China APTs Exploiting React Server RCE (CVE-2025-55182) Hours After Disclosure
Two China-linked hacking groups began exploiting a critical vulnerability in React Server Components just hours after it became public. The flaw, CVE-2025-55182, carries the maximum CVSS score of 10.0, has already been dubbed React2Shell, and enables remote execution of arbitrary code on a vulnerable server without any form of authentication. Although the issue has been patched in React versions 19.0.1, 19.1.2, and 19.2.1, unpatched deployments remain easy prey for attackers.
According to a report from Amazon Web Services, exploitation attempts against React2Shell were detected within AWS’s MadPot honeypot infrastructure. Logs revealed activity from IP addresses and servers previously associated with Chinese state-linked groups. Analysts identified two distinct clusters of activity, attributed to the groups tracked as Earth Lamia and Jackpot Panda.
Earth Lamia is described as a China-aligned group previously accused of exploiting a critical flaw in SAP NetWeaver (CVE-2025-31324). Its targets span a wide range of industries — financial institutions, logistics companies, retail, the IT sector, universities, and government agencies across Latin America, the Middle East, and Southeast Asia.
Jackpot Panda, by contrast, traditionally focuses on organizations involved in online gambling or supporting that market in East and Southeast Asia. CrowdStrike reports that the group has been active since at least 2020 and often infiltrates victims through trusted third parties, abusing compromised partner chains to install malicious implants and obtain initial access.
Jackpot Panda is also linked to the 2022 supply-chain compromise of Comm100’s chat software — an operation ESET tracks as ChattyGoblin. Later evidence suggested that the Chinese contractor I-Soon may have been involved, based on overlaps in operational infrastructure. By 2023, however, many attacks shifted toward Chinese-speaking users, hinting at possible domestic-surveillance objectives.
Researchers further note that in one campaign the attackers used a trojanized installer for CloudChat, a messaging app popular within underground Chinese-language gambling communities. The installer, distributed via the app’s website, initiated a multi-stage chain that deployed a new implant named XShade, which shares code lineage with Jackpot Panda’s signature malware, CplRAT.
Amazon also reports that alongside React2Shell, the same actors are actively exploiting other known vulnerabilities — among them, a flaw in NUUO cameras (CVE-2025-1338, CVSS 7.3). This indicates that the operators are not fixated on a single entry point but are conducting mass internet-wide scanning for any unpatched systems, chaining multiple CVEs into the same wave of attacks.
In the observed exploitation attempts, attackers issued basic reconnaissance commands such as whoami, created marker files such as /tmp/pwned.txt, and attempted to read system files containing potentially sensitive information, including /etc/passwd. Such actions confirm that code execution succeeded before the attacker escalates to a deeper intrusion.
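The indicators above translate directly into detection rules for process-execution telemetry. The following Node.js script is an added example, not code from the article, AWS, or the React project: it applies those rules to constructed event records. The event format (JSON lines with ts, host, parent_image, image and cmdline fields) and the sample records are assumptions made for illustration; the rule that flags any shell spawned by the node server process is a heuristic, and the reconnaissance-command list extends the article's whoami with id, uname and hostname.

```javascript
// Added example (not from the article, AWS or React): flag the
// post-exploitation indicators reported for React2Shell in process telemetry.

// Reconnaissance binaries: whoami is from the article; the rest are common
// additions a defender would also want to see spawned by a web server.
const RECON_COMMANDS = new Set(["whoami", "id", "uname", "hostname"]);
// File indicators named in the article.
const SENSITIVE_FILES = ["/etc/passwd"];
const CANARY_PATHS = ["/tmp/pwned.txt"];
const SHELLS = new Set(["sh", "bash", "dash"]);

function basename(p) {
  return String(p || "").split("/").pop();
}

// Unwrap `sh -c '<inner>'` so the inner command is what gets inspected.
function effectiveCommand(cmdline) {
  const s = String(cmdline || "").trim();
  const m = /^(?:\/bin\/|\/usr\/bin\/)?(?:sh|bash|dash)\s+-c\s+(.*)$/.exec(s);
  return m ? m[1].replace(/^["']|["']$/g, "") : s;
}

// Apply the rules to one event; returns the names of the rules it matches.
function matchEvent(ev) {
  const hits = [];
  const cmd = effectiveCommand(ev.cmdline);
  const prog = basename(cmd.split(/\s+/)[0]);
  const parentIsNode = basename(ev.parent_image) === "node";

  // Heuristic: an RSC server process should not be spawning shells at all.
  if (parentIsNode && SHELLS.has(basename(ev.image))) hits.push("node_spawned_shell");
  // Reconnaissance is only anomalous when the web server issued it.
  if (parentIsNode && RECON_COMMANDS.has(prog)) hits.push("recon_command");
  // The marker file is a strong indicator regardless of parent process.
  if (CANARY_PATHS.some((p) => cmd.includes(p))) hits.push("canary_file_write");
  if (parentIsNode && SENSITIVE_FILES.some((p) => cmd.includes(p))) hits.push("sensitive_file_read");
  return hits;
}

// Run the rules over a list of parsed events and keep only the matches.
function detect(events) {
  const findings = [];
  for (const ev of events) {
    const rules = matchEvent(ev);
    if (rules.length) findings.push({ ts: ev.ts, host: ev.host, cmdline: ev.cmdline, rules });
  }
  return findings;
}

// Parse newline-delimited JSON, skipping blank lines.
function parseJsonl(text) {
  return text.split("\n").filter((l) => l.trim()).map((l) => JSON.parse(l));
}

// Constructed sample telemetry (assumed format; not real MadPot or EDR output).
const SAMPLE_EVENTS = parseJsonl(`
{"ts":"2025-01-01T10:01:02Z","host":"web-1","parent_image":"/usr/bin/node","image":"/bin/sh","cmdline":"sh -c whoami"}
{"ts":"2025-01-01T10:01:03Z","host":"web-1","parent_image":"/usr/bin/node","image":"/bin/sh","cmdline":"sh -c 'touch /tmp/pwned.txt'"}
{"ts":"2025-01-01T10:01:04Z","host":"web-1","parent_image":"/usr/bin/node","image":"/usr/bin/cat","cmdline":"cat /etc/passwd"}
{"ts":"2025-01-01T10:02:00Z","host":"web-1","parent_image":"/usr/sbin/sshd","image":"/usr/bin/whoami","cmdline":"whoami"}
{"ts":"2025-01-01T10:03:00Z","host":"web-1","parent_image":"/usr/bin/npm","image":"/usr/bin/node","cmdline":"node server.js"}
`);

for (const f of detect(SAMPLE_EVENTS)) {
  console.log(`${f.ts} ${f.host} [${f.rules.join(",")}] ${f.cmdline}`);
}
```

The admin's whoami from an sshd session and the npm-launched server produce no alert; only the three events spawned by the node process do, which is the distinction that keeps this rule set usable on a busy host.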
According to Amazon Chief Security Officer CJ Moses, this pattern is characteristic of well-established advanced groups: they continuously monitor vulnerability disclosures, rapidly integrate newly published exploits into their scanning frameworks, and launch broad campaigns across multiple flaws at once to maximize their chances of finding unprotected targets. For operators of sites and services using React, the conclusion is unequivocal: if an application relies on React Server Components and has not yet been updated to the patched versions, it must be upgraded immediately — and closely monitored for signs of compromise.
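One way to turn the upgrade advice into a repeatable check, as an added example (not code from the article, React or AWS): a Node.js script that reads every installed copy of React from a package-lock.json, including nested duplicates pulled in by other dependencies, and compares each against the patched releases named above. The lockfile fragment is constructed for illustration; the check covers only the three 19.x lines the article lists and reports any other version line as "unknown" rather than guessing, and the assumption that a prerelease build carrying a patched version number sorts below the release follows semver ordering.

```javascript
// Added example (not from the article, React or AWS): audit installed React
// versions in a package-lock.json against the patched releases 19.0.1, 19.1.2, 19.2.1.

// Minimum patched release per 19.x minor line, as listed in the article.
const PATCHED_BY_MINOR = {
  "19.0": [19, 0, 1],
  "19.1": [19, 1, 2],
  "19.2": [19, 2, 1],
};

// Parse "19.2.0", "v19.2.1" or "19.2.1-canary-abc" into its components.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns "patched", "vulnerable" or "unknown" (a version line the article
// does not cover, e.g. 18.x, which needs manual review rather than a guess).
function assessReactVersion(v) {
  const p = parseVersion(v);
  if (!p) return "unknown";
  const fix = PATCHED_BY_MINOR[`${p.major}.${p.minor}`];
  if (!fix) return "unknown";
  if (p.patch > fix[2]) return "patched";
  if (p.patch < fix[2]) return "vulnerable";
  // Same number as the fix: a prerelease (e.g. 19.2.1-canary-...) sorts before
  // the release under semver, so it is flagged conservatively (assumption).
  return p.prerelease ? "vulnerable" : "patched";
}

// Walk a lockfileVersion 2/3 "packages" map and report every installed copy of
// the named packages, including nested copies under other dependencies.
function auditLockfile(lock, packageNames = ["react"]) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!packageNames.includes(name) || !meta.version) continue;
    findings.push({ path, version: meta.version, status: assessReactVersion(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from any real project): the top-level
// React is unpatched while a nested copy under another package is already fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { react: "^19.2.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/legacy-widget/node_modules/react": { version: "19.1.2" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.version.padEnd(10)} ${f.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json; the nested-copy handling matters because a transitive dependency can keep an unpatched React on disk even after the top-level package has been upgraded.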