Just hours after a maximum-severity vulnerability dubbed React2Shell was disclosed on December 3, Amazon threat intelligence teams observed active exploitation attempts from infrastructure linked to Earth Lamia, Jackpot Panda and other China state-nexus threat groups.
The critical vulnerability, which affects React versions 19.x and Next.js versions 15.x and 16.x when App Router is in use, has a Common Vulnerability Scoring System (CVSS) score of 10.0.
“React2Shell (CVE-2025-55182) represents a critical web supply-chain vulnerability: an easily exploitable, unauthenticated Remote Code Execution (RCE) in React Server Components (RSC),” says Noelle Murata, Sr. Security Engineer at Xcape, Inc.
Through the flaw, attackers can “compromise applications with default configurations, and we’ve already witnessed in-the-wild exploitation within hours of its disclosure,” Murata says.
Though the bug doesn’t affect AWS services, the AWS researchers felt it was important to share threat intelligence that could help their customers.
Noting that China “continues to be the most prolific source of state-sponsored cyberthreat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure,” the researchers said that, through monitoring in the AWS MadPot honeypot infrastructure, “Amazon threat intelligence teams have identified both known groups and previously untracked threat clusters attempting to exploit CVE-2025-55182.” AWS “has deployed multiple layers of automated protection through Sonaris active defense, AWS WAF managed rules (AWSManagedRulesKnownBadInputsRuleSet version 1.24 or higher), and perimeter security controls.”
But, they warn, those protections are not substitutes for patching.
“Given the widespread exposure in cloud environments, immediate patching and compromise hunting are crucial, especially for organizations utilizing React 19 or Next.js RSC features externally,” says Murata. “The rapid weaponization of this vulnerability, which affects a core component of modern web development, necessitates that security teams prioritize the patch above all else.”
Both React and Next.js have released security updates; until those updates are applied, however, the flaw is exploitable without authentication against applications running in the default configuration.
A change Cloudflare rolled out to mitigate the vulnerability caused a widespread outage, taking websites and online platforms worldwide down and sending back a “500 Internal Server Error” message.
“This was not an attack; the change was deployed by our team to help mitigate the industry-wide vulnerability disclosed this week in React Server Components,” Cloudflare said.
That Cloudflare took down “a chunk of the internet to emergency-patch React Server Components tells you everything about the severity calculus here,” says Michael Bell, founder and CEO at Suzu Labs.
“When the risk of exploitation outweighs the risk of a self-inflicted outage, you patch. Every organization running React 19.x or Next.js 15.x/16.x with App Router should be asking themselves: if Cloudflare couldn’t wait until a maintenance window, why can you?” he says.
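A first step toward answering that question is knowing which applications fall inside the version ranges the article names (React 19.x; Next.js 15.x or 16.x with App Router). The script below is an added example, not code from the article, from AWS or from the React or Next.js projects. It reads a package.json object and a repository file list, resolves the major versions of `react` and `next` from their dependency specs, and treats the presence of a root `app/layout.*` (or `src/app/layout.*`) as the App Router signal. The function names, the sample package.json objects and the file lists are all constructed for this example; the script does not know which releases carry the fix, so a hit means “confirm against the vendor advisory and patch”, not “exploitable”.

```javascript
// Added example (not from the article, AWS, React or Next.js): inventory check
// for the version ranges the article names as affected by CVE-2025-55182.
// Patched releases are deliberately not encoded here; a hit means "confirm
// against the vendor advisory and patch", not "confirmed exploitable".

// Extract the major version from a package.json dependency spec.
// Handles exact versions, ^/~ ranges and ">=X" style specs; returns null when
// the major cannot be determined (git URLs, "*", "latest", dist-tags), in
// which case the installed version must be read from the lockfile instead.
function majorFromSpec(spec) {
  if (typeof spec !== "string") return null;
  const m = spec.trim().match(/^[\^~>=<\s]*v?(\d+)(?:\.\d+)?(?:\.\d+)?/);
  return m ? Number(m[1]) : null;
}

// App Router is in use when a root layout file exists under app/ or src/app/.
// filePaths is the repository file list (for example from `git ls-files`).
const APP_ROUTER_LAYOUT = /^(?:src\/)?app\/layout\.(?:js|jsx|ts|tsx)$/;
function usesAppRouter(filePaths) {
  return filePaths.some((p) => APP_ROUTER_LAYOUT.test(p.replace(/\\/g, "/")));
}

// Classify one project against the ranges named in the article.
function assessExposure(pkg, filePaths) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const reactMajor = majorFromSpec(deps.react);
  const nextMajor = majorFromSpec(deps.next);
  const appRouter = usesAppRouter(filePaths);
  const nextInRange = nextMajor === 15 || nextMajor === 16;
  const reasons = [];

  if (reactMajor === 19) reasons.push("react 19.x");
  if (nextInRange) {
    reasons.push(
      appRouter
        ? `next ${nextMajor}.x with App Router`
        : `next ${nextMajor}.x but no app/layout.* found; confirm which router is in use`
    );
  }
  if ((deps.react && reactMajor === null) || (deps.next && nextMajor === null)) {
    reasons.push("unresolvable version spec; read the installed version from the lockfile");
  }

  return {
    name: pkg.name,
    reactMajor,
    nextMajor,
    appRouter,
    inAffectedRange: reactMajor === 19 || (nextInRange && appRouter),
    reasons,
  };
}

// Constructed sample inputs (not real projects).
const SAMPLE_APP_ROUTER = {
  pkg: { name: "shop-web", dependencies: { next: "^15.1.0", react: "^19.0.0", "react-dom": "^19.0.0" } },
  files: ["package.json", "src/app/layout.tsx", "src/app/page.tsx"],
};
const SAMPLE_PAGES_ROUTER = {
  pkg: { name: "legacy-site", dependencies: { next: "~14.2.3", react: "18.3.1" } },
  files: ["package.json", "pages/index.js", "pages/_app.js"],
};

for (const s of [SAMPLE_APP_ROUTER, SAMPLE_PAGES_ROUTER]) {
  console.log(JSON.stringify(assessExposure(s.pkg, s.files)));
}
```

Run it over every deployable repository rather than a sample of them; the `reasons` field is there so a project whose spec cannot be resolved (a git URL or a dist-tag) is surfaced for a lockfile check rather than silently counted as out of range.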
AWS said its analysis of exploitation attempts against its MadPot honeypot infrastructure found that the attempts came from IP addresses and infrastructure historically linked to Chinese state-nexus threat actors, though the researchers stop short of definitive attribution because Chinese threat groups share anonymization infrastructure. Earth Lamia typically exploits web application vulnerabilities to target organizations in Latin America, the Middle East and Southeast Asia. Its targets are typically financial services, logistics, retail and IT companies, universities, and government organizations, AWS researchers said.
They also believe the exploitation indicates infrastructure associated with Jackpot Panda, a threat actor whose targets are typically entities in East and Southeast Asia. “The activity likely aligns to collection priorities pertaining to domestic security and corruption concerns,” AWS researchers said.
The speed at which attackers act is alarming, but it is becoming de rigueur. “Hours from disclosure to active exploitation by nation-state actors is the new normal, and it’s only going to accelerate,” says Bell.
“China-nexus groups like Earth Lamia and Jackpot Panda have industrialized their vulnerability response: they monitor disclosures, grab public PoCs (even broken ones), and spray them at scale before most organizations have finished reading the advisory,” he says.
Bell points to AWS’s report of attackers “debugging exploits in real-time against honeypots,” which, he says, “demonstrates this isn’t automated scanning; it’s hands-on keyboard operators racing to establish persistence before patches roll out.”
As AI tools increasingly become “capable of parsing vulnerability disclosures and generating exploit code,” Bell expects “the window between disclosure and weaponization to shrink from hours to minutes.”