
React2Shell critical flaw actively exploited in China-linked attacks

Multiple China-linked threat actors began exploiting the React2Shell vulnerability (CVE-2025-55182) affecting React and Next.js just hours after the maximum-severity issue was disclosed.

React2Shell is an insecure deserialization vulnerability in the React Server Components (RSC) ‘Flight’ protocol. Exploiting it does not require authentication and allows remote execution of JavaScript code in the server’s context.

For the Next.js framework there is a separate identifier, CVE-2025-66478, but that tracking number was rejected in the National Vulnerability Database’s CVE list as a duplicate of CVE-2025-55182.

The security issue is easy to leverage, and several proof-of-concept (PoC) exploits have already been published, increasing the risk of related threat activity.

The vulnerability spans multiple versions of the widely used library, potentially exposing thousands of dependent projects. Wiz researchers say that 39% of the cloud environments they can observe are vulnerable to React2Shell attacks.

React and Next.js have released security updates, but the issue is trivially exploitable without authentication and in the default configuration.


React2Shell attacks underway

A report from Amazon Web Services (AWS) warns that the China-linked threat actors Earth Lamia and Jackpot Panda began exploiting React2Shell almost immediately after the public disclosure.

“Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda,” reads the AWS report.

AWS’s honeypots also caught activity not attributed to any known cluster, but which nonetheless originates from China-based infrastructure.

Many of the attacking clusters share the same anonymization infrastructure, which further complicates individualized tracking and specific attribution.

Of the two known threat groups, Earth Lamia focuses on exploiting web application vulnerabilities.

Its typical targets include entities in the financial services, logistics, retail, IT, university, and government sectors across Latin America, the Middle East, and Southeast Asia.

Jackpot Panda’s targets are usually located in East and Southeast Asia, and its attacks are aimed at collecting intelligence on corruption and domestic security.


PoCs now available

Lachlan Davidson, the researcher who discovered and reported React2Shell, warned about fake exploits circulating online. Nonetheless, exploits confirmed as valid by Rapid7 researcher Stephen Fewer and Elastic Security’s Joe Desimone have appeared on GitHub.

The attacks that AWS observed leverage a mix of public exploits, including broken ones, combined with iterative manual testing and real-time troubleshooting against targeted environments.

The observed activity includes repeated attempts with different payloads, Linux command execution (whoami, id), attempts to create files (/tmp/pwned.txt), and attempts to read /etc/passwd.

“This behavior demonstrates that threat actors aren’t just running automated scans, but are actively debugging and refining their exploitation methods against live targets,” AWS researchers note.

Attack surface management (ASM) platform Assetnote has released a React2Shell scanner on GitHub that can be used to determine whether an environment is vulnerable to React2Shell.
