
Redazione RHC: 6 December 2025 09:19
We have often noted on this site that the window between the publication of an exploit and the start of active attacks is shrinking dramatically. That makes disciplined system patching all the more important: timely, rigorous update processes are the main lever for reducing the risk of compromise.
Two hacker groups with ties to China began exploiting a critical vulnerability in React Server Components within hours of its public disclosure. The flaw, CVE-2025-55182, carries the maximum CVSS score of 10.0 and has been nicknamed "React2Shell" by the community. It allows unauthenticated remote code execution on a vulnerable server. The issue has been fixed in React 19.0.1, 19.1.2 and 19.2.1, but projects that have not updated remain easy prey for attackers.
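Because the fix is version-specific, the first practical step is to find every copy of React and its Server Components transport packages in a project and compare them with the fixed releases named above. The following checker is an added example written for this article, not code from RHC, from Amazon or from the React project. It assumes an npm package-lock.json of lockfileVersion 2 or 3 (which lists every installed copy under `packages`), and it assumes that React Server Components are shipped through the `react-server-dom-webpack`, `react-server-dom-turbopack` and `react-server-dom-parcel` packages, versioned in lockstep with `react`; the sample lockfile embedded in it is constructed, not taken from a real project. Versions outside the three 19.x lines the article names fixes for are reported as "not covered" rather than assumed safe or vulnerable.

```javascript
// Added example (not RHC's, Amazon's or the React project's code): a lockfile
// check against the React2Shell fix levels listed in the article.
// Status is derived only from the fixed versions the article names; anything
// else is reported as "not-covered" instead of being guessed.

const FIXED_VERSIONS = ['19.0.1', '19.1.2', '19.2.1']; // from the article

// Assumption: React Server Components ship through these react-server-dom-*
// packages, versioned in lockstep with react, so these are the names we look for.
const RSC_PACKAGES = [
  'react',
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
  'react-server-dom-parcel',
];

// Parse "19.2.0" (or "19.2.0-canary-abc") into numeric [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Classify an installed version against the fix levels:
//   'vulnerable'  : same major.minor as a fixed release, but an earlier patch
//   'patched'     : same major.minor as a fixed release, patch >= fix level
//   'not-covered' : a line the article names no fix for (e.g. 18.x, 19.3+) or a
//                   pre-release of the fix itself; decide manually, do not assume safe
function classifyVersion(version) {
  const parsed = parseVersion(version);
  if (!parsed) return 'not-covered';
  const [major, minor, patch] = parsed;
  const prerelease = /-/.test(version);
  for (const fixed of FIXED_VERSIONS) {
    const [fMajor, fMinor, fPatch] = parseVersion(fixed);
    if (major === fMajor && minor === fMinor) {
      if (patch < fPatch) return 'vulnerable';
      // 19.2.1-canary-x sorts below 19.2.1 in semver: flag it rather than trust it
      if (patch === fPatch && prerelease) return 'not-covered';
      return 'patched';
    }
  }
  return 'not-covered';
}

// Walk a package-lock.json (lockfileVersion 2 or 3) and report every installed
// copy of a React/RSC package with its status. Nested copies such as
// node_modules/a/node_modules/react are included on purpose: a patched
// top-level react does not help if a dependency pins an older one.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the root project entry ("")
    const name = path.slice(idx + 'node_modules/'.length);
    if (!RSC_PACKAGES.includes(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classifyVersion(entry.version) });
  }
  return findings;
}

// Print one line per finding and return the number of vulnerable copies.
function report(lock) {
  const findings = scanLockfile(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
  }
  return findings.filter((f) => f.status === 'vulnerable').length;
}

// Constructed sample lockfile (not from a real project): a patched top-level
// react, a nested RSC transport package still on a vulnerable version, and an
// 18.x copy that the article's fix list says nothing about.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-dom': { version: '19.2.1' },
    'node_modules/some-framework': { version: '4.0.0' },
    'node_modules/some-framework/node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/legacy-widget/node_modules/react': { version: '18.3.1' },
  },
};

// CLI: `node react2shell-check.js path/to/package-lock.json`; with no argument
// the embedded sample is scanned. Guarded so the functions can also be imported.
if (typeof process !== 'undefined' && typeof require === 'function' && require.main === module) {
  const target = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  report(target);
}
```

Run it as `node react2shell-check.js package-lock.json` against a real lockfile; on the embedded sample it reports the nested `react-server-dom-webpack@19.2.0` as vulnerable even though the top-level `react` is already at 19.2.1, which is exactly the situation a quick `npm ls react` would hide.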
According to a report from Amazon Web Services, exploitation attempts against React2Shell were observed in AWS's MadPot honeypot infrastructure. The logs showed activity originating from IP addresses and servers previously linked to Chinese state-sponsored groups. Analysts attributed the activity to two groups, Earth Lamia and Jackpot Panda.
Earth Lamia is described as a China-affiliated group previously accused of exploiting a critical vulnerability in SAP NetWeaver (CVE-2025-31324). Its targeting is not limited to a single sector: it has hit financial institutions, logistics and retail companies, the IT sector, universities and government agencies across Latin America, the Middle East and Southeast Asia.
The second group, Jackpot Panda, traditionally targets companies that operate in or serve the online gambling market in East and Southeast Asia. According to CrowdStrike, it has been active since at least 2020 and prefers to enter victim networks through trusted third parties, compromising affiliated software supply chains to deliver its malware and gain initial access.
Researchers also noted that in one campaign the attackers used a trojanized installer for CloudChat, a messenger popular in Chinese-language underground gambling communities. The app's own website distributed an installer that kicked off a multi-stage chain ending in a new implant, XShade, whose code overlaps with CplRAT, the proprietary malware used by Jackpot Panda.
Amazon reports that, alongside React2Shell, the same operators are simultaneously exploiting other known vulnerabilities, including a flaw in NUUO cameras (CVE-2025-1338, CVSS 7.3). This indicates that they are not relying on a single bug but are mass-scanning the internet for outdated systems and combining several CVEs in a single wave of attacks.
According to CJ Moses, Amazon's chief information security officer, this is a typical, well-rehearsed playbook for advanced teams: they constantly monitor new vulnerability disclosures, fold published exploits into their scanning infrastructure within hours, and run campaigns against several vulnerabilities at once to maximize the chance of finding exposed targets. For anyone running React-based websites and services this means one thing: an application that uses React Server Components and has not yet been updated to a fixed version must be patched urgently and then reviewed for signs of compromise, since the exploit was in use within hours of disclosure.