Amazon has detected active exploitation of the critical React2Shell vulnerability (CVE-2025-55182) by Chinese state hackers. The Earth Lamia and Jackpot Panda groups began exploiting it within hours of its publication on December 3, 2025. The vulnerability affects React 19.x and Next.js 15.x/16.x with App Router.
The vulnerability received the maximum CVSS score of 10.0. It allows attackers to execute code on vulnerable servers remotely, without authentication. Meta discovered the issue in late November and worked on a coordinated fix with cloud providers.
Amazon security researchers warned on December 3 that Chinese cyber threat groups immediately weaponized the vulnerability. The speed with which they operationalized public proof-of-concept exploits is concerning, the company said. China remains the most prolific source of state-sponsored cyberattacks.
Through the AWS MadPot honeypot infrastructure, Amazon identified both known groups and new threat clusters. Earth Lamia targets organizations in Latin America, the Middle East, and Southeast Asia through web application vulnerabilities. Jackpot Panda mainly attacks entities in East and Southeast Asia.
Attribution remains difficult due to shared anonymization infrastructure. Large anonymization networks have become a hallmark of Chinese cyber operations. Multiple hacking groups use these networks simultaneously, making it difficult to attribute activities to individual actors.
A notable example: IP address 183.6.80.214 spent nearly an hour systematically troubleshooting exploitation attempts. In 52 minutes, this actor sent 116 requests and attempted to execute Linux commands. This behavior shows that threat actors are not only running automated scans, but are actively refining their exploitation techniques.
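The pattern described above (one source, many requests, a long working session) can be looked for in a server's own access logs. The following sketch is an added example, not code from Amazon's report: it groups requests per source IP into sessions and reports the sustained ones. The log format, the thresholds, and the sample lines (which use documentation IP ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-style prefix: source IP and bracketed timestamp.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def sessions(lines, gap=timedelta(minutes=5)):
    """Group requests per source IP into sessions, split on idle gaps > gap."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:  # skip lines that do not parse
            by_ip[m.group(1)].append(datetime.strptime(m.group(2), TS_FMT))
    out = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = prev = stamps[0]
        count = 1
        for ts in stamps[1:]:
            if ts - prev > gap:  # idle too long: close the session
                out.append((ip, start, prev, count))
                start, count = ts, 0
            prev, count = ts, count + 1
        out.append((ip, start, prev, count))
    return out

def sustained(lines, min_requests=50, min_duration=timedelta(minutes=30)):
    """Return (ip, duration, requests) for long, busy sessions (assumed thresholds)."""
    return [(ip, end - start, n) for ip, start, end, n in sessions(lines)
            if n >= min_requests and end - start >= min_duration]

def sample_log():
    """Constructed sample: one source iterating for 52 min, one quick scanner."""
    base = datetime.strptime("03/Dec/2025:10:00:00 +0000", TS_FMT)
    row = '{} - - [{}] "POST / HTTP/1.1" 500 0'
    def at(sec):
        return (base + timedelta(seconds=sec)).strftime(TS_FMT)
    slow = [row.format("192.0.2.10", at(i * 3120 // 115)) for i in range(116)]
    scan = [row.format("198.51.100.7", at(600 + i)) for i in range(3)]
    return slow + scan

if __name__ == "__main__":
    for ip, duration, n in sustained(sample_log()):
        print(f"{ip}: {n} requests over {duration}")
```

Sources behind shared anonymization infrastructure may rotate addresses, so a per-IP view like this undercounts; it is a triage aid, not an attribution tool.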
Protection and recommendations
AWS implemented multiple layers of protection via Sonaris Active Defense, AWS WAF managed rules, and perimeter security controls. Applications are vulnerable as soon as they support React Server Components (RSC), even without explicit server functions.
Companies using managed AWS services are not affected. Organizations running React or Next.js in their own environments on EC2 or containers should immediately update to the patched versions.
Amazon emphasizes that application-layer vulnerabilities are difficult to detect in full with network telemetry.