Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, security researchers observed active exploitation attempts from several China-nexus cyber threat groups, including Earth Lamia and Jackpot Panda. This critical unauthenticated remote code execution vulnerability affects React Server Components in React 19.x and Next.js 15.x and 16.x when the App Router is enabled. While managed cloud services are not impacted, this information is being shared to help organizations running React or Next.js in their own environments take immediate action. The rapid surge in exploitation attempts reflects a consistent pattern in which China-linked threat actors quickly weaponize newly disclosed public vulnerabilities.
Background on the Threat Groups
Earth Lamia
Earth Lamia is a China-nexus threat actor heavily involved in exploiting web application vulnerabilities. Historical targeting includes:
- Financial services
- Logistics
- Retail
- IT organizations
- Universities
- Government sectors
The group is known for broad regional targeting across Latin America, the Middle East, and Southeast Asia.
Jackpot Panda
Jackpot Panda primarily targets entities across East and Southeast Asia, aligned with domestic security and corruption-related intelligence priorities. The group often leverages newly disclosed internet-facing vulnerabilities in its campaigns.
Vulnerability Details
- CVE-ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- EPSS Score: 27.19%
- Vulnerability Type: Unauthenticated Remote Code Execution (RCE)
- Affected Product: React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and Next.js versions 15.x, 16.x, 14.3.0-canary.77 and later canary releases when using App Router.
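The affected-version list above is easiest to act on as a lockfile audit. The script below is an added example (it is not part of the original advisory and not React or Next.js code): it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, flags the React Server Components versions the advisory names, and flags Next.js 15.x, 16.x and 14.3.0 canaries from `canary.77` on. Two assumptions are built in: that the RSC runtime is installed as one of the `react-server-dom-webpack`, `react-server-dom-parcel` or `react-server-dom-turbopack` packages, and the sample lockfile fragment, which is constructed for the demonstration.

```javascript
// Added example, not from the original advisory and not React/Next.js code:
// audit a package-lock.json (lockfileVersion 2/3 "packages" map) against the
// versions listed in the advisory.
// Assumption: the RSC runtime ships as one of the react-server-dom-* packages.
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
const AFFECTED_RSC = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// First fixed release of each affected minor line, as given in the advisory.
const PATCHED_RSC = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Minimal semver parser: major.minor.patch plus an optional pre-release tag.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function assessRsc(version) {
  if (AFFECTED_RSC.has(version)) {
    const line = version.split(".").slice(0, 2).join(".");
    return { status: "vulnerable", advice: `upgrade to ${PATCHED_RSC[line]}` };
  }
  return { status: "not listed", advice: "version is not in the advisory's affected list" };
}

function assessNext(version) {
  const s = parseSemver(version);
  if (!s) return { status: "unknown", advice: "unparseable version" };
  if (s.major === 15 || s.major === 16) {
    return { status: "affected line", advice: "15.x/16.x with App Router is in scope; confirm this is a patched release" };
  }
  // 14.3.0-canary.77 and later canary builds are also listed as affected.
  if (s.major === 14 && s.minor === 3 && s.patch === 0 && s.pre) {
    const c = /^canary\.(\d+)$/.exec(s.pre);
    if (c && +c[1] >= 77) {
      return { status: "affected line", advice: "14.3.0 canary at or after canary.77; move to a patched release" };
    }
  }
  return { status: "not listed", advice: "version is outside the advisory's affected ranges" };
}

// Walk every installed package, including nested node_modules copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!meta || !meta.version) continue;            // the "" root entry carries no version
    const name = path.split("node_modules/").pop();  // last segment is the package name
    if (RSC_PACKAGES.includes(name)) {
      findings.push({ name, version: meta.version, ...assessRsc(meta.version) });
    } else if (name === "next") {
      findings.push({ name, version: meta.version, ...assessNext(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/next": { version: "15.5.2" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/next": { version: "14.3.0-canary.80" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.status} (${f.advice})`);
}
```

A lockfile cannot tell you whether the App Router is enabled, so treat "affected line" as in scope for review rather than as confirmed exploitable; the advisory gives no Next.js fixed-version list, which is why the Next.js check only tells you to confirm the release is patched.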
Infection Method / Exploitation Technique
1. Immediate Operationalization
Within hours of disclosure, threat actors:
- Integrated public PoCs into scanning infrastructure
- Launched broad, automated exploitation campaigns
- Used multiple PoCs (including non-functional ones) to maximize hit rates
2. Automated and Manual Exploitation Attempts
Threat groups used:
- Automated scanners with user-agent randomization
- Individual PoC payloads
- Concurrent exploitation of other N-days (e.g., CVE-2025-1338)
3. Low-Quality PoCs Still Used Widely
Many public PoCs:
- Register dangerous modules such as `fs`, `child_process`, or `vm` in the RSC manifest, which real applications do not do
- Depend on test applications that would remain vulnerable even after patching
- Misunderstand RSC internals
Still, attackers rely on them because of:
- Speed over accuracy
- Volume over reliability
- Low barrier to entry
- Noise generation to obscure real attempts
4. Persistent, Manual Debugging Attempts
Notable example from the AWS MadPot honeypot:
- IP 183[.]6.80.214 conducted 116 requests over 52 minutes
- Systematically tested payloads
- Attempted:
  - Reconnaissance commands (`whoami`, `id`)
  - Reading `/etc/passwd`
  - Writing `/tmp/pwned.txt`
- Demonstrated live troubleshooting and adjustment of payloads
Impact
If exploited, React2Shell allows attackers to:
- Execute arbitrary commands remotely
- Read sensitive files (e.g., `/etc/passwd`)
- Write arbitrary files (e.g., `/tmp/pwned.txt`)
- Gain full control over vulnerable applications
- Pivot further into the hosting environment
Visual Flow
1. Public disclosure of CVE-2025-55182
2. China-nexus groups rapidly integrate public PoCs (Earth Lamia, Jackpot Panda, shared anonymization infrastructure, unattributed clusters)
3. Automated scanning and early exploitation attempts (user-agent randomization, repeated payload testing)
4. Manual debugging and refinement of exploit attempts (long-duration testing, `whoami`/`id` execution, file write attempts, reading `/etc/passwd`)
5. Integration into broader multi-CVE campaigns (simultaneous attempts against other N-days such as CVE-2025-1338)
6. Potential target compromise if the application remains unpatched (remote code execution, unauthorized actions, persistence attempts)
Indicators of Compromise (IOCs)
Network indicators
- HTTP POST requests to application endpoints with `next-action` or `rsc-action-id` headers
- Request bodies containing `$@` patterns
- Request bodies containing `"status":"resolved_model"` patterns
Host-based indicators
- Unexpected execution of reconnaissance commands (`whoami`, `id`, `uname`)
- Attempts to read `/etc/passwd`
- Suspicious file writes to the `/tmp/` directory (for example, `pwned.txt`)
- New processes spawned by Node.js/React application processes
Threat actor infrastructure
| IP Address | Date | Attribution |
|---|---|---|
| 206[.]237.3.150 | 2025-12-04 | Earth Lamia |
| 45[.]77.33.136 | 2025-12-04 | Jackpot Panda |
| 143[.]198.92.82 | 2025-12-04 | Anonymization network |
| 183[.]6.80.214 | 2025-12-04 | Unattributed threat cluster |
Mitigation Steps
- Systems running React 19.x with Server Functions and React Server Components should be updated to the patched versions 19.0.1, 19.1.2, or 19.2.1.
- Systems running Next.js 15 or 16 with the App Router should be updated to a patched version.
- Review application and web server logs for suspicious activity.
- Look for POST requests with `next-action` or `rsc-action-id` headers.
- Check for unexpected process execution or file modifications on application servers.
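The log review in the mitigation steps, and the network indicators listed under Indicators of Compromise, can be automated with the triage script below. It is an added example, not part of the original advisory and not vendor code: it reads access-log entries, matches the two action headers and the two body patterns named above, and ranks each hit. The JSON-lines log format and the sample entries are constructed for the demonstration (source addresses are from RFC 5737 documentation ranges); adapt `parseLine()` to your own server's log format.

```javascript
// Added example, not from the original advisory: triage access-log entries
// against the network indicators listed for CVE-2025-55182.
// The JSON-lines format and the sample entries below are constructed.
const HEADER_INDICATORS = ["next-action", "rsc-action-id"];

// Body patterns named in the advisory. They are literal fragments of the RSC
// wire format, so plain substring matching is enough.
const BODY_INDICATORS = [
  { name: "$@ reference", test: (body) => body.includes("$@") },
  { name: '"status":"resolved_model"', test: (body) => body.includes('"status":"resolved_model"') },
];

// HTTP header names are case-insensitive, so normalize before lookup.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Returns { severity, reasons } for one request:
//   "none"   not a POST, or no indicator matched
//   "review" action header only (normal for Server Actions) or body pattern only
//   "high"   action header plus at least one body pattern
function classifyRequest(entry) {
  const reasons = [];
  if ((entry.method || "").toUpperCase() !== "POST") return { severity: "none", reasons };
  const headers = lowerHeaders(entry.headers);
  const headerHits = HEADER_INDICATORS.filter((h) => h in headers);
  if (headerHits.length) reasons.push(`POST with ${headerHits.join(", ")} header`);
  const body = typeof entry.body === "string" ? entry.body : "";
  const bodyHits = BODY_INDICATORS.filter((ind) => ind.test(body));
  for (const ind of bodyHits) reasons.push(`body contains ${ind.name}`);
  let severity = "none";
  if (headerHits.length && bodyHits.length) severity = "high";
  else if (headerHits.length || bodyHits.length) severity = "review";
  return { severity, reasons };
}

// One JSON-lines entry per request; malformed lines are counted, not hidden.
function parseLine(line) {
  try {
    return { ok: true, entry: JSON.parse(line) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

function scanLog(text) {
  const findings = [];
  let malformed = 0;
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const parsed = parseLine(line);
    if (!parsed.ok) { malformed += 1; continue; }
    const { severity, reasons } = classifyRequest(parsed.entry);
    if (severity !== "none") {
      findings.push({ src: parsed.entry.src, path: parsed.entry.path, severity, reasons });
    }
  }
  return { findings, malformed };
}

// Constructed sample log (not captured traffic).
const SAMPLE_LOG = [
  JSON.stringify({ src: "198.51.100.10", method: "GET", path: "/", headers: { "user-agent": "Mozilla/5.0" }, body: "" }),
  JSON.stringify({ src: "198.51.100.11", method: "POST", path: "/", headers: { "next-action": "7f8e", "content-type": "text/plain" }, body: '["user-input"]' }),
  JSON.stringify({ src: "203.0.113.5", method: "POST", path: "/", headers: { "Next-Action": "x", "content-type": "multipart/form-data" }, body: '{"0":"$@1","1":{"status":"resolved_model"}}' }),
  JSON.stringify({ src: "203.0.113.6", method: "POST", path: "/api/login", headers: { "content-type": "application/json" }, body: '{"user":"a","status":"resolved_model"}' }),
  "not json at all",
].join("\n");

const report = scanLog(SAMPLE_LOG);
for (const f of report.findings) {
  console.log(`${f.severity.padEnd(6)} ${f.src} ${f.path} :: ${f.reasons.join("; ")}`);
}
console.log(`malformed lines skipped: ${report.malformed}`);
```

Every legitimate Next.js Server Action call carries a `next-action` header, so a header match on its own is routine traffic and is ranked "review"; the combination of an action header with one of the body patterns is what deserves immediate attention, and the source address can then be checked against the infrastructure table above.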
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
