This study addresses the absence of empirical evidence regarding the real-world exploitation of React2Shell, a critical remote code execution vulnerability in React Server Components, at internet scale. By leveraging active network telescope traffic and designing a deterministic detection methodology, this work presents the first large-scale quantitative characterization of exploitation activities targeting this vulnerability. The analysis reveals an immediate surge in automated scanning following public disclosure, identifying thousands of distinct scanners distributed across multiple geographic regions and autonomous systems. Furthermore, the investigation uncovers a highly centralized attack infrastructure underlying these seemingly distributed scans, elucidating the coordination mechanism between decentralized scanning activity and centralized command-and-control operations.

The increasing adoption of server-side component-based web frameworks has introduced new application-layer attack surfaces that remain insufficiently understood at Internet scale. On 3 December 2025, a critical remote code execution vulnerability (CVE-2025-55182) in React Server Components, referred to as React2Shell, was publicly disclosed and subsequently observed being exploited in the wild. Despite its critical severity and a CVSS base score of 10.0, there is limited empirical understanding of how this vulnerability is exploited across the Internet. This paper presents the first Internet-scale measurement study of React2Shell exploitation activity using traffic collected from an Active Network Telescope. We developed a deterministic detection methodology that identifies exploitation attempts targeting endpoints implementing React Server components. It helped analyze exploitation traffic to characterize its temporal evolution, geographic and autonomous system-level distribution, and behavioral properties of the observed scanning activity. In addition, exploit payloads are examined to understand the attacker infrastructure and delivery mechanisms. The analysis reported rapid post-disclosure exploitation activity exhibiting patterns consistent with automated scanning campaigns, geographically distributed scanners, and concentrated backend infrastructure. To the best of our knowledge, this work provides the first quantitative characterization of React2Shell-triggered scanning activity, including the number of distinct scanners, their geographic and autonomous system distribution, and the scale of backend infrastructure involved in exploitation attempts.