Chapter 1: The Brick Wall

For three days, I'd been staring at target.com like it was a vault with no key.

My Cherry Tree notes on Kali Linux told a frustrating story:


Target: target.com
Tech Stack Found:
- React.js (detected via Wappalyzer)
- Next.js framework
- Custom API endpoints
- Cloudflare protection
Vulnerabilities Tested:
✓ XSS attempts - mitigated
✓ SQLi payloads - blocked
✓ CSRF attempts - invalid
✓ IDOR hunting - no luck
× Something... anything?

Status: Hitting a wall.

Every ethical hacker knows this feeling—the target is right there, you can almost taste it, but every door is locked, every window barred. I was about to call it a night when my phone buzzed.

Chapter 2: The Blue Light Revelation

11:37 PM. The BleepingComputer notification glowed in the dark:

CRITICAL: React2Shell (CVE-2025-55182)
Max-severity RCE in React/Next.js
Unauthenticated exploitation
Already being weaponized

My eyes widened. React. Next.js. My target was made of these.

I wasn't scrolling news—I was receiving a cheat code.

Chapter 3: The 45-Minute Miracle

11:40 PM: I abandoned my failed payloads. The old methods didn't matter anymore. This was a fresh battlefield.

11:45 PM: GitHub search → "React2Shell PoC" → Found it. Lachlan Davidson's original report. The AWS warning about Earth Lamia already exploiting it. This wasn't theoretical—it was actively burning.

11:50 PM: Local lab setup. I spun up a vulnerable Next.js instance faster than I've ever done anything. My fingers flew:


# No Shodan needed
# No mass scanning
# Just me and the target I already knew
git clone https://github.com/researcher/react2shell-poc
cd react2shell-poc

12:05 AM: The PoC worked in my lab. The elegance was terrifying: React Server Components accepting malicious serialized objects, turning server-side rendering into server-side owning.

12:10 AM: The moment of truth. I crafted my payload—not for destruction, but for proof:


// Not the actual exploit - but the concept
const maliciousFlight = {
  type: 'flight',
  // Serialized attack payload
  // In vulnerable versions: executes on server
  // In patched versions: rejected
}

12:15 AM: I targeted target.com's API endpoints. The ones I'd mapped for days. The ones that had rejected everything I'd thrown at them.

12:17 AM: The server responded differently this time. Not a 403. Not a 400. A different kind of error. The beautiful, terrible error that says: "You found it."

Chapter 4: The Delicate Dance

I had RCE. Complete server control. I could have run whoami. I could have read /etc/passwd. I could have... anything.

But here's what separates us from Earth Lamia: We stop when we prove the point.

I executed nothing. I accessed nothing. I created a single, harmless file:

/tmp/react2shell_proof_[timestamp].txt

Contents: "This system is vulnerable to CVE-2025-55182. Please patch immediately."

I didn't even read the file back. The file creation response was proof enough.

Chapter 5: The Report That Mattered

1:30 AM: I wasn't just writing a bug report. I was writing a danger notice.


Subject: CRITICAL URGENT: Unauthenticated RCE via React2Shell (CVE-2025-55182) in Production

Summary:
At approximately 12:17 AM, I discovered that target.com's Next.js implementation is vulnerable to React2Shell, allowing unauthenticated attackers to execute arbitrary code on your servers. China-linked threat groups are already actively exploiting this vulnerability across the internet.

Steps to Reproduce:

1. Target your Next.js API endpoint: POST /api/flight
2. Send malicious serialized Flight protocol payload (provided in PoC)
3. Observe server executing arbitrary commands
4. Note: I only proved file creation, no data accessed

Proof of Concept:


POST /api/flight HTTP/1.1
Host: target.com
Content-Type: application/json

[malicious serialized payload demonstrating RCE]


Full exploit withheld for security - available upon request

Impact Analysis:
CRITICAL RISK - CVSS 10.0

· Complete server compromise
· Data exfiltration potential
· Lateral movement to internal networks
· Reputational damage
· Regulatory compliance violations

Immediate Threat:

· Earth Lamia group already exploiting
· No authentication required
· Default configuration vulnerable
· Patch available but not applied

Resolution:

1. IMMEDIATE: Update Next.js to version 15.3.1+
2. TODAY: Apply React security patches
3. WITHIN 24 HOURS: Scan all React/Next.js instances
4. MONITORING: Watch for exploit attempts in logs

References:

· CVE-2025-55182 (React2Shell)
· AWS Threat Intelligence: Active China-linked exploitation
· BleepingComputer: Critical vulnerability alert
· Next.js security advisory: [link]

Ethical Notes:

· No data accessed or exfiltrated
· Only proved vulnerability existence
· Immediate disclosure upon discovery
· Willing to assist with patching verification
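As an added example (not the author's tooling and not part of the report above), here is a script for the "scan all React/Next.js instances" step: it walks a directory of checked-out apps and flags every package-lock.json whose installed Next.js is below the 15.3.1 floor the report states. The floor, the lockfile layout it reads and the two sample lockfiles are assumptions made for the example.

```python
"""Flag Next.js installs below the minimum fixed version stated in the report."""
import json
import re
from pathlib import Path

# Floor taken from the report's resolution step (assumption: treat it as the authoritative
# fixed version; React itself is not tracked here).
MIN_FIXED = {"next": "15.3.1"}

def parse_version(spec):
    """Turn '15.2.4', '^15.2.4' or '15.3.1-canary.2' into a comparable tuple (prerelease
    tags are ignored), or None when the string carries no x.y.z version at all."""
    m = re.match(r"[^\d]*(\d+)\.(\d+)\.(\d+)", spec)
    return tuple(int(x) for x in m.groups()) if m else None

def find_installed(lock):
    """Yield (name, version) for tracked packages in a parsed package-lock.json.
    Lockfile v2/v3 keys 'packages' by path (node_modules/next, possibly nested);
    lockfile v1 keys top-level 'dependencies' by name."""
    for path, meta in (lock.get("packages") or {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in MIN_FIXED and "version" in meta:
            yield name, meta["version"]
    for name, meta in (lock.get("dependencies") or {}).items():
        if name in MIN_FIXED and "version" in meta:
            yield name, meta["version"]

def vulnerable_packages(lock_text):
    """Return [(name, installed, floor)] for every tracked package below its floor.
    An unparseable version is reported too, so odd pins get a human look."""
    findings = []
    for name, version in find_installed(json.loads(lock_text)):
        installed, floor = parse_version(version), parse_version(MIN_FIXED[name])
        if installed is None or installed < floor:
            findings.append((name, version, MIN_FIXED[name]))
    return findings

def scan_tree(root):
    """Map each package-lock.json under root to its findings (empty list = clean)."""
    return {str(p): vulnerable_packages(p.read_text())
            for p in Path(root).rglob("package-lock.json")}

# Constructed sample lockfiles (not from any real project).
OLD_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {}, "node_modules/next": {"version": "15.2.4"},
    "node_modules/react": {"version": "19.1.0"}}})
NEW_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/next": {"version": "15.3.1"}}})

if __name__ == "__main__":
    print(vulnerable_packages(OLD_LOCK))  # [('next', '15.2.4', '15.3.1')]
    print(vulnerable_packages(NEW_LOCK))  # []
```

Run it as `scan_tree("/path/to/apps")` against a directory of cloned repositories to get one finding list per lockfile.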

Chapter 6: The Morning After

8:15 AM: Response from target.com's security team:

"We've been patching since 6 AM. Your report came 6 hours before our scheduled security standup. You may have saved us from a major breach. We'll process your bounty immediately."

3 Days Later:

· Bounty: $10,000 (their maximum critical severity award)
· Status: Added to their private researcher program
· Patch: Deployed across all environments
· Gratitude: CISO personally thanked me

But the real reward was in the CISO's follow-up:

"We had no idea we were vulnerable. Our scanners didn't pick it up. Our monitoring didn't alert. A news notification in your hands became our early warning system."

The Real Lesson: Context Over Scanning

What I learned:

1. Depth beats breadth: Knowing one target deeply is better than scanning a thousand shallowly
2. Persistence creates opportunity: Those three days of reconnaissance weren't wasted—they created the context for the breakthrough
3. News is a weapon (for defense): Security feeds aren't just information—they're tools
4. Timing is everything: The window between vulnerability disclosure and patching is where researchers add maximum value
5. Restraint is power: Having RCE and choosing not to use it is the ultimate ethical flex

Your Toolkit for Next Time

1. Wappalyzer + Cherry Tree = Target memory
2. Security feeds = Opportunity radar
3. Local lab = Safe testing ground
4. Ethical boundary = Professional integrity
5. Clear reporting = Maximum impact

The Epiphany Continues

Tonight, as I update my Cherry Tree notes:

Target: target.com
Status: PATCHED
Vulnerability: React2Shell (CVE-2025-55182)
Outcome: $10,000 bounty + systems secured
Lesson: Sometimes the answer comes when you stop looking at the target and start listening to the world around it.

The next critical CVE will drop. Another notification will glow in another dark room. Another researcher will connect dots that nobody else sees.

Will it be you?