The “Play” ransomware group has integrated the critical “React2Shell” vulnerability (CVE-2025-55182) into its automated attack toolkit. Security firms report a spike in Play ransomware infections targeting organizations running unpatched Next.js and React applications, with intrusions moving from initial access to full encryption in under 4 hours.
Business Impact
This marks the shift of React2Shell from a targeted espionage tool to a mass-crime weapon. Organizations that delayed patching their web frontends are now facing immediate operational shutdown and extortion demands. The speed of the attack leaves little time for manual intervention.
Why It Happened
Criminal groups adopt effective exploits rapidly. The public availability of Proof-of-Concept (PoC) code for React2Shell allowed Play’s developers to weaponize it quickly, targeting the widespread attack surface of modern web apps.
Recommended Executive Action
If you haven’t patched React/Next.js yet, assume your web servers are compromised. Isolate them from the core network immediately and initiate incident response procedures to check for web shells or lateral movement.
