CVE-2025-55182 (React2Shell): Targeted Exploitation Campaign Against FortiWeb Appliances Using Sliver C2
Key Takeaways:
- Active exploitation of CVE-2025-55182 (React2Shell) is targeting FortiWeb appliances to achieve initial Remote Code Execution (RCE).
- Threat actors are deploying the Sliver C2 framework and using Fast Reverse Proxy (FRP) to bypass inbound firewall rules.
- The campaign exhibits specific geopolitical targeting, focused primarily on South Asian government and financial sectors.
- The inherent visibility gap on edge appliances makes detecting these masqueraded processes (like cups-lpd) extremely difficult without specialized monitoring.
Table of Contents:
- “Sliver” in the Stack: Exposed Logs Reveal Targeted FortiWeb Exploitation Campaign
- Technical Analysis of CVE-2025-55182 and React2Shell
- Persistence and Stealth Mechanisms
- Geopolitical Targeting and Victimology
- The Visibility Gap in Edge Appliances
- Strategic Context and Infrastructure
- Practical Takeaways for Technical Teams
- Practical Takeaways for Business Leaders
- How PurpleOps Addresses These Threats
- Frequently Asked Questions
“Sliver” in the Stack: Exposed Logs Reveal Targeted FortiWeb Exploitation Campaign
Technical analysis of recent network logs and exposed databases reveals an active exploitation campaign targeting FortiWeb web application firewalls. Identified by threat researcher c0baltstrik3d, the operation utilizes a combination of the Sliver Command and Control (C2) framework and the React2Shell vulnerability, tracked as CVE-2025-55182. This activity, which occurred primarily between December 22 and December 30, 2025, successfully compromised at least 30 unique victim environments within an eight-day window.
The campaign demonstrates a focus on persistence within edge appliances, a category of hardware often characterized by limited visibility and lack of traditional endpoint detection and response (EDR) capabilities. By targeting FortiWeb devices, the threat actors gain a strategic foothold at the perimeter, allowing for subsequent lateral movement or data exfiltration. The use of a cyber threat intelligence platform is essential for identifying such patterns before they escalate into full-scale breaches.
Technical Analysis of CVE-2025-55182 and React2Shell
The primary entry point for this campaign involves the exploitation of CVE-2025-55182, also known as React2Shell. While specific Proof of Concept (PoC) details for the FortiWeb implementation of this exploit are often closely guarded by threat actors, the analysis of victim databases and server logs confirms its effectiveness. React2Shell allows for remote code execution (RCE) on the target appliance, providing the attacker with initial access at a high privilege level.
Once the initial breach is achieved, the attackers deploy the Sliver C2 framework. Sliver is an open-source, cross-platform implant framework that provides features similar to Cobalt Strike but with different signatures and communication protocols. The choice of Sliver suggests an intent to evade detection systems optimized for more common commercial C2 tools. Integrating a live ransomware API and real-time ransomware intelligence into a security stack can assist in identifying the transition from initial access to the deployment of such frameworks, which are frequently precursors to extortion events.
Persistence and Stealth Mechanisms
The threat actor employed several methods to maintain access and mask their presence on the compromised FortiWeb devices.
Fast Reverse Proxy (FRP) Deployment
Attackers utilized Fast Reverse Proxy (FRP) to expose local services on the victim hosts to the internet. By setting up a reverse proxy, the attackers can bypass inbound firewall rules, as the connection is initiated from within the internal network to a remote server controlled by the adversary. This allows for persistent remote management of the compromised appliance without needing to maintain a direct, exposed listener on the FortiWeb device itself.
Masquerading via Microsocks
To further hide their activity, the group deployed a tool called microsocks. In a tactical move designed to deceive network administrators and automated scanners, the binary was renamed to cups-lpd. The attackers then bound this process to port 515. Port 515 is traditionally associated with the Line Printer Daemon (LPD) used by the Common Unix Printing System (CUPS).
This masquerading technique aims to make malicious proxy traffic appear as legitimate internal printing communication. In environments where edge appliances are not strictly monitored for process anomalies, such a change might go unnoticed for extended periods. This emphasizes the need for a comprehensive dark web monitoring service and underground forum intelligence to track the tradecraft being shared among actors who specialize in edge-device exploitation.
Geopolitical Targeting and Victimology
Data recovered from the attackers’ infrastructure indicates a specific geopolitical focus. Command and Control (C2) domains, such as ns1.bafairforce[.]army, were found to host decoy pages. One specific decoy impersonated the “Join Bangladesh Airforce” recruitment portal. This type of infrastructure setup is a clear indicator of targeted operations rather than opportunistic scanning.
Victim analysis reveals that the campaign targeted organizations in:
- Bangladesh: High concentration of government and financial sector targets.
- Pakistan: Additional targets identified within similar critical infrastructure sectors.
The use of specific regional themes suggests the threat actor possesses localized knowledge and is likely conducting espionage or disruptive activities directed at South Asian government entities. Utilizing telegram threat monitoring can provide early warnings of such localized campaigns, as many regional threat groups coordinate or leak data through encrypted messaging channels.
The Visibility Gap in Edge Appliances
A significant challenge in detecting this campaign is the inherent nature of edge appliances like FortiWeb. Unlike traditional servers or workstations, these devices often run on proprietary or stripped-down versions of Linux/Unix. Consequently, they rarely support the installation of third-party security agents like EDR or Antivirus (AV).
This creates a “blind spot” in corporate visibility. When an attacker exploits a vulnerability like CVE-2025-55182, they operate in a space where telemetry is limited to basic system logs, logs that the attacker can often modify or delete if they gain root access. Organizations must rely on external breach detection methods and network-level analysis to identify anomalies, such as unexpected FRP traffic or unusual port 515 activity.
Strategic Context and Infrastructure
The infrastructure used in this campaign was identified through routine open-directory threat hunting. The fact that logs and databases were exposed suggests that while the attackers are technically proficient in exploitation, their operational security (OPSEC) regarding their own C2 infrastructure was flawed.
However, the speed at which 30 victims were onboarded (less than ten days) indicates a high level of automation in their scanning and exploitation pipeline. This highlights the necessity for supply-chain risk monitoring, as edge appliances form a critical link in the security supply chain for most enterprises. If the management interface of a WAF is compromised, the security of every application behind it is jeopardized.
Furthermore, the impersonation of a military recruitment site points toward a broader strategy involving social engineering or credential harvesting, necessitating brand leak alerting to protect organizational reputation and prevent the use of look-alike domains for malicious purposes.
Practical Takeaways for Technical Teams
For engineers and security operations center (SOC) analysts, the following technical actions are recommended to address the risks associated with CVE-2025-55182 and similar campaigns:
- Log Analysis for Edge Devices: Prioritize the ingestion of syslog data from FortiWeb and other edge appliances into a centralized SIEM. Look for execution of unauthorized binaries or unusual shell activity.
- Network Profiling: Monitor for outbound connections on non-standard ports or known proxy ports. Specifically, inspect traffic on port 515 to ensure it originates from authorized print servers.
- Audit Listening Processes: Regularly audit listening ports on appliances. The presence of cups-lpd on a device that does not serve a printing function is a high-fidelity indicator of compromise.
- Review FRP Traffic: Inspect network traffic for the characteristic handshake of Fast Reverse Proxy. Block known FRP public relay servers at the egress point.
- Credential Rotation: In the event of a suspected compromise, rotate all credentials managed by or stored on the FortiWeb appliance, including API keys and SSL certificates.
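As an added illustration of the listening-port audit recommended above (and of the cups-lpd masquerade described in the “Masquerading via Microsocks” section), the following script, which is not part of the original report or any PurpleOps tooling, parses `ss -ltnp`-style output and flags the indicators the report calls out. The sample output is constructed, and the check for FRP assumes the operator left the client binary with its default name (frpc); a renamed binary would still be caught only by the port-515 rules.

```python
"""Audit listener output for the port-515 / cups-lpd masquerade and FRP indicators."""
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output; not real appliance telemetry.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   0.0.0.0:515        0.0.0.0:*         users:(("cups-lpd",pid=2231,fd=5))
LISTEN 0      4096   127.0.0.1:7000     0.0.0.0:*         users:(("frpc",pid=2240,fd=7))
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*         users:(("httpd",pid=901,fd=4))
"""

# Matches one LISTEN row and captures local address, port, process name and pid.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)
FRP_PROCESS_NAMES = {"frpc", "frps"}  # default Fast Reverse Proxy binary names


@dataclass(frozen=True)
class Finding:
    pid: int
    process: str
    port: int
    reason: str


def audit_listeners(ss_output: str, host_serves_printing: bool = False) -> list[Finding]:
    """Return findings for listeners that match the campaign's tradecraft."""
    findings: list[Finding] = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or non-LISTEN row
        port, proc, pid = int(m.group(2)), m.group(3), int(m.group(4))
        if port == 515 and not host_serves_printing:
            findings.append(Finding(pid, proc, port, "LPD port 515 open on a host with no printing role"))
        if proc == "cups-lpd":
            # On standard CUPS installs cups-lpd is spawned per connection by inetd/xinetd,
            # so a persistent listener under that name warrants binary path/hash verification.
            findings.append(Finding(pid, proc, port, "persistent cups-lpd listener; verify the binary"))
        if proc in FRP_PROCESS_NAMES:
            findings.append(Finding(pid, proc, port, "Fast Reverse Proxy process present"))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"pid={f.pid} proc={f.process} port={f.port}: {f.reason}")
```

Run it against real output with `ss -ltnp | python3 audit_listeners.py` after replacing the sample with `sys.stdin.read()`, and set `host_serves_printing=True` only for hosts that legitimately run LPD.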
Practical Takeaways for Business Leaders
For executives and decision-makers, the campaign against FortiWeb highlights broader systemic risks:
- Visibility Investment: Recognize that “black box” appliances require external monitoring. Invest in network-layer visibility to compensate for the lack of on-device EDR.
- Geopolitical Risk Assessment: Organizations operating in or near the South Asian region should acknowledge the heightened threat of targeted espionage and adjust their threat models accordingly.
- Patch Management Prioritization: Vulnerabilities in edge devices (like CVE-2025-55182) must be patched with higher priority than internal systems, as they are directly exposed to the internet.
- Third-Party Intelligence: Leverage external intelligence to monitor for mentions of corporate assets in underground forums.
How PurpleOps Addresses These Threats
PurpleOps provides the necessary tools and expertise to defend against sophisticated campaigns targeting edge infrastructure. Through our cyber threat intelligence platform, we offer visibility into emerging vulnerabilities like CVE-2025-55182 before they are widely exploited.
Our services include:
- Dark Web Monitoring: We utilize our dark web monitoring service to track the development of exploits and the sale of access to compromised FortiWeb devices.
- Attack Surface Management: We identify exposed management interfaces and unauthorized proxies like FRP that could lead to a breach.
- Threat Hunting: Our team performs deep analysis of network telemetry to uncover masqueraded processes and C2 communication.
- Real-time Alerting: Through brand leak alerting and telegram threat monitoring, we provide early warning signs of infrastructure being used in targeted geopolitical campaigns.
To secure your perimeter and close the visibility gap on your edge appliances, explore our full suite of services:
- PurpleOps Cyber Threat Intelligence
- Dark Web Monitoring
- Supply Chain Information Security
- Protect Against Ransomware
For more information on how to protect your organization from edge appliance exploitation or to request a review of your current security posture, visit our PurpleOps Solutions or contact our team directly through our platform.
Frequently Asked Questions
What is React2Shell (CVE-2025-55182)?
It is a critical vulnerability affecting FortiWeb appliances that allows attackers to achieve Remote Code Execution (RCE), providing high-level access to the device.
Why are edge appliances targeted in this campaign?
Edge appliances often lack traditional security agents (EDR/AV), creating a “blind spot” where attackers can operate with limited local telemetry.
How do attackers use “cups-lpd” for masquerading?
Attackers rename malicious proxy tools (like microsocks) to cups-lpd and bind them to port 515 to make malicious traffic look like legitimate printer communication.
What is the role of Sliver C2 in this campaign?
Sliver is an open-source Command and Control framework used to manage compromised hosts, chosen by actors to evade detection systems tuned for Cobalt Strike.