Within hours of the vulnerability's disclosure, two hacking groups associated with China have begun exploiting a critical security flaw in React Server Components. Known as CVE-2025-55182, or React2Shell, this vulnerability has a maximum severity score of 10.0 on the CVSS scale and permits unauthenticated remote code execution.
According to a report from Amazon Web Services (AWS), the groups identified as Earth Lamia and Jackpot Panda have been linked to these exploitation attempts. Earth Lamia has a history of attacks, including exploiting a significant flaw in SAP NetWeaver earlier this year. Their targets have spanned across various sectors, including financial services, logistics, and government organizations in regions like Latin America, the Middle East, and Southeast Asia.
Jackpot Panda, active since at least 2020, has concentrated its efforts on entities involved in online gambling in East and Southeast Asia. This group has previously been involved in the supply chain compromise of a chat application named Comm100 in September 2022. Notably, a Chinese hacking contractor, I-Soon, has been implicated in this supply chain breach due to overlapping infrastructure.
The ongoing attacks in 2023 appear to be targeting primarily Chinese-speaking victims, hinting at possible domestic surveillance activities by the threat actors.