Two China-linked hacking groups began weaponizing the newly revealed React Server Components vulnerability within hours of its public disclosure. The security flaw, tracked as CVE-2025-55182 with a maximum CVSS score of 10.0, allows unauthenticated remote code execution and has been patched in React versions 19.0.1, 19.1.2, and 19.2.1.
AWS Detects Rapid Exploitation Attempts
According to a report shared by Amazon Web Services, the groups Earth Lamia and Jackpot Panda attempted to exploit the flaw almost immediately.
CJ Moses, CISO at Amazon Integrated Security, said in a note shared with SCtoCS that AWS MadPot honeypots detected malicious traffic from infrastructure historically tied to Chinese state-linked threat actors.
Earth Lamia was previously associated with attacks exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324). The group has targeted several sectors including financial services, logistics, retail, IT, education, and government organizations across Latin America, the Middle East, and Southeast Asia.
Jackpot Panda, another China-nexus threat actor, is known for targeting businesses connected to online gambling operations across East and Southeast Asia. The group has been active since at least 2020 and was previously involved in the Comm100 supply chain compromise, also tracked by ESET as Operation ChattyGoblin.
Links to Earlier Supply Chain Attacks
Investigations later indicated that the Chinese contractor i-Soon may have played a role in the Comm100 incident due to infrastructure overlaps. CrowdStrike noted that attacks carried out by Jackpot Panda in 2023 mainly focused on Chinese-speaking victims, which may point to domestic surveillance.
CrowdStrike also highlighted a case from May 2023 when attackers distributed a trojanized installer for CloudChat, a chat application used among Chinese-speaking gambling groups. The installer deployed XShade, a custom implant linked to Jackpot Panda’s earlier CplRAT malware.
Attackers Target Multiple Vulnerabilities Simultaneously
AWS researchers also observed the threat actors exploiting CVE-2025-55182 along with other N-day vulnerabilities, including a flaw in NUUO Camera systems (CVE-2025-1338, CVSS score 7.3). This activity suggests a broad scanning effort aimed at discovering unpatched systems worldwide.
Detected malicious actions included attempts to run reconnaissance commands such as whoami, create files like /tmp/pwned.txt, and access sensitive system data including /etc/passwd.
Evidence of Systematic and Rapid Adaptation
AWS emphasized that the attackers quickly integrated the exploit into their scanning operations, demonstrating a pattern in which Chinese-linked groups monitor new vulnerability disclosures and launch broad campaigns targeting multiple CVEs at once.
Cloudflare Outage Connected to React2Shell Patch
The widespread Cloudflare outage seen this week was also linked to efforts to deploy protections against React2Shell. The company stated that an internal change to its Web Application Firewall briefly caused network unavailability and triggered 500 error messages across various services.
Cloudflare clarified that it was not an attack. Instead, the issue was tied to adjustments made to mitigate the newly disclosed React Server Components vulnerability.


