China-Linked Hackers Rapidly Exploit React2Shell RSC Flaw

China-linked hacking groups exploit critical React2Shell vulnerability, triggering AWS alerts and Cloudflare outage due to patch deployment

  • Two China-linked hacking groups are exploiting a critical React Server Components vulnerability known as React2Shell (CVE-2025-55182).
  • The vulnerability allows unauthenticated remote code execution and affects React versions before the fixed releases 19.0.1, 19.1.2, and 19.2.1.
  • Amazon Web Services observed exploitation attempts by the Earth Lamia and Jackpot Panda groups targeting multiple sectors worldwide.
  • Cloudflare experienced a brief outage caused by a patch deployment for this vulnerability, not by a cyberattack.

Two hacking groups linked to China have rapidly exploited a newly revealed security flaw, CVE-2025-55182, affecting React Server Components (RSC). This maximum-severity vulnerability, also called React2Shell, allows unauthenticated remote code execution and has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1.
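
Because three fixed releases are listed, a single "older than 19.2.1" comparison would misclassify builds such as 19.1.2 or 19.1.1. The following added example (not code from the article, AWS or the React project) triages resolved version strings, assuming each fixed release belongs to its own 19.x release line. The inventory and service names are constructed, and versions outside the 19.0 to 19.2 lines are reported as unknown because the article does not cover them.

```javascript
// Fixed patch level per release line, from the versions named in the article.
// Assumption: each fixed release patches its own major.minor line.
const FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 };

// Parse a resolved version ("19.1.0", "v19.1.0", "19.2.1-rc.0"); null if it is
// a range or otherwise malformed. Use lockfile versions, not package.json ranges.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns "patched", "vulnerable", "unknown" (line not covered) or "invalid".
function triage(version) {
  const p = parseVersion(version);
  if (!p) return "invalid";
  const fixedPatch = FIXED_PATCH[`${p.major}.${p.minor}`];
  if (fixedPatch === undefined) return "unknown";
  if (p.patch > fixedPatch) return "patched";
  if (p.patch < fixedPatch) return "vulnerable";
  // Same numbers as the fix: a pre-release (e.g. -rc.0) precedes the release
  // in semver ordering, so it is not counted as patched.
  return p.pre ? "vulnerable" : "patched";
}

// Annotate each inventory entry with its triage status.
function triageInventory(entries) {
  return entries.map((e) => ({ ...e, status: triage(e.react) }));
}

// Constructed sample inventory (hypothetical service names).
const inventory = [
  { service: "checkout-web", react: "19.0.0" },
  { service: "admin-portal", react: "19.1.2" },
  { service: "docs-site", react: "19.1.1" },
  { service: "api-gateway-ui", react: "19.2.1" },
  { service: "legacy-app", react: "18.3.1" },
  { service: "staging-preview", react: "19.2.1-rc.0" },
];

for (const row of triageInventory(inventory)) {
  console.log(`${row.service.padEnd(16)} ${row.react.padEnd(12)} ${row.status}`);
}
```

Entries reported as unknown or invalid need manual review against the vendor advisory rather than being treated as safe.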

According to a report shared by Amazon Web Services (AWS), these groups, Earth Lamia and Jackpot Panda, have been detected attempting to exploit this flaw. AWS’s Chief Information Security Officer, CJ Moses, identified the threat actors’ infrastructure as historically tied to Chinese state-sponsored groups, based on activity observed in AWS’s MadPot honeypot systems.

Earth Lamia previously exploited a critical SAP NetWeaver vulnerability (CVE-2025-31324) and has targeted sectors such as financial services, logistics, retail, IT, universities, and government organizations across Latin America, the Middle East, and Southeast Asia. Jackpot Panda primarily targets entities involved in online gambling in East and Southeast Asia. The group has been active since at least 2020 and is known for supply chain compromises like the 2022 attack on the Comm100 chat application, tracked by ESET as Operation ChattyGoblin.

CrowdStrike reported Jackpot Panda’s use of trojanized installers targeting Chinese-speaking gambling communities, deploying implants with code similarities to Jackpot Panda’s unique CplRAT malware. Additionally, a Chinese hacking contractor named I-Soon has been linked to some supply chain attacks associated with these activities.

AWS has also detected attempts to exploit other vulnerabilities, such as CVE-2025-1338 affecting NUUO Cameras, indicating a broader effort to scan for unpatched systems. Exploitation attempts observed include running system commands like “whoami,” writing files like “/tmp/pwned.txt,” and accessing sensitive files such as “/etc/passwd.” Moses stated this reflects a systematic campaign leveraging multiple vulnerabilities simultaneously to maximize successful intrusions.

In a related development, Cloudflare reported a brief network outage resulting in “500 Internal Server Error” responses. The company confirmed the issue stemmed from a Web Application Firewall update designed to mitigate the React2Shell vulnerability and clarified that the incident was not caused by an attack. More details are available in their official status report.
