Amazon and Wiz threat intelligence teams report that China-nexus threat groups (tracked as “Earth Lamia” and “Jackpot Panda”) have rapidly scaled their exploitation of the critical “React2Shell” vulnerability (CVE-2025-55182). Attackers are actively scanning for and compromising unpatched Next.js and React applications to establish persistent footholds.
Business Impact
The speed of weaponization—within hours of disclosure—demonstrates the high value of this vulnerability to espionage groups. Unpatched web servers are being converted into operational nodes for further attacks, data exfiltration, or lateral movement within cloud environments.
Why It Happened
The vulnerability allows for unauthenticated remote code execution via the React Flight protocol. State actors are prioritizing it because it bypasses standard authentication layers on widely used, public-facing web infrastructure.
Recommended Executive Action
This remains the top priority. Ensure your engineering teams have updated React to version 19.0.1+ and Next.js to the latest safe versions. If patching is delayed, deploy specific WAF rules to block malicious “React Flight” payloads immediately.
