customers, this transforms one of the year’s most severe supply-chain vulnerabilities into a structured, manageable TPRM workflow.
![React2Shell [Suspected]](/_next/image?url=%2Fapi%2Fmedia%2Ffile%2F1_React2Shell%2520%255BSuspected%255D-1-1926x1708.png&w=3840&q=85)
Black Kite’s React2Shell FocusTag™ details critical insights on the event for TPRM professionals.
Mixpanel Clients (Potential impact due to Mixpanel data exposure)
What happened in the Mixpanel incident?
Mixpanel detected the campaign, an SMS phishing (smishing) attack against its employees, on November 8, 2025. The incident highlights the supply-chain risk in which a vendor's internal breach directly exposes its customers' user data.
Threat actors gained unauthorized access to Mixpanel's internal environment via compromised employee accounts. Mixpanel has since secured the affected accounts and blocked the malicious IPs, but before containment the attackers exported specific datasets belonging to a limited number of customers.
The exposed data includes user profile information commonly tracked in analytics projects: names, email addresses, approximate locations (derived from IP address), device/browser telemetry, and referring URLs. Passwords and payment information are not reported to be part of the exported data; the exposure is to the metadata and contact details of end users.
This is a third-party data breach resulting from social engineering. The attackers did not exploit a vulnerability in customers' systems; they used compromised employee access to the vendor's infrastructure to export data. Any organization that uses Mixpanel should assume that its user analytics data, or internal employee data if it is tracked, may have been part of the exposed datasets.
Why Should TPRM Professionals Care About This Incident?
This incident is critical because it exemplifies how a vendor’s internal security failure (compromised employee accounts) can lead to a third-party supply-chain breach, directly impacting customer data.
Since the exposed data included user metadata and contact details, downstream organizations using Mixpanel face an increased risk of targeted spear-phishing and social engineering attacks against their employees and end-users.
The incident underscores that TPRM assessments must prioritize not just technical vulnerabilities (like CVEs), but also the vendor's internal security hygiene and data minimization practices.
What Questions Should TPRM Professionals Ask Vendors About The Incident?
Vendors using Mixpanel should be asked:
- Did you have an active Mixpanel "Project" or organization whose data was confirmed by Mixpanel to be part of the exfiltrated datasets?
- Have you instructed your teams and end-users to be hyper-vigilant against emails referencing "support" or "account updates" following the breach?
- Have you reviewed the data being sent to Mixpanel to ensure that PII sharing is strictly minimized to what is necessary for analytics?
- Is Multi-Factor Authentication (MFA) strictly enforced for all administrative accounts accessing the Mixpanel dashboard?
- Have you reviewed Mixpanel's "Project Settings" and "Access Logs" for any unusual export activities or new API credentials generated around early November 2025?
Remediation recommendations for vendors subject to this risk
Vendors that may have been exposed should:
- Reach out to your Mixpanel account representative immediately to confirm if your specific "Project" or organization's data was included in the exfiltrated datasets.
- Inform your internal teams and end-users (if their data was stored in Mixpanel) to be hyper-vigilant against emails appearing to come from your organization or Mixpanel, especially those referencing "support" or "account updates."
- Review the data currently being sent to Mixpanel. Ensure you are minimizing the sharing of PII (Personally Identifiable Information) solely to what is strictly necessary for analytics.
- Ensure Multi-Factor Authentication (MFA) is strictly enforced for all administrative accounts accessing the Mixpanel dashboard to prevent any potential lateral movement.
- Check Mixpanel's "Project Settings" and "Access Logs" (if available on your plan) for any unusual export activities or new API credentials generated around early November 2025.
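The data-minimization items above (review what is sent, share only what analytics needs) are easiest to enforce in code rather than by periodic review. The wrapper below is an added example, not code from this post, Black Kite, or Mixpanel: it applies an allow-list of event properties, strips query strings and fragments from URL-valued properties (referring URLs were among the exposed fields, and query strings routinely carry tokens and e-mail addresses), drops any value that looks like an e-mail address even under an allowed key, and refuses an e-mail address as distinct_id. The SDK call is injected (sendToMixpanel) so it runs offline; the property names, allow-list, and sample event are constructed for illustration.

```javascript
// Added example (not from the post, Black Kite or Mixpanel): enforce data
// minimization in code before an event reaches the analytics SDK. The SDK call
// is injected (sendToMixpanel) so this runs offline; property names, the
// allow-list and the sample event are constructed for illustration.

// Only these event properties may leave the application.
const ALLOWED_PROPS = new Set(['plan', 'feature', 'page', 'referrer', 'duration_ms', 'outcome']);
// Properties whose values are URLs: keep origin + path, drop query and fragment.
const URL_PROPS = new Set(['page', 'referrer']);
const EMAIL_RE = /[^\s@"'<>]+@[^\s@"'<>]+\.[^\s@"'<>]+/;

// Query strings and fragments routinely carry tokens, search terms and
// e-mail addresses; referring URLs were among the exposed Mixpanel fields.
function scrubUrl(value) {
  try {
    const u = new URL(String(value));
    return `${u.origin}${u.pathname}`;
  } catch {
    return null;           // not a parseable URL: drop rather than guess
  }
}

// Returns the properties that may be sent plus the names that were dropped,
// so the decision is auditable in application logs.
function sanitizeProps(props) {
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(props || {})) {
    if (!ALLOWED_PROPS.has(key)) { dropped.push(key); continue; }
    if (URL_PROPS.has(key)) {
      const scrubbed = scrubUrl(value);
      if (scrubbed === null) { dropped.push(key); continue; }
      clean[key] = scrubbed;
      continue;
    }
    // An allowed key can still carry an e-mail address by mistake.
    if (typeof value === 'string' && EMAIL_RE.test(value)) { dropped.push(key); continue; }
    clean[key] = value;
  }
  return { clean, dropped };
}

function buildEvent(name, props, distinctId) {
  // distinct_id must be an opaque internal identifier, never an e-mail address.
  if (typeof distinctId !== 'string' || EMAIL_RE.test(distinctId)) {
    throw new Error('distinct_id must be an opaque internal id, not an e-mail address');
  }
  const { clean, dropped } = sanitizeProps(props);
  return { event: name, distinct_id: distinctId, properties: clean, dropped };
}

// sendToMixpanel stands in for mixpanel.track(event, properties).
function track(sendToMixpanel, name, props, distinctId) {
  const ev = buildEvent(name, props, distinctId);
  sendToMixpanel(ev.event, { distinct_id: ev.distinct_id, ...ev.properties });
  return ev;
}

// Constructed sample event as an application might emit it before minimization.
const SAMPLE_PROPS = {
  plan: 'enterprise',
  feature: 'csv_export',
  page: 'https://app.example.com/reports/42?email=alice@example.com&token=abc123',
  referrer: 'https://mail.example.com/inbox#msg-17',
  email: 'alice@example.com',
  full_name: 'Alice Example',
  outcome: 'ok',
};

function runSample() {
  const sent = [];
  const ev = track((event, properties) => sent.push({ event, properties }), 'report_exported', SAMPLE_PROPS, 'usr_8f2c9e');
  return { ev, sent };
}

console.log(JSON.stringify(runSample(), null, 2));
```

In the browser the same wrapper sits in front of mixpanel.track, and the allow-list should be applied to mixpanel.people.set as well, since profile properties were the exposed category. Approximate location is derived by the vendor from the client IP; if it is not needed, disable IP-based geolocation at initialization (the mixpanel-browser init option ip: false) so that field is never created.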
How TPRM professionals can leverage Black Kite for this incident
Black Kite’s "Mixpanel Client" FocusTag enables TPRM teams to quickly identify which vendors in their ecosystem are likely to have an active or historical Mixpanel integration.
The tag combines multiple intelligence sources — such as Mixpanel’s public customer references, Black Kite’s big-data analytics, external records, and subdomain-level indicators — to flag organizations associated with Mixpanel.
Through this FocusTag, TPRM teams can:
- Quickly identify potentially affected vendors and ask them to confirm with Mixpanel whether their data was included in the exported datasets.
- Verify that vendors enforce Multi-Factor Authentication (MFA) on all administrative accounts accessing the Mixpanel dashboard.
- Review and confirm that vendors are minimizing the PII shared with Mixpanel to only what is strictly necessary for analytics.
- Instruct vendors to review Mixpanel Access Logs and project settings for any unauthorized export activities or credential changes around early November 2025.
- Ensure vendors are prepared to inform users and employees, advising vigilance against phishing attempts using the exposed metadata.
Enhancing TPRM Programs With Black Kite's FOCUSTAGS™
Managing third-party cyber risk becomes increasingly complex when incidents range from critical RCE vulnerabilities in widely deployed frameworks to supply-chain breaches inside analytics platforms. This week’s focus on React2Shell and Mixpanel highlights how different threat vectors can converge on the same outcome: increased exposure across your vendor landscape.
Black Kite’s FocusTags™ simplify this complexity by transforming scattered incident data into structured, actionable intelligence. With these tags, TPRM teams can:
Identify Exposure with Precision
FocusTags pinpoint exactly which vendors in your ecosystem are connected to affected technologies — whether it’s an RSC-enabled web platform or a vendor integrating Mixpanel into their products. This allows teams to focus effort where it is genuinely needed, rather than contacting every vendor in the portfolio.
Accelerate Risk-Based Prioritization
By correlating vendor criticality, technology usage, and incident severity, FocusTags help you prioritize which vendor relationships require immediate follow-up, which can be monitored, and where deeper assessments may be warranted.
Strengthen Vendor Engagement with Targeted Questions
FocusTags provide context-aware intelligence, enabling TPRM professionals to ask relevant, specific questions about patch status, dependency usage, access logs, or data handling practices — rather than sending broad questionnaires that burden vendors and slow down response cycles.
Gain Asset-Level Visibility for Real Decision-Making
A major differentiator of Black Kite’s FocusTags is the inclusion of asset-level intelligence, such as IP addresses and subdomains associated with at-risk components or services. This helps teams distinguish between theoretical exposure and confirmed real-world risk.
Support Continuous Monitoring as Threats Evolve
Whether new patches emerge for the RSC vulnerability or Mixpanel provides updated breach notifications, FocusTags evolve alongside the incident. This ensures your TPRM program stays aligned with the latest intelligence without restarting the evaluation process from scratch.
Black Kite’s FocusTags™ empower organizations to transform complex incidents — such as this week’s RSC remote code execution flaw and the Mixpanel data exposure event — into clear, actionable steps for vendor oversight. By combining technological insight with TPRM-specific intelligence, FocusTags strengthen your ability to manage third-party cyber risk efficiently, proactively, and with confidence.
About Focus Friday
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTags™ in the Last 30 Days:
- React2Shell : CVE-2025-55182, Remote Code Execution Vulnerability in React Server Components.
- Mixpanel Clients : Assessing the Potential Impact of Client Data Exposure in Mixpanel.
- SonicWall SSL VPN – Nov2025 : CVE-2025-40601, Pre-Authentication Stack-Based Buffer Overflow Vulnerability in SonicWall SonicOS SSLVPN Service Leading to Denial of Service.
- Grafana Enterprise – Nov2025 : CVE-2025-41115, Incorrect Privilege Assignment Vulnerability Allowing Privilege Escalation and User Impersonation via SCIM Provisioning in Grafana Enterprise.
- Apache SkyWalking : CVE-2025-54057, Stored Cross-Site Scripting (XSS) Vulnerability Allowing Persistent Script Injection in Apache SkyWalking Monitoring Dashboards.
- Gainsight Client – Nov2025 : Integration-Token Abuse Incident, Unauthorized Access and Potential Data Exfiltration Through Compromised OAuth Tokens in Gainsight–Salesforce Connected Applications.
- FortiWeb [Suspected] : CVE-2025-64446, CVE-2025-58034, Authentication Bypass Vulnerability, Path Traversal Vulnerability, OS Command Injection Vulnerability in Fortinet FortiWeb Web Application Firewall.
- SolarWinds Serv-U - Nov2025 : CVE-2025-40547, CVE-2025-40548, CVE-2025-40549, Logic Error Vulnerability, Improper Authorization Vulnerability, Path Traversal Vulnerability, Remote Code Execution Vulnerabilities in SolarWinds Serv-U.
- OAuth2 Proxy : CVE-2025-64484, Improper Neutralization Of HTTP Headers For Scripting Syntax Vulnerability, Header Smuggling Vulnerability, Potential Privilege Escalation Vulnerability in OAuth2 Proxy.
- pgAdmin - Nov2025 : CVE-2025-12762, CVE-2025-12763, CVE-2025-12764, CVE-2025-12765, Remote Code Execution Vulnerability, Command Injection Vulnerability, LDAP Injection Vulnerability, TLS Certificate Verification Bypass Vulnerability in pgAdmin.
- W3 Total Cache - Nov2025 : CVE-2025-9501, Command Injection Vulnerability, Remote Code Execution Vulnerability in W3 Total Cache WordPress Plugin.
- Microsoft SharePoint - Nov2025 : CVE-2025-62204, Deserialization of Untrusted Data Vulnerability, Remote Code Execution Vulnerability in Microsoft Office SharePoint.
- MSSQL - Nov2025 : CVE-2025-59499, Improper Neutralization of Special Elements in SQL Commands, SQL Injection Vulnerability, Privilege Escalation Vulnerability in Microsoft SQL Server.
- Elastic Kibana - Nov2025 : CVE-2025-37734, CVE-2025-59840, Server-Side Request Forgery (SSRF) Vulnerability, DOM-based Cross-site Scripting (XSS) Vulnerability, Improper Input Validation Vulnerability in Elastic Kibana.
- Django - Nov2025 : CVE-2025-59681, CVE-2025-59682, SQL Injection Vulnerability, Directory Traversal Vulnerability, Improper Input Sanitization Vulnerability in Django Web Framework.
- Open WebUI - Nov2025 : CVE-2025-64495, Stored DOM XSS Vulnerability, Account Takeover Vulnerability, Remote Code Execution Vulnerability in Open WebUI.
- MOVEit - Oct2025 : CVE-2025-10932, Uncontrolled Resource Consumption Vulnerability, Denial of Service Vulnerability in Progress MOVEit Transfer.
- Redis - Nov2025 : CVE-2025-62507, Improper Input Validation Vulnerability, Stack-based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability in Redis.
- Control Web Panel (CWP) : CVE-2025-48703, Remote Code Execution Vulnerability, OS Command Injection Vulnerability in CentOS Control Web Panel.
- DNN Software - Oct2025 : CVE-2025-64095, Improper Access Control Vulnerability, Unrestricted Upload of File Vulnerability, Arbitrary File Write Vulnerability, Remote Code Execution Vulnerability, Cross-site Scripting Vulnerability in DNN Software.
- XWiki Platform : CVE-2025-24893, Remote Code Execution Vulnerability in XWiki Platform.
- MikroTik RouterOS & SwOS : CVE-2025-61481, Arbitrary Code Execution Vulnerability, Man-in-the-Middle (MITM) Attack Vulnerability in MikroTik RouterOS & SwOS.
- Apache Tomcat - Oct2025 : CVE-2025-55752, CVE-2025-55754, CVE-2025-61795, Remote Code Execution, Authorization Bypass, Path Traversal, File Upload, Improper Neutralization of Escape, Meta, or Control Sequences, Improper Resource Shutdown or Release, Improper Input Validation, Authentication Bypass, Denial of Service Vulnerabilities in Apache Tomcat.
See Black Kite’s full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag™ at https://blackkite.com/cve-database/.
References
https://nextjs.org/blog/CVE-2025-66478
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://mixpanel.com/blog/sms-security-incident/
https://www.securityweek.com/mixpanel-hack-exposes-customer-data/