A critical security flaw in React Server Components (RSC), identified as CVE-2025-55182 and rated with a CVSS score of 10.0, has quickly drawn the attention of cybercriminals, specifically two hacking groups linked to China. The vulnerability, which permits unauthenticated remote code execution, was disclosed recently and has already been exploited by threat actors targeting various sectors.
According to a recent report by Amazon Web Services (AWS), the groups, referred to as Earth Lamia and Jackpot Panda, have been observed exploiting this severe security flaw shortly after its public disclosure. CJ Moses, Chief Information Security Officer at AWS, stated that their analysis of activity within the AWS MadPot honeypot infrastructure revealed attempts to exploit the flaw from IPs historically associated with known China-related threat actors.
Earth Lamia is notable for previous successful exploits, including a critical flaw in SAP NetWeaver earlier this year. This group has targeted a wide array of sectors, including financial services, logistics, retail, information technology, academia, and governmental organizations across Latin America, the Middle East, and Southeast Asia.
Jackpot Panda, another identified cyber threat actor, primarily focuses on entities tied to online gambling operations within East and Southeast Asia. Active since at least 2020, Jackpot Panda has been known to infiltrate trusted third-party relationships to deploy malicious implants and gain initial system access. In 2022, the group was linked to a supply chain compromise involving the chat application Comm100. The group has also targeted Chinese-speaking victims, leading experts to suggest possible domestic surveillance efforts within China.
AWS’s report indicates that both Earth Lamia and Jackpot Panda are not merely exploiting the recent vulnerability in isolation. They also appear to be leveraging other known vulnerabilities, including CVE-2025-1338 in NUUO Camera, with a CVSS score of 7.3. Such activity suggests a systematic method of operation where threat actors vigilantly monitor new vulnerability disclosures and swiftly integrate public exploits into their scanning infrastructure. This approach significantly enhances their potential to locate vulnerable targets.
Amid this activity, Cloudflare experienced a brief but widespread outage attributed to the implementation of a patch addressing the React2Shell vulnerability. The web infrastructure provider confirmed that the outage, which resulted in numerous websites and online platforms displaying a “500 Internal Server Error,” was not the result of an attack but was instead caused by changes made to how its Web Application Firewall handles requests.
The urgency surrounding the React Server Components vulnerability has heightened awareness across the tech industry, emphasizing the need for immediate upgrades to the latest React versions—19.0.1, 19.1.2, and 19.2.1—to mitigate potential risks posed by these cyber threat actors.

