Chinese Hackers Exploited The Recently Revealed React2Shell Vulnerability
Within hours of the public disclosure of a security flaw in React Server Components (RSC), two hacking groups with links to China were observed weaponizing it.
CVE-2025-55182 (CVSS score: 10.0), also known as React2Shell, is the vulnerability in question. It permits unauthenticated remote code execution. React versions 19.0.1, 19.1.2, and 19.2.1 have addressed it.
Two threat actors with ties to China, Earth Lamia and Jackpot Panda, have been observed attempting to exploit the maximum-severity vulnerability, according to a recent report released by Amazon Web Services (AWS).
According to a report shared with News4Hackers, “Our analysis of exploitation attempts in AWS MadPot honeypot infrastructure has identified exploitation activity from IP addresses and infrastructure historically linked to known China state-nexus threat actors,” stated CJ Moses, CISO of Amazon Integrated Security.
The tech giant specifically said it had identified infrastructure connected to Earth Lamia, a China-nexus group that was linked to attacks earlier this year exploiting a significant SAP NetWeaver flaw (CVE-2025-31324).
The hacking group has targeted organizations in Latin America, the Middle East, and Southeast Asia, spanning financial services, retail, logistics, IT firms, academic institutions, and government agencies.
Infrastructure connected to Jackpot Panda, another China-nexus threat actor, has also been a source of the exploitation attempts. Jackpot Panda has mostly targeted organizations involved in or supporting online gambling operations in East and Southeast Asia.
According to CrowdStrike, Jackpot Panda has been operating since at least 2020 and has targeted trusted third-party relationships in an effort to deploy malicious implants and obtain initial access. The threat actor was notably linked to the September 2022 supply chain breach of the messaging app Comm100. ESET tracks the activity under the name Operation ChattyGoblin.

Since then, it has come to light that the supply chain attack may have involved I-Soon, a Chinese hacking contractor, based on infrastructure overlaps. Notably, the group’s 2023 attacks have mostly targeted Chinese-speaking individuals, suggesting possible domestic surveillance.
According to CrowdStrike’s Global Threat Report from last year, “starting in May 2023, the adversary used a trojanized installer for CloudChat, a China-based chat application popular with illegal, Chinese-speaking gambling communities in Mainland China.”
“The compromised installer available on CloudChat’s website was the initial phase of a multi-step procedure that eventually delivered XShade – a new implant featuring code that parallels Jackpot Panda’s distinctive CplRAT implant.”
Amazon also reported detecting cybercriminals exploiting CVE-2025-55182 alongside various N-day vulnerabilities, including a flaw in NUUO Camera (CVE-2025-1338, CVSS score: 7.3), indicating broader efforts to scan the internet for unpatched systems.
The detected activities consist of attempts to execute discovery commands (such as whoami), create files (“/tmp/pwned.txt”), and access files that hold sensitive information (like “/etc/passwd”).
“This illustrates a methodical process: threat actors track new vulnerability announcements, quickly incorporate public exploits into their scanning systems, and carry out extensive campaigns targeting several Common Vulnerabilities and Exposures (CVEs) at once to increase their likelihood of identifying vulnerable targets,” Moses stated.
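The three behaviours listed above (a discovery command, a marker file in /tmp, and a read of /etc/passwd) can be hunted for in process telemetry as children of the application server. The following Python is an added example, not code from AWS or from the original article; the JSON-lines event schema, the sample events, and the assumption that the React Server Components application runs under a process named node are constructed for illustration.

```python
import json
import os
import re

# Behaviours listed in the report, as patterns over a spawned command line.
INDICATORS = {
    "discovery_command": re.compile(r"(?<![\w.-])whoami(?![\w.-])"),
    "marker_file_write": re.compile(r"/tmp/pwned\.txt(?![\w.-])"),
    "sensitive_file_read": re.compile(r"/etc/passwd(?![\w.-])"),
}

# Assumption: the React Server Components app runs under a process named "node".
SERVER_PARENTS = frozenset({"node"})

# Constructed sample telemetry (hypothetical JSON-lines schema, not real logs).
SAMPLE_EVENTS = """\
{"ts": "2025-12-05T08:01:12Z", "host": "web-1", "parent": "/usr/bin/node", "cmdline": "/bin/sh -c whoami"}
{"ts": "2025-12-05T08:01:13Z", "host": "web-1", "parent": "/usr/bin/node", "cmdline": "/bin/sh -c 'echo x > /tmp/pwned.txt'"}
{"ts": "2025-12-05T08:01:15Z", "host": "web-2", "parent": "node", "cmdline": "/bin/sh -c 'whoami; cat /etc/passwd'"}
{"ts": "2025-12-05T08:02:40Z", "host": "web-1", "parent": "/usr/sbin/sshd", "cmdline": "whoami"}
{"ts": "2025-12-05T08:03:02Z", "host": "web-2", "parent": "node", "cmdline": "node /app/whoami-service.js"}
truncated-or-corrupt-line
"""


def parse_events(text):
    """Yield event dicts, skipping lines that are not valid JSON objects."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "cmdline" in event:
            yield event


def classify(event, parents=SERVER_PARENTS):
    """Return the indicator names matched by a child of the app server."""
    if os.path.basename(event.get("parent", "")) not in parents:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]


def detect(text, parents=SERVER_PARENTS):
    """Return (ts, host, indicators) for every server child that matches."""
    scored = ((e, classify(e, parents)) for e in parse_events(text))
    return [(e.get("ts"), e.get("host"), hits) for e, hits in scored if hits]
```

Restricting matches to children of the server process keeps an administrator's interactive whoami over SSH out of the results, while a web application spawning a shell at all is worth reviewing in its own right.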
Cloudflare Blames Outage on React2Shell Patch
The development coincides with a temporary but widespread outage of Cloudflare that resulted in a “500 Internal Server Error” notice being returned by websites and online platforms.
A modification in the way Cloudflare’s Web Application Firewall interprets requests led to Cloudflare’s network experiencing downtime for several minutes this morning, according to a statement released by the company on Friday. “This incident was not the result of an attack; the adjustment was implemented by our team to address the industry-wide vulnerability revealed earlier this week concerning React Server Components.”
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.