Chinese Hackers Exploit React2Shell Vulnerability in React Server Components
Within hours of the public disclosure of a critical security flaw in React Server Components (RSC), two Chinese state-sponsored hacking groups, Earth Lamia and Jackpot Panda, have been observed actively exploiting the vulnerability. This flaw, identified as CVE-2025-55182 and dubbed React2Shell, carries a maximum severity rating with a CVSS score of 10.0, enabling unauthenticated remote code execution. The issue has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1.
Amazon Web Services (AWS) reported that its MadPot honeypot infrastructure detected exploitation attempts originating from IP addresses and infrastructure historically linked to these Chinese state-nexus threat actors. CJ Moses, CISO of Amazon Integrated Security, stated that their analysis identified activity from Earth Lamia, a group previously associated with attacks exploiting a critical SAP NetWeaver flaw (CVE-2025-31324) earlier this year. Earth Lamia has targeted sectors including financial services, logistics, retail, IT companies, universities, and government organizations across Latin America, the Middle East, and Southeast Asia.
Jackpot Panda, active since at least 2020, has primarily targeted entities involved in or supporting online gambling operations in East and Southeast Asia. The group has been linked to the supply chain compromise of the chat application Comm100 in September 2022, an incident tracked by ESET as Operation ChattyGoblin. Notably, attacks by Jackpot Panda in 2023 focused on Chinese-speaking victims, indicating possible domestic surveillance activities.
AWS also detected threat actors exploiting CVE-2025-55182 alongside other known vulnerabilities, such as a flaw in NUUO Camera (CVE-2025-1338, CVSS score: 7.3). This suggests a broader campaign to scan the internet for unpatched systems. The observed activities include attempts to execute discovery commands (e.g., whoami), write files (e.g., /tmp/pwned.txt), and read files containing sensitive information (e.g., /etc/passwd).
This rapid exploitation underscores the importance of promptly applying security patches to mitigate potential threats. Organizations using React Server Components are strongly advised to update to the latest versions to protect against these vulnerabilities.
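A patch-level check against the fixed versions named above (19.0.1, 19.1.2, 19.2.1), added here as an example and not code from AWS or the React project. Each release line gets its own floor, because comparing against a single version number misjudges the other lines. The inventory and service names are constructed, and the version strings are assumed to belong to the React package the article refers to.

```javascript
// Patched floor per release line, taken from the article: 19.0.1, 19.1.2, 19.2.1.
const FIXED = { "19.0": 1, "19.1": 2, "19.2": 1 };

// Classify one version string against the per-line floors.
// Returns "patched", "below-fix", "not-listed" (release line not named in the
// article, so it makes no claim either way) or "unparsed".
function classify(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(
    String(version).trim()
  );
  if (!m) return "unparsed";
  const line = `${m[1]}.${m[2]}`;
  const patch = Number(m[3]);
  const prerelease = Boolean(m[4]);
  if (!(line in FIXED)) return "not-listed";
  const floor = FIXED[line];
  // A prerelease of the fixed version (e.g. 19.2.1-rc.0) sorts before the fix.
  if (patch > floor || (patch === floor && !prerelease)) return "patched";
  return "below-fix";
}

// Audit an inventory and return only the entries that need attention.
function audit(inventory) {
  return inventory
    .map(({ service, version }) => ({ service, version, status: classify(version) }))
    .filter((entry) => entry.status !== "patched");
}

// Constructed sample inventory (hypothetical service names).
const SAMPLE = [
  { service: "storefront", version: "19.1.2" },
  { service: "admin-ui", version: "19.2.0" },
  { service: "docs", version: "19.0.0" },
  { service: "legacy", version: "18.3.1" },
  { service: "beta", version: "19.2.1-rc.0" },
];

console.log(audit(SAMPLE));
```

Entries reported as "not-listed" are on release lines the article gives no fix for, so they need a separate check against the vendor advisory.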