Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge.
The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution. It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1.
According to a new report shared by Amazon Web Services (AWS), two China-linked threat actors known as Earth Lamia and Jackpot Panda have been observed attempting to exploit the maximum-severity security flaw.
"Our analysis of exploitation attempts in AWS MadPot honeypot infrastructure has identified exploitation activity from IP addresses and infrastructure historically linked to known China state-nexus threat actors," CJ Moses, CISO of Amazon Integrated Security, said in a report shared with The Hacker News.
Specifically, the tech giant said it identified infrastructure associated with Earth Lamia, a China-nexus group that has been linked to attacks exploiting a critical SAP NetWeaver flaw (CVE-2025-31324) earlier this year.
The hacking crew has targeted financial services, logistics, retail, IT companies, universities, and government organizations across Latin America, the Middle East, and Southeast Asia.
The attack efforts have also originated from infrastructure related to another China-nexus cyber threat actor known as Jackpot Panda, which has primarily singled out entit
Source: https://thehackernews.com/2025/12/chinese-hackers-have-started-exploiting.html
TPRM report: https://www.rankiteo.com/company/react-security-lab
"id": "rea1764950234",
"linkid": "react-security-lab",
"type": "Vulnerability",
"date": "2025-12-05T00:00:00.000Z",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'incident': {'affected_entities': [{'customers_affected': None,
                                     'industry': ['Financial Services',
                                                  'Logistics',
                                                  'Retail',
                                                  'IT',
                                                  'Education',
                                                  'Government'],
                                     'location': ['Latin America',
                                                  'Middle East',
                                                  'Southeast Asia'],
                                     'name': None,
                                     'size': None,
                                     'type': ['Financial Services',
                                              'Logistics',
                                              'Retail',
                                              'IT Companies',
                                              'Universities',
                                              'Government Organizations']}],
              'attack_vector': 'Exploitation of software vulnerability '
                               '(CVE-2025-55182)',
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': None,
                              'file_types_exposed': None,
                              'number_of_records_exposed': None,
                              'personally_identifiable_information': None,
                              'sensitivity_of_data': None,
                              'type_of_data_compromised': None},
              'description': 'Two hacking groups with ties to China, Earth '
                             'Lamia and Jackpot Panda, have been observed '
                             'weaponizing the newly disclosed security flaw in '
                             'React Server Components (RSC) within hours of '
                             'its public disclosure. The vulnerability, '
                             'CVE-2025-55182 (CVSS score: 10.0), allows '
                             'unauthenticated remote code execution and has '
                             'been addressed in React versions 19.0.1, 19.1.2, '
                             'and 19.2.1. AWS identified exploitation activity '
                             'linked to these threat actors using its MadPot '
                             'honeypot infrastructure.',
              'impact': {'brand_reputation_impact': None,
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': None,
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': None,
                         'legal_liabilities': None,
                         'operational_impact': None,
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': 'React Server Components (RSC)'},
              'initial_access_broker': {'backdoors_established': None,
                                        'data_sold_on_dark_web': None,
                                        'entry_point': None,
                                        'high_value_targets': None,
                                        'reconnaissance_period': None},
              'investigation_status': 'Ongoing',
              'motivation': 'State-nexus cyber espionage/attack',
              'post_incident_analysis': {'corrective_actions': 'Patch '
                                                               'management and '
                                                               'enhanced '
                                                               'monitoring for '
                                                               'exploitation '
                                                               'attempts.',
                                         'root_causes': 'Unpatched '
                                                        'vulnerability in '
                                                        'React Server '
                                                        'Components '
                                                        '(CVE-2025-55182)'},
              'ransomware': {'data_encryption': None,
                             'data_exfiltration': None,
                             'ransom_demanded': None,
                             'ransom_paid': None,
                             'ransomware_strain': None},
              'recommendations': 'Apply patches for CVE-2025-55182 (React '
                                 'versions 19.0.1, 19.1.2, or 19.2.1) '
                                 'immediately. Monitor for exploitation '
                                 'attempts using enhanced detection '
                                 'mechanisms.',
              'references': [{'date_accessed': None,
                              'source': 'Amazon Web Services (AWS)',
                              'url': None},
                             {'date_accessed': None,
                              'source': 'The Hacker News',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': None,
                                        'regulations_violated': None,
                                        'regulatory_notifications': None},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': None,
                           'containment_measures': None,
                           'enhanced_monitoring': 'AWS MadPot honeypot '
                                                  'infrastructure',
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': 'Patch to React versions '
                                                   '19.0.1, 19.1.2, or 19.2.1',
                           'third_party_assistance': 'Amazon Web Services '
                                                     '(AWS)'},
              'threat_actor': ['Earth Lamia', 'Jackpot Panda'],
              'title': 'Exploitation of React Server Components (RSC) '
                       'Vulnerability (CVE-2025-55182) by China-Linked Threat '
                       'Actors',
              'type': 'Remote Code Execution (RCE)',
              'vulnerability_exploited': 'CVE-2025-55182 (React2Shell)'}}