PULSE NAME
React2Shell (CVE-2025-55182): Dissecting a Node.js RCE Against a Production Next.js App
WHITE PetrP.73 2025-12-20 Modified: 2026-01-19
13 IOCs, MEDIUM VOLUME
The investigation into the cyberattack targeting a production Next.js application identified exploitation of a critical vulnerability, CVE-2025-55182 (React2Shell), which allows remote code execution (RCE). An analysis of over 12,000 log entries demonstrated that attackers successfully executed commands on the server. The initial exploitation began with a malformed HTTP POST request carrying a malicious React Server Component (RSC) Flight payload that abused a deserialization flaw. The vulnerability, disclosed in December 2025 and rated CVSS 10.0, quickly garnered attention due to widespread active exploitation.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Flight RSC Flight Nuts Anivia Cobalt Strike React2Shell Persistence Mirai
Indicators of Compromise (1 / 13 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
email | luis.etr@avangenio.com | | 2025-12-20