Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability

Vulnerability / Software Security

Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge.

The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution. It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1.

According to a new report shared by Amazon Web Services (AWS), two China-linked threat actors known as Earth Lamia and Jackpot Panda have been observed attempting to exploit the maximum-severity security flaw.

“Our analysis of exploitation attempts in AWS MadPot honeypot infrastructure has identified exploitation activity from IP addresses and infrastructure historically linked to known China state-nexus threat actors,” CJ Moses, CISO of Amazon Integrated Security, said in a report shared with The Hacker News.

Specifically, the tech giant said it identified infrastructure associated with Earth Lamia, a China-nexus group that was attributed to attacks exploiting a critical SAP NetWeaver flaw (CVE-2025-31324) earlier this year.

The hacking crew has targeted sectors across financial services, logistics, retail, IT companies, universities, and government organizations across Latin America, the Middle East, and Southeast Asia.

The attack efforts have also originated from infrastructure related to another China-nexus cyber threat actor known as Jackpot Panda, which has primarily singled out entities that are either engaged in or support online gambling operations in East and Southeast Asia.

Jackpot Panda, per CrowdStrike, is assessed to be active since at least 2020, and has targeted trusted third-party relationships in an attempt to deploy malicious implants and gain initial access. Notably, the threat actor was connected to the supply chain compromise of a chat app known as Comm100 in September 2022. The activity is tracked by ESET as Operation ChattyGoblin.

It has since emerged that a Chinese hacking contractor, I-Soon, may have been involved in the supply chain attack, citing infrastructure overlaps. Interestingly, attacks mounted by the group in 2023 have primarily focused on Chinese-speaking victims, indicating possible domestic surveillance.

“Beginning in May 2023, the adversary used a trojanized installer for CloudChat, a China-based chat application popular with illegal, Chinese-speaking gambling communities in Mainland China,” CrowdStrike said in its Global Threat Report released last year.

“The trojanized installer served from CloudChat’s website contained the first stage of a multi-step process that ultimately deployed XShade – a novel implant with code that overlaps with Jackpot Panda’s unique CplRAT implant.”

Amazon said it also detected threat actors exploiting 2025-55182 along with other N-day flaws, including a vulnerability in NUUO Camera (CVE-2025-1338, CVSS score: 7.3), suggesting broader attempts to scan the internet for unpatched systems.

The observed activity involves attempts to run discovery commands (e.g., whoami), write files (“/tmp/pwned.txt”), and read files containing sensitive information (e.g., “/etc/passwd”).

“This demonstrates a systematic approach: threat actors monitor for new vulnerability disclosures, rapidly integrate public exploits into their scanning infrastructure, and conduct broad campaigns across multiple Common Vulnerabilities and Exposures (CVEs) simultaneously to maximize their chances of finding vulnerable targets,” Moses said.

Cloudflare Blames Outage on React2Shell Patch

The development comes as Cloudflare experienced a brief but widespread outage that caused websites and online platforms to return a “500 Internal Server Error” message.

“A change made to how Cloudflare’s Web Application Firewall parses requests caused Cloudflare’s network to be unavailable for several minutes this morning,” the web infrastructure provider said in a statement Friday. “This was not an attack; the change was deployed by our team to help mitigate the industry-wide vulnerability disclosed this week in React Server Components.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.