Two hacking groups linked to China have been detected weaponizing the newly disclosed vulnerability in React Server Components (RSC), known as React2Shell. The exploit was observed just hours after the existence of the flaw was made public, underscoring how quickly threat actors integrate new exploits into their campaigns.

The React2Shell Vulnerability (CVE-2025-55182)

The vulnerability in question is CVE-2025-55182, which carries a CVSS score of 10.0, the maximum severity rating. The flaw allows unauthenticated remote code execution (RCE).

  • Impact: Allows an attacker to execute arbitrary code without requiring prior authentication.
  • Mitigation: The vulnerability has been fixed in React versions 19.0.1, 19.1.2 and 19.2.1.
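A practical first step for defenders is to check which React release is actually installed against the fixed versions listed above. The following is an added example (not code from the article or from the React project): it compares an installed version with the fixed release on the same minor line (19.0.1, 19.1.2 or 19.2.1). Versions on minor lines the article does not mention are reported as "unknown-line" rather than guessed at, and the treatment of `^`/`~` ranges as their lower bound is an assumption of this example.

```javascript
// Added example (not from the article or from the React project): decide whether an
// installed React version includes the React2Shell (CVE-2025-55182) fix.
// Fixed releases named in the article: 19.0.1, 19.1.2, 19.2.1. Anything below the
// fixed release on the same minor line is treated as unpatched; other minor lines
// are reported as "unknown-line" because the article does not cover them.

const FIXED_RELEASES = ["19.0.1", "19.1.2", "19.2.1"];

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and optional pre-release
// suffix (e.g. "-canary-..."), which is treated as older than the plain release.
// Returns null on malformed input.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: Boolean(m[4]) };
}

function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  // same numeric version: a pre-release sorts before the final release
  if (a.pre !== b.pre) return a.pre ? -1 : 1;
  return 0;
}

// Returns "patched", "unpatched", "unknown-line" or "invalid".
function react2ShellStatus(installed) {
  const v = parseVersion(installed);
  if (!v) return "invalid";
  const fixed = FIXED_RELEASES.map(parseVersion)
    .find((f) => f.major === v.major && f.minor === v.minor);
  if (!fixed) return "unknown-line";
  return compareVersions(v, fixed) >= 0 ? "patched" : "unpatched";
}

// Check the "react" pin in a package.json-style object. A range such as "^19.1.0"
// is checked at its lower bound, the weakest guarantee the range gives (assumption);
// the resolved version in package-lock.json or node_modules/react/package.json is
// the authoritative value and should be checked the same way.
function auditPackageJson(pkg) {
  const results = {};
  for (const section of ["dependencies", "devDependencies"]) {
    const spec = pkg[section] && pkg[section].react;
    if (!spec) continue;
    const lowerBound = spec.replace(/^[\^~>=\s]+/, "");
    results[section] = react2ShellStatus(lowerBound);
  }
  return results;
}

// Constructed sample manifest for demonstration.
const samplePackageJson = {
  name: "example-app",
  dependencies: { react: "^19.1.0", "react-dom": "^19.1.0" },
};

console.log(auditPackageJson(samplePackageJson)); // { dependencies: 'unpatched' }
```

Run the same check against the resolved version from the lockfile rather than only the manifest pin; a `^19.1.0` range may already resolve to 19.1.2 on one machine and to 19.1.0 on another.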

Threat Actors Linked to China

According to a report from Amazon Web Services (AWS), CVE-2025-55182 exploitation activity was detected in the AWS MadPot honeypot infrastructure, identifying exploitation attempts originating from IP addresses historically linked to threat actors with Chinese state ties. The specific groups identified are Earth Lamia and Jackpot Panda.

Earth Lamia

Earth Lamia is a China-linked threat group that has previously been associated with attacks exploiting other critical vulnerabilities, such as a flaw in SAP NetWeaver (CVE-2025-31324) earlier this year.

  • Sectors Affected: Financial services, logistics, retail, IT companies, universities and government organizations.
  • Target Regions: Latin America, the Middle East and Southeast Asia.

Jackpot Panda

Jackpot Panda is another Chinese threat actor that primarily targets entities engaged in online gambling operations in East and Southeast Asia.

  • Operational History: Active since at least 2020, has focused on compromising trusted third-party relationships to deploy malicious implants.
  • Notorious Attack: Was involved in the supply chain compromise of the Comm100 chat application in September 2022, activity tracked by ESET as “Operation ChattyGoblin”.
  • Recent Tactics: In 2023, the group used a trojanized installer of the CloudChat chat application (popular among Chinese-speaking gaming communities) to deploy XShade, an implant whose code overlaps with Jackpot Panda’s CplRAT implant.

Observed Attack Methodology

AWS has observed that threat actors are actively exploiting CVE-2025-55182 alongside other N-day flaws, such as a vulnerability in NUUO Camera (CVE-2025-1338). This suggests mass scanning of the Internet for unpatched systems.

Attack attempts include:

  • Execution of reconnaissance commands (whoami).
  • Writing files to temporary locations (/tmp/pwned.txt).
  • Reading files containing sensitive information (/etc/passwd).

This activity reflects a systematic approach by threat actors, who monitor new vulnerability disclosures, quickly integrate public exploits into their scanning infrastructure, and conduct broad, simultaneous campaigns to maximize their chances of finding vulnerable targets.
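The three post-exploitation indicators listed above (a whoami execution, a write to /tmp/pwned.txt, a read of /etc/passwd) are easy to turn into host-level detections. The following is an added example, not code from the article or from AWS: it scans a constructed JSON-lines feed of endpoint events and raises an alert for any host where two or more of those indicators fire within a few minutes. The event format, the sample events, the five-minute window and the assumption that the React Server Components application runs under a `node` process are all this example's own, not facts from the report.

```javascript
// Added example (not from the article or from AWS): a small detector that scans
// endpoint events from a web server host for the post-exploitation behaviour the
// article lists (whoami execution, writes to /tmp/pwned.txt, reads of /etc/passwd)
// and correlates them per host within a short window. The JSON-lines event format
// and the sample events are constructed; the assumption that the RSC application
// runs under a `node` process is ours, not the article's.

const WINDOW_MS = 5 * 60 * 1000; // per-host correlation window (assumed)

// Each rule returns true when a single event matches one observed indicator.
const RULES = [
  { id: "recon-whoami", match: (e) => e.type === "exec" && /(^|\/)whoami$/.test(e.cmd || "") },
  { id: "marker-file-write", match: (e) => e.type === "file_write" && e.path === "/tmp/pwned.txt" },
  { id: "passwd-read", match: (e) => e.type === "file_read" && e.path === "/etc/passwd" },
];

// Parse one JSON line; malformed lines are skipped rather than aborting the scan.
function parseEvent(line) {
  try {
    const e = JSON.parse(line);
    return e && typeof e.ts === "string" && typeof e.host === "string" ? e : null;
  } catch {
    return null;
  }
}

// Per-event matches, restricted to children of the web server process so that an
// administrator running whoami in an SSH session is not flagged.
function matchEvent(e) {
  if (e.parent !== "node") return [];
  return RULES.filter((r) => r.match(e)).map((r) => r.id);
}

// Scan all lines; return every individual hit for triage plus one alert per host
// whose hits cover two or more distinct rules inside WINDOW_MS.
function scanEvents(lines) {
  const hits = [];
  for (const line of lines) {
    const e = parseEvent(line);
    if (!e) continue;
    for (const rule of matchEvent(e)) {
      hits.push({ host: e.host, ts: Date.parse(e.ts), rule, event: e });
    }
  }
  hits.sort((a, b) => a.ts - b.ts);

  const alerts = [];
  const byHost = new Map();
  for (const h of hits) {
    // keep only this host's hits that fall inside the window ending at h
    const recent = (byHost.get(h.host) || []).filter((x) => h.ts - x.ts <= WINDOW_MS);
    recent.push(h);
    byHost.set(h.host, recent);
    const rules = new Set(recent.map((x) => x.rule));
    if (rules.size < 2) continue;
    let alert = alerts.find((a) => a.host === h.host);
    if (!alert) {
      alert = { host: h.host, rules: [], firstSeen: recent[0].event.ts };
      alerts.push(alert);
    }
    alert.rules = [...rules].sort(); // grows as further indicators arrive
  }
  return { hits, alerts };
}

// Constructed sample events: web-1 shows the full chain; web-2 only an admin's whoami
// from an interactive shell, which must not alert.
const SAMPLE_EVENTS = [
  '{"ts":"2025-12-04T10:00:01Z","host":"web-1","type":"exec","parent":"node","cmd":"/usr/bin/whoami"}',
  '{"ts":"2025-12-04T10:00:02Z","host":"web-1","type":"file_write","parent":"node","path":"/tmp/pwned.txt"}',
  '{"ts":"2025-12-04T10:00:03Z","host":"web-1","type":"file_read","parent":"node","path":"/etc/passwd"}',
  '{"ts":"2025-12-04T10:05:00Z","host":"web-2","type":"exec","parent":"bash","cmd":"whoami"}',
  "not json at all",
];

console.log(JSON.stringify(scanEvents(SAMPLE_EVENTS).alerts, null, 2));
```

The parent-process filter is what keeps this rule set quiet on a busy server: a shell spawned by the application process is unusual on its own, and pairing it with either file indicator gives a high-confidence signal. Feed the same functions with events from whatever agent you run, mapping its fields onto `ts`, `host`, `type`, `parent`, `cmd` and `path`.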

References

  • Vulnerabilities: CVE-2025-55182 (React2Shell), CVE-2025-31324 (SAP NetWeaver flaw), CVE-2025-1338 (NUUO Camera flaw)
  • Threat Actors: Earth Lamia, Jackpot Panda
  • Reports Cited: Amazon Web Services (AWS) Report, CrowdStrike’s Global Threat Report, ESET’s Operation ChattyGoblin.
  • React patches: Versions 19.0.1, 19.1.2 and 19.2.1.

Conclusion

The rapid adoption of the React2Shell vulnerability by sophisticated hacking groups underscores the importance of proactive patch management. Organizations should closely monitor critical vulnerability disclosures and apply patches as soon as they are available to mitigate the risk of falling victim to these widespread exploitation campaigns.