GreyNoise Labs Weekly OAST Report: MCP Server Command Injection and React2Shell Exploitation Campaigns – Week Ending 2026-01-09
This GreyNoise Labs report provides detailed analysis of out-of-band interaction domain (OAST) activity observed during January 3-9, 2026, identifying three distinct campaigns exploiting vulnerabilities including MCP server command injection and React2Shell (CVE-2025-55182). It includes comprehensive telemetry such as JA4 fingerprint clusters, payload samples, IOC tables, and detection recommendations, offering actionable intelligence for defenders.
AI Analysis
Technical Summary
This GreyNoise Labs report provides detailed analysis of out-of-band interaction domain (OAST) activity observed during January 3-9, 2026, identifying three distinct campaigns exploiting vulnerabilities including MCP server command injection and React2Shell (CVE-2025-55182). It includes comprehensive telemetry such as JA4 fingerprint clusters, payload samples, IOC tables, and detection recommendations, offering actionable intelligence for defenders.
Potential Impact
The report contains original, timely, and detailed threat intelligence with actionable detection and mitigation guidance focused on recent exploitation campaigns, making it highly relevant and valuable for cybersecurity defenders.
Mitigation Recommendations
Integrate the provided IOCs and JA4 fingerprints into network detection tools and SIEMs to identify and block related scanning and exploitation attempts. Monitor for the described payload patterns and OAST callback domains, and apply relevant patches or mitigations for CVE-2025-55182 and MCP server vulnerabilities.
GreyNoise Labs Weekly OAST Report: MCP Server Command Injection and React2Shell Exploitation Campaigns – Week Ending 2026-01-09
Description
This GreyNoise Labs report provides detailed analysis of out-of-band interaction domain (OAST) activity observed during January 3-9, 2026, identifying three distinct campaigns exploiting vulnerabilities including MCP server command injection and React2Shell (CVE-2025-55182). It includes comprehensive telemetry such as JA4 fingerprint clusters, payload samples, IOC tables, and detection recommendations, offering actionable intelligence for defenders.
AI-Powered Analysis
Technical Analysis
This GreyNoise Labs report provides detailed analysis of out-of-band interaction domain (OAST) activity observed during January 3-9, 2026, identifying three distinct campaigns exploiting vulnerabilities including MCP server command injection and React2Shell (CVE-2025-55182). It includes comprehensive telemetry such as JA4 fingerprint clusters, payload samples, IOC tables, and detection recommendations, offering actionable intelligence for defenders.
Potential Impact
The report contains original, timely, and detailed threat intelligence with actionable detection and mitigation guidance focused on recent exploitation campaigns, making it highly relevant and valuable for cybersecurity defenders.
Mitigation Recommendations
Integrate the provided IOCs and JA4 fingerprints into network detection tools and SIEMs to identify and block related scanning and exploitation attempts. Monitor for the described payload patterns and OAST callback domains, and apply relevant patches or mitigations for CVE-2025-55182 and MCP server vulnerabilities.
Required Action
Integrate the provided IOCs and JA4 fingerprints into network detection tools and SIEMs to identify and block related scanning and exploitation attempts. Monitor for the described payload patterns and OAST callback domains, and apply relevant patches or mitigations for CVE-2025-55182 and MCP server vulnerabilities.
Technical Details
- Community Item Id
- 6963c58cda2266e838e6b48c
- Community Submitter Notes
- null
Threat ID: 6963c58cda2266e838e6b48f
Added to database: 1/11/2026, 3:45:16 PM
Last enriched: 1/11/2026, 3:45:16 PM
Last updated: 2/7/2026, 9:12:53 AM
Views: 190
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
In-Depth Analysis of Vietnamese Stealer: Python-Based Info Stealer Using Telegram C2 and DLL Sideloading
HighMicrosoft Desktop Window Manager Zero-Day Vulnerability (CVE-2026-20805) Actively Exploited; Urgent Patch Released
HighIn-depth Analysis of Trojanized WinRAR Installer Distributing Winzipper Malware
HighDetailed Analysis and PoC for CVE-2026-21440: Critical Path Traversal in AdonisJS Multipart Upload
HighBreachForums Hack Exposes Complete User Database of Major Dark Web Forum
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.