China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)

Dec. 5, 2025, 6:28 p.m.

Description

Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. This critical vulnerability in React Server Components has a maximum Common Vulnerability Scoring System (CVSS) score of 10.0 and affects React versions 19.x and Next.js versions 15.x and 16.x when using App Router.

External References

https://otx.alienvault.com/pulse/69331d05a7d525a2c1cf508c
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
Tags
exploit
china-nexus
CVE-2025-1338
next.js
earth lamia
CVE-2025-55182
2025-12-05
jackpot panda
state sponsored
react2shell
react server
app router

Date

  • Created: Dec. 5, 2025, 5:57 p.m.
  • Published: Dec. 5, 2025, 5:57 p.m.
  • Modified: Dec. 5, 2025, 6:28 p.m.

Indicators

  • 45.77.33.136
  • 206.237.3.150
  • 183.6.80.214
  • 143.198.92.82
Download all indicators here!

Attack Patterns

  • China-nexus

Additional Informations

  • Retail
  • Technology
  • Transportation
  • Education
  • Finance
  • Government

Linked vulnerabilities

CVE-2025-1338

7.3
    NUUO Camera
Published: February 16, 2025

CVE-2025-55182

10.0
    Facebook
  • React Server Components
  • React Server Dom Parcel
  • React Server Dom Turbopack
  • React Server Dom Webpack
Published: December 3, 2025