Chinese Hackers Exploit New React2Shell Flaw

Two hacking groups linked to China began exploiting a new security flaw in React Server Components (RSC) within hours of its public disclosure. The vulnerability is CVE-2025-55182, also called React2Shell, which carries a CVSS score of 10.0 and allows unauthenticated remote code execution. This flaw has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1.

A new report from Amazon Web Services (AWS) details that two China-linked threat actors, Earth Lamia and Jackpot Panda, were seen attempting to exploit this maximum-severity security flaw. CJ Moses, CISO of Amazon Integrated Security, stated that analysis of exploitation attempts in the AWS MadPot honeypot infrastructure identified activity from IP addresses historically linked to known China state-nexus threat actors. Specifically, AWS identified infrastructure associated with Earth Lamia, a group previously attributed to attacks exploiting a critical SAP NetWeaver flaw (CVE-2025-31324) earlier this year. Earth Lamia has targeted financial services, logistics, retail, IT companies, universities, and government organizations across Latin America, the Middle East, and Southeast Asia.

Attack efforts also originated from infrastructure related to Jackpot Panda, another China-nexus cyber threat actor. Jackpot Panda primarily targets entities involved in or supporting online gambling operations in East and Southeast Asia. CrowdStrike assesses that Jackpot Panda has been active since at least 2020. The group focuses on trusted third-party relationships to deploy malicious implants and gain initial access. This threat actor was connected to the supply chain compromise of the chat app Comm100 in September 2022. This activity is tracked by ESET as Operation ChattyGoblin. A Chinese hacking contractor, I-Soon, may have been involved in the supply chain attack, based on infrastructure overlaps. Interestingly, the group's 2023 attacks mainly focused on Chinese-speaking victims, suggesting possible domestic surveillance. CrowdStrike noted that beginning in May 2023, the adversary used a trojanized installer for CloudChat, a China-based chat application popular with illegal Chinese-speaking gambling communities in Mainland China. The trojanized installer deployed XShade, a novel implant with code that overlaps with Jackpot Panda's unique CplRAT implant.

Amazon also detected threat actors exploiting React2Shell along with other N-day flaws. This includes a vulnerability in NUUO Camera (CVE-2025-1338, CVSS score: 7.3), suggesting broader internet scanning for unpatched systems. The observed activity involves attempts to run discovery commands like whoami, write files like "/tmp/pwned.txt", and read files containing sensitive information such as "/etc/passwd". Moses concluded that this demonstrates a systematic approach. Threat actors quickly monitor new vulnerability disclosures, rapidly integrate public exploits into their scanning infrastructure, and conduct broad campaigns across multiple Common Vulnerabilities and Exposures (CVEs) simultaneously to maximize their chances of finding vulnerable targets.
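For defenders, the behaviours listed above translate into a simple triage pass over process telemetry. The following is an added example, not code from AWS or from the report: it flags hosts where the application server spawned commands matching the three observed behaviours. The one-JSON-object-per-line event format, its field names (`host`, `parent`, `cmdline`) and the assumption that the React server runs as a `node` process are hypothetical, and the sample events are constructed.

```python
import json
import re
from collections import defaultdict

# Behaviours named in the reporting above: whoami, /tmp/pwned.txt, /etc/passwd.
INDICATORS = {
    "discovery_whoami": re.compile(r"(?<![\w-])whoami(?![\w-])"),
    "marker_file_write": re.compile(r"/tmp/pwned\.txt"),
    "sensitive_file_read": re.compile(r"/etc/passwd(?![\w.-])"),
}
# Assumption: the React server runs under Node.js, so the parent is "node".
SERVER_PARENTS = {"node", "nodejs"}

def triage(lines):
    """Return {host: sorted indicator names} for commands the app server spawned."""
    hits = defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        parent = ev.get("parent", "").rsplit("/", 1)[-1]
        if parent not in SERVER_PARENTS:
            continue  # an admin running whoami over SSH is not this pattern
        for name, rx in INDICATORS.items():
            if rx.search(ev.get("cmdline", "")):
                hits[ev.get("host", "unknown")].add(name)
    return {host: sorted(names) for host, names in hits.items()}

# Constructed sample events (hypothetical format, not real telemetry).
SAMPLE = [
    '{"host":"web-1","parent":"/usr/bin/node","cmdline":"/bin/sh -c whoami"}',
    '{"host":"web-1","parent":"/usr/bin/node","cmdline":"sh -c echo x > /tmp/pwned.txt"}',
    '{"host":"web-2","parent":"/usr/bin/node","cmdline":"cat /etc/passwd"}',
    '{"host":"web-2","parent":"/usr/sbin/sshd","cmdline":"whoami"}',
    '{"host":"web-3","parent":"/usr/bin/node","cmdline":"node build.js"}',
    '{"host":"web-3","parent":"/usr/bin/node","cmdline":"grep whoami_handler src/"}',
    'not json',
]

if __name__ == "__main__":
    for host, names in sorted(triage(SAMPLE).items()):
        print(host, names)
```

Filtering on the parent process keeps routine administrator activity out of the results; a hit means only that the host needs review, not that exploitation succeeded.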

This development occurred as Cloudflare experienced a brief but widespread outage, causing websites and online platforms to display a "500 Internal Server Error" message. Cloudflare stated the outage was not an attack. Instead, it was caused by a change to how their Web Application Firewall parses requests. This change was deployed by their team specifically to help mitigate the industry-wide vulnerability disclosed this week in React Server Components.
