Modern businesses rely heavily on web applications to run operations and serve customers. So when a critical vulnerability appears in widely used software, it can have an immediate and widespread impact.
React2Shell was one such vulnerability. Actively exploited and capable of giving attackers full control of exposed systems, it posed a serious risk across multiple sectors. In this case, early intelligence, rapid analysis and targeted client alerts helped to mitigate the risk before it escalated into major incidents.
How the issue was identified
In December 2025, our threat sources indicated that a newly disclosed vulnerability was affecting components of the React server, a framework used by millions of websites worldwide. When subsequent alerts confirmed the issue – later dubbed React2Shell – was already being exploited, the issue was classified as critical.
With a maximum CVSS score, React2Shell allowed unauthenticated attackers to execute code remotely on exposed servers. Once attackers gained access, they were free to deploy additional tools to maintain access. This opened the door to data theft, lateral movement and even ransomware. And even if vulnerabilities were patched quickly, systems that had already been compromised could remain at risk if hidden backdoors were left behind. In other words, organizations could believe the issue was resolved while attackers still had access.
Why speed mattered in protecting businesses
Without early identification and targeted alerts, many organizations would have remained unaware that they were exposed or already compromised. The vulnerability was so severe and easy to exploit that threat actors began exploiting it at scale within hours. That speed is exactly why proactive monitoring matters – matching the attacker’s pace helps to stop them before they can take advantage.
Once the severity and reach of React2Shell was confirmed, our proactive cyber security team assessed the exposure by mapping the global attack surface to identify internet‑exposed React servers, alongside indicators of active compromise.
These findings were then matched against our CFC customer portfolio to identify insureds genuinely at risk. In total, we notified over 500 clients through targeted alerts, with clear, actionable guidance to patch immediately and assess for compromise.
Follow‑up analysis showed that 83% of affected systems were remediated shortly after notification, significantly reducing the exposure and showing how focused alerts are vital in fast‑moving incidents.
Impact and risk avoided
Based on exposure data and remediation timelines, the potential cost for each exploited business could have run into the tens of thousands – creating a systemic-sized combined cost that would have caused widescale disruption. This shows how early action can make a material difference in helping to keep businesses secure – and keep entire industries on track.
In real terms, delayed detection could have resulted in ransomware incidents, extended outages, regulatory exposure and significant recovery costs.
Key takeaways
Proactive cyber reduces loss: Investing in a cyber policy that identifies and works to reduce risk before incidents occur can significantly limit disruption, cost and potential claims
Speed is critical: Early identification and response significantly reduce risk when a vulnerability is being actively exploited.
Patching alone isn’t enough: Organizations must also check whether attackers gained access before fixes were applied.
Targeted alerts cut through noise: Focusing on customers who are genuinely at risk helps drive faster, more effective action.
When critical vulnerabilities are exploited at scale, minutes can make a meaningful difference in mitigating financial and operational fallout. That’s why proactive monitoring and actionable alerts are so valuable in today’s dynamic threat landscape.
Explore our full set of case studies showing how proactive cyber attack prevention helps to keep businesses secure and claims examples demonstrating how cyber insurance steps in to provide vital support.
If you have any questions, please get in touch.
Meet the author
Jason Hart is Managing Director of Proactive and Global Cyber Security Services at CFC. He leads CFC’s global cyber security services, bringing together threat intelligence, incident response and managed security to prevent cyber incidents and minimize impact for clients worldwide.
