Just days after the disclosure of the React2Shell critical vulnerability, tracked as CVE-2025-55182, threat actors are actively exploiting the flaw in the wild.
The vulnerability carries a CVSS v3.1 score of 10, the highest possible severity rating.
Amazon Web Services (AWS) has confirmed that threat groups including Earth Lamia and Jackpot Panda, both linked to Chinese state interests, are among those launching exploitation attempts.
Earth Lamia is known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East and Southeast Asia.
The group has historically targeted sectors across financial services, logistics, retail, IT companies, universities, and government organizations.
Jackpot Panda primarily targets entities in East and Southeast Asia.
Over Two Million Instances Potentially Affected by React2Shell
Several functional proof-of-concept (PoC) exploits now exist for CVE-2025-55182.
The rapid weaponization of PoCs underscores the fact that sophisticated threat actors waste no time turning vulnerabilities into operational exploits.
Meanwhile, the Shadowserver Foundation has identified over 77,000 vulnerable IPs following a scan of exposed HTTP services across a wide variety of edge devices and other applications.
Censys observed just over 2.15 million instances of internet-facing services that may be affected by this vulnerability. This includes exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router and RedwoodSDK.
The bug is a pre-authentication remote code execution (RCE) vulnerability which exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. React issued a security advisory with the relevant patches and updates on December 3.
Any internet-accessible server running the affected React Server Components code should be assumed vulnerable until updated as a precaution, security researchers have warned.
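A version check against the lockfile is the quickest way to act on that advice, and it does not depend on whether a public PoC works. The following audit script is an added example, not code from the article or from the React project: it reads an npm package-lock.json and flags installs of React Server Components packages at the versions listed above (19.0.0, 19.1.0, 19.1.1, 19.2.0), including nested copies pulled in by a framework. The package names are an assumption: React Server Components ship as bundler-specific react-server-dom-* packages, and the set should be extended for other stacks. The sample lockfiles are constructed for the demonstration. It goes slightly beyond the text by handling both the flat lockfileVersion 2/3 layout and the nested lockfileVersion 1 layout.

```javascript
// Added example, not from the article or the React project: audit an npm
// package-lock.json for React Server Components packages at the versions the
// article lists as affected by CVE-2025-55182.
// Assumption: RSC is installed via the bundler-specific react-server-dom-*
// packages named below; extend the set for your own stack.

const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);

// Returns [{ path, name, version }] for every install of an RSC package whose
// version is on the affected list. lockfileVersion 2/3 keeps a flat "packages"
// map keyed by install path (nested copies under another package's
// node_modules appear there too); lockfileVersion 1 keeps a nested
// "dependencies" tree, which is walked recursively.
function findAffected(lockfile) {
  const findings = [];
  const check = (path, name, version) => {
    if (RSC_PACKAGES.has(name) && AFFECTED_VERSIONS.has(version)) {
      findings.push({ path, name, version });
    }
  };

  if (lockfile.packages) {
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      if (path === "" || !meta.version) continue; // "" is the root project itself
      // Package name is the segment after the last "node_modules/";
      // scoped names keep their "@scope/" prefix. Aliased entries carry "name".
      const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      check(path, name, meta.version);
    }
    return findings;
  }

  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(path, name, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, "");
  return findings;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_LOCKFILE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" }, // core react, not an RSC package: not flagged
    "node_modules/react-server-dom-webpack": { version: "19.2.0" }, // flagged
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.1.1" }, // nested copy: flagged
    "node_modules/react-server-dom-parcel": { version: "0.0.0-constructed" }, // not on the list: not flagged
  },
};

const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-framework": {
      version: "0.0.0-constructed",
      dependencies: { "react-server-dom-webpack": { version: "19.0.0" } }, // nested: flagged
    },
    react: { version: "19.0.0" }, // not an RSC package: not flagged
  },
};

// Runs the audit over both constructed lockfiles and returns the findings.
function auditSamples() {
  return {
    v3: findAffected(SAMPLE_LOCKFILE_V3),
    v1: findAffected(SAMPLE_LOCKFILE_V1),
  };
}

for (const [kind, findings] of Object.entries(auditSamples())) {
  for (const f of findings) console.log(`${kind}: ${f.name}@${f.version} at ${f.path}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`. Two caveats: the lockfile only describes what was installed if node_modules was installed from it, and the affected list is the one the article gives, so any version it does not flag should still be confirmed against React's advisory rather than assumed safe.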
Alongside the impact from potential malicious exploitation, remediation of the flaw could also have adverse consequences. For instance, on December 5, 2025, significant failures affecting Cloudflare’s network occurred. The network provider has since confirmed that the incident was triggered by changes being made to body parsing logic while attempting to detect and mitigate the React2Shell vulnerability.
PoCs Not All Created Equally
The AWS investigation pointed out that threat actors use both automated scanning tools and individual PoC exploits.
Some of these malicious actors are monitoring for new CVE disclosures and rapidly integrate public exploits into their scanning infrastructure.
However, AWS observed that many threat actors are attempting to use public PoCs that don’t work in real-world scenarios.
Earlier, security firm JFrog also warned that there are fake PoCs available on GitHub and noted that some of these types of projects often contain malicious code themselves.
Many of the public PoCs contain technical inaccuracies, according to AWS. However, threat actors are still attempting to use them.
AWS said the use of these PoCs shows that threat actors prioritize rapid operationalization over thorough testing, attempting to exploit targets with any available tool.
Using multiple PoCs to scan for vulnerable environments also gives threat actors a higher chance of identifying vulnerable configurations, even if the PoCs are non-functional.
The availability of the PoCs also allows less sophisticated actors to participate in exploitation campaigns.
Finally, AWS notes that even failed exploitation attempts create significant noise in logs, potentially masking more sophisticated attacks.
The invalid PoCs can give developers a false sense of security when testing for React2Shell.
In a repository dedicated to React2Shell, Lachlan Davidson, the security researcher who discovered the vulnerability, wrote: “Many of these ‘PoCs’ have been referenced in publications, and even some vulnerability aggregators. We are concerned that these may lead to false negatives when evaluating if a service is vulnerable, or lead to unpreparedness if or when a genuine PoC surfaces.”
