React2Shell Under Attack: Chinese Hackers Pounce on New Vulnerability
Chinese state-sponsored hacking groups are already actively exploiting the recently revealed React2Shell vulnerability, targeting React Server Components (RSC) just hours after details surfaced online. Security researchers are urging developers to patch immediately.
Two hacking groups with suspected ties to China were spotted actively exploiting a newly revealed security hole in React Server Components (RSC) almost immediately after the information went public.
We're talking about CVE-2025-55182 (a perfect 10.0 CVSS score!), also known as React2Shell. This nasty vulnerability allows for unauthenticated remote code execution. The good news? Patches are available in React versions 19.0.1, 19.1.2, and 19.2.1, so update now!
According to a fresh report from Amazon Web Services (AWS), these attempts to exploit the vulnerability were linked to two known China-affiliated threat actors: Earth Lamia and Jackpot Panda.
"Our analysis... has identified exploitation activity from IP addresses and infrastructure historically linked to known China state-nexus threat actors," said CJ Moses, CISO of Amazon Integrated Security, in a report.
Specifically, AWS identified infrastructure connected to Earth Lamia, a group previously linked to attacks exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) earlier in the year.
This group has a broad range of targets, including financial services, logistics, retail, IT companies, universities, and government organizations across Latin America, the Middle East, and Southeast Asia.
The attacks were also traced back to infrastructure associated with Jackpot Panda, another China-linked threat actor. They typically focus on entities involved in or supporting online gambling, particularly in East and Southeast Asia.
CrowdStrike says Jackpot Panda has been active since at least 2020, targeting trusted third-party relationships to deploy malicious implants and gain initial access. They were even connected to the supply chain compromise of the Comm100 chat app back in September 2022. ESET tracks this activity as Operation ChattyGoblin.
Further digging suggests that a Chinese hacking contractor, I-Soon, may have been involved in the supply chain attack, with infrastructure overlaps as evidence. Interestingly, attacks attributed to I-Soon in 2023 primarily targeted Chinese-speaking victims, hinting at possible domestic surveillance.
"Beginning in May 2023, the adversary used a trojanized installer for CloudChat, a China-based chat application popular with illegal, Chinese-speaking gambling communities in Mainland China," CrowdStrike stated in their Global Threat Report last year.
"The trojanized installer... deployed XShade – a novel implant with code that overlaps with Jackpot Panda's unique CplRAT implant."
Amazon also detected these threat actors exploiting CVE-2025-55182 alongside other known vulnerabilities (N-day flaws), including one in NUUO Camera (CVE-2025-1338), suggesting a broad effort to scan the internet for unpatched systems.
The observed activity included attempts to run discovery commands (like "whoami"), write files ("/tmp/pwned.txt"), and read files containing sensitive information (like "/etc/passwd").
"This demonstrates a systematic approach: threat actors monitor for new vulnerability disclosures, rapidly integrate public exploits into their scanning infrastructure, and conduct broad campaigns... to maximize their chances of finding vulnerable targets," Moses explained.
Cloudflare Blames Outage on React2Shell Patch
In related news, Cloudflare experienced a brief but widespread outage, causing websites to display a "500 Internal Server Error" message.
"A change made to how Cloudflare's Web Application Firewall parses requests caused Cloudflare's network to be unavailable for several minutes this morning," the company said. "This was not an attack; the change was deployed... to help mitigate the industry-wide vulnerability disclosed this week in React Server Components."