Two Chinese state-affiliated hacking groups, Earth Lamia and Jackpot Panda, have been observed actively exploiting a newly disclosed, critical vulnerability in React Server Components (RSC) within hours of its public release. This zero-day exploitation marks a swift and aggressive response from threat actors to weaponize the maximum-severity flaw, identified as CVE-2025-55182, also known as React2Shell.
The vulnerability, which carries a CVSS score of 10.0, allows for unauthenticated remote code execution. React versions 19.0.1, 19.1.2, and 19.2.1 have been patched to address this critical security gap. Amazon Web Services (AWS) reported these exploitation attempts were detected within their MadPot honeypot infrastructure, indicating a coordinated effort to leverage the weakness.
Swift Exploitation of React Server Components Vulnerability
The rapid weaponization of CVE-2025-55182 highlights the constant threat posed by sophisticated cyber-espionage actors. According to a report by Amazon Integrated Security CISO CJ Moses, exploitation activity originating from IP addresses and infrastructure historically linked to China-nexus threat actors was identified. This immediate response underscores the preparedness of these groups to capitalize on newly discovered vulnerabilities.
AWS specifically identified infrastructure associated with Earth Lamia, a group previously linked to attacks exploiting a critical SAP NetWeaver flaw earlier this year. Earth Lamia has a broad attack profile, targeting sectors including financial services, logistics, retail, IT, universities, and government organizations across Latin America, the Middle East, and Southeast Asia. Their targeting suggests a wide-ranging interest in disrupting and collecting intelligence from diverse entities.
Simultaneously, exploitation attempts were also traced to infrastructure linked to Jackpot Panda, another China-nexus cyber threat actor. Jackpot Panda has primarily focused on entities involved in or supporting online gambling operations, particularly in East and Southeast Asia. This specific targeting indicates a strategic interest in the lucrative online gambling market and its associated financial flows.
Understanding Jackpot Panda’s Tactics
Jackpot Panda has been active since at least 2020, according to analysis by CrowdStrike. The group is known for targeting trusted third-party relationships as a pathway to deploy malicious implants and gain initial access. A notable incident involved the supply chain compromise of a chat application, Comm100, in September 2022, an activity tracked by ESET as Operation ChattyGoblin. Recent reports suggest that a Chinese hacking contractor, I-Soon, may have been involved in this supply chain attack due to overlapping infrastructure.
Interestingly, Jackpot Panda’s operations in 2023 have shown a discernible shift towards targeting Chinese-speaking victims, potentially indicating a focus on domestic surveillance or information gathering within China. This evolution in their targeting strategy requires continuous monitoring.
CrowdStrike detailed how the group employed a trojanized installer for CloudChat, a popular Chinese chat application used by illegal gambling communities. This installer initiated a multi-step process culminating in the deployment of XShade, a novel implant exhibiting code overlaps with Jackpot Panda’s unique CplRAT implant. Such sophisticated supply chain attacks demonstrate the long-term planning and execution capabilities of these threat actors.
Broader Exploitation and Future Implications
Amazon’s analysis also revealed that threat actors are exploiting CVE-2025-55182 in conjunction with other publicly known vulnerabilities, referred to as N-day flaws. These include a vulnerability in NUUO Camera (CVE-2025-1338), suggesting a broad scanning effort across the internet to identify and exploit any unpatched systems. This dual approach allows attackers to maximize their chances of compromising vulnerable environments.
The observed activity includes attempts to execute discovery commands, such as “whoami,” write files to temporary directories like “/tmp/pwned.txt,” and extract sensitive information by reading files such as “/etc/passwd.” These actions are typical reconnaissance steps employed by attackers to map out compromised systems and identify valuable data.
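The three indicators named above (a "whoami" discovery command, a file write to "/tmp/pwned.txt", and a read of "/etc/passwd") are concrete enough to turn into a host-side detection. The following is an added example written for this article, not code from Amazon or from the React project: it scans process-execution audit lines for those indicators and flags the ones spawned by the web server process, where server-side code execution would land. The audit line format, the sample lines, and the "node" parent-process heuristic are constructed assumptions for the example.

```javascript
// Added example (not from the report): flag the reconnaissance the article lists
// (whoami, /tmp/pwned.txt, /etc/passwd) in process-execution audit lines.

// Indicator strings come from the article; the regex forms are assumptions.
const INDICATORS = [
  { name: 'discovery: whoami', re: /(^|[\s;|&'"])whoami(?=$|[\s;|&'"])/ },
  { name: 'file write: /tmp/pwned.txt', re: /\/tmp\/pwned\.txt/ },
  { name: 'sensitive read: /etc/passwd', re: /\/etc\/passwd/ },
];

// Constructed sample audit lines. The assumed format is
// "<iso-time> pid=<n> ppid=<n> comm=<parent process> exe="<command line>"".
const SAMPLE_LINES = [
  '2025-12-04T10:01:02Z pid=4412 ppid=4401 comm=node exe="sh -c whoami"',
  '2025-12-04T10:01:03Z pid=4413 ppid=4401 comm=node exe="sh -c echo pwned > /tmp/pwned.txt"',
  '2025-12-04T10:01:04Z pid=4414 ppid=4401 comm=node exe="cat /etc/passwd"',
  '2025-12-04T10:01:05Z pid=4415 ppid=1 comm=cron exe="/usr/bin/logrotate /etc/logrotate.conf"',
  '2025-12-04T10:01:06Z pid=4416 ppid=4401 comm=node exe="node /srv/app/worker.js"',
];

// Parse one audit line into its fields; returns null for lines in another format.
function parseLine(line) {
  const m = line.match(/^(\S+) pid=(\d+) ppid=(\d+) comm=(\S+) exe="(.*)"$/);
  if (!m) return null;
  return { time: m[1], pid: Number(m[2]), ppid: Number(m[3]), comm: m[4], exe: m[5] };
}

// Return one finding per line that matches at least one indicator.
// spawnedByWebServer is true when the parent is the Node process serving the app;
// treating that as the higher-severity case is an assumption of this example.
function scanLines(lines) {
  const findings = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const hits = INDICATORS.filter((i) => i.re.test(ev.exe)).map((i) => i.name);
    if (hits.length === 0) continue;
    findings.push({
      time: ev.time,
      pid: ev.pid,
      spawnedByWebServer: ev.comm === 'node',
      indicators: hits,
      raw: line,
    });
  }
  return findings;
}

// Count findings by severity so a dashboard or alert rule can key off the numbers.
function summarize(findings) {
  const high = findings.filter((f) => f.spawnedByWebServer).length;
  return { total: findings.length, fromWebServer: high, other: findings.length - high };
}

const findings = scanLines(SAMPLE_LINES);
for (const f of findings) {
  console.log(`${f.time} pid=${f.pid} ${f.spawnedByWebServer ? 'HIGH' : 'low '} ${f.indicators.join(', ')}`);
}
console.log(summarize(findings));
```

In the sample, the three lines spawned by the Node parent are flagged and the unrelated cron job is not; in production the parent-process name would be whatever user the application server runs as, and the indicator list should be extended from the vendor advisory rather than this article alone.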
“This demonstrates a systematic approach: threat actors monitor for new vulnerability disclosures, rapidly integrate public exploits into their scanning infrastructure, and conduct broad campaigns across multiple Common Vulnerabilities and Exposures (CVEs) simultaneously to maximize their chances of finding vulnerable targets,” Moses stated. This proactive and widespread exploitation strategy poses a significant challenge for organizations trying to secure their networks.
Looking ahead, the immediate priority for organizations using React Server Components will be to apply the available patches for versions 19.0.1, 19.1.2, and 19.2.1. Continuous monitoring of network traffic for indicators of compromise related to CVE-2025-55182 and similar vulnerabilities will be crucial. Security teams should also remain vigilant for further activity from Earth Lamia and Jackpot Panda, as their exploitation patterns evolve.
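Applying the patches starts with knowing which copies of React an application actually ships, including nested duplicates a lockfile can hide. The following is an added example, not tooling from the React project or from AWS: it walks a package-lock.json "packages" map, finds every installed "react" entry, and reports whether each is at or above the patched release the article names for its minor line (19.0.1, 19.1.2, 19.2.1). The lockfile fragment is constructed, and the rule that any 19.0/19.1/19.2 release below the named patch level needs updating is this example's reading of the article; versions outside those lines are reported as unknown rather than assumed safe.

```javascript
// Added example (not React's own tooling): audit a package-lock.json for React
// releases below the patched versions named in the advisory coverage above.

// Minor line -> first patched patch level, from the article (19.0.1, 19.1.2, 19.2.1).
const PATCHED = { '19.0': 1, '19.1': 2, '19.2': 1 };

// Parse "19.2.0", "v19.2.0" or "^19.2.0" into numeric parts; null if unparseable.
function parseSemver(v) {
  const m = String(v).trim().replace(/^[\^~=v]+/, '').match(/^(\d+)\.(\d+)\.(\d+)/);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// 'patched'  : at or above the fixed release for that minor line
// 'update'   : a 19.0/19.1/19.2 release below the fixed one (assumption: needs the patch)
// 'unknown'  : a line the article does not cover; check the vendor advisory instead
function assessReactVersion(version) {
  const s = parseSemver(version);
  if (!s) return 'unknown';
  const line = `${s.major}.${s.minor}`;
  if (!(line in PATCHED)) return 'unknown';
  return s.patch >= PATCHED[line] ? 'patched' : 'update';
}

// Lockfile v2/v3 keeps a flat "packages" map keyed by install path, so nested
// copies such as node_modules/some-lib/node_modules/react are found too.
function auditLockfile(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/react' || path.endsWith('/node_modules/react')) {
      results.push({ path, version: meta.version, status: assessReactVersion(meta.version) });
    }
  }
  return results;
}

// True only when every installed copy is at a patched release.
function lockfileIsPatched(lock) {
  const results = auditLockfile(lock);
  return results.length > 0 && results.every((r) => r.status === 'patched');
}

// Constructed lockfile fragment: the top-level react is one patch behind,
// a vendored dependency pins its own copy that is already fixed.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { react: '^19.2.0' } },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/legacy-widget/node_modules/react': { version: '19.0.1' },
    'node_modules/react-dom': { version: '19.2.0' },
  },
};

console.table(auditLockfile(SAMPLE_LOCK));
console.log('all copies patched:', lockfileIsPatched(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; the same walk applies to any other package whose fixed versions the vendor advisory lists, by changing the path suffix and the PATCHED table.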