GreyNoise Labs Weekly OAST Report: MCP Server Command Injection and React2Shell Exploitation Campaigns – Week Ending 2026-01-09
This GreyNoise Labs report provides detailed analysis of out-of-band interaction domain (OAST) activity observed during January 3-9, 2026, identifying three distinct campaigns exploiting vulnerabilities including MCP server command injection and React2Shell (CVE-2025-55182). It includes comprehensive telemetry such as JA4 fingerprint clusters, payload samples, IOC tables, and detection recommendations, offering actionable intelligence for defenders.
AI Analysis
Technical Summary
This GreyNoise Labs report provides detailed analysis of out-of-band interaction domain (OAST) activity observed during January 3-9, 2026, identifying three distinct campaigns exploiting vulnerabilities including MCP server command injection and React2Shell (CVE-2025-55182). It includes comprehensive telemetry such as JA4 fingerprint clusters, payload samples, IOC tables, and detection recommendations, offering actionable intelligence for defenders.
Potential Impact
The report contains original, timely, and detailed threat intelligence with actionable detection and mitigation guidance focused on recent exploitation campaigns, making it highly relevant and valuable for cybersecurity defenders.
Mitigation Recommendations
Integrate the provided IOCs and JA4 fingerprints into network detection tools and SIEMs to identify and block related scanning and exploitation attempts. Monitor for the described payload patterns and OAST callback domains, and apply relevant patches or mitigations for CVE-2025-55182 and MCP server vulnerabilities.
GreyNoise Labs Weekly OAST Report: MCP Server Command Injection and React2Shell Exploitation Campaigns – Week Ending 2026-01-09
Description
This GreyNoise Labs report provides detailed analysis of out-of-band interaction domain (OAST) activity observed during January 3-9, 2026, identifying three distinct campaigns exploiting vulnerabilities including MCP server command injection and React2Shell (CVE-2025-55182). It includes comprehensive telemetry such as JA4 fingerprint clusters, payload samples, IOC tables, and detection recommendations, offering actionable intelligence for defenders.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This GreyNoise Labs report provides detailed analysis of out-of-band interaction domain (OAST) activity observed during January 3-9, 2026, identifying three distinct campaigns exploiting vulnerabilities including MCP server command injection and React2Shell (CVE-2025-55182). It includes comprehensive telemetry such as JA4 fingerprint clusters, payload samples, IOC tables, and detection recommendations, offering actionable intelligence for defenders.
Potential Impact
The report contains original, timely, and detailed threat intelligence with actionable detection and mitigation guidance focused on recent exploitation campaigns, making it highly relevant and valuable for cybersecurity defenders.
Mitigation Recommendations
Integrate the provided IOCs and JA4 fingerprints into network detection tools and SIEMs to identify and block related scanning and exploitation attempts. Monitor for the described payload patterns and OAST callback domains, and apply relevant patches or mitigations for CVE-2025-55182 and MCP server vulnerabilities.
Required Action
Integrate the provided IOCs and JA4 fingerprints into network detection tools and SIEMs to identify and block related scanning and exploitation attempts. Monitor for the described payload patterns and OAST callback domains, and apply relevant patches or mitigations for CVE-2025-55182 and MCP server vulnerabilities.
Technical Details
- Community Item Id
- 6963c58cda2266e838e6b48c
- Community Submitter Notes
- null
Threat ID: 6963c58cda2266e838e6b48f
Added to database: 1/11/2026, 3:45:16 PM
Last enriched: 1/11/2026, 3:45:16 PM
Last updated: 3/24/2026, 11:22:30 AM
Views: 245
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.