React2Shell exploited hours after discovery
"Amazon detects active attacks by Chinese state hackers on the critical React2Shell vulnerability (CVE-2025-55182). The Earth Lamia and Jackpot Panda groups began exploiting it within hours of its publication on December 3, 2025. The vulnerability affects React 19.x and Next.js 15.x/16.x with App Router. The vulnerability received the maximum CVSS score of 10.0. It allows attackers to execute code on vulnerable servers remotely, without authentication."
"Amazon security researchers warned on December 3 that Chinese cyber threat groups immediately weaponized the vulnerability. The speed with which they operationalized public proof-of-concept exploits is concerning, the company said. China remains the most prolific source of state-sponsored cyberattacks. Through the AWS MadPot honeypot infrastructure, Amazon identified both known groups and new threat clusters. Earth Lamia targets organizations in Latin America, the Middle East, and Southeast Asia through web application vulnerabilities. Jackpot Panda mainly attacks entities in East and Southeast Asia."
"Attribution remains difficult due to shared anonymization infrastructure. Large anonymization networks have become a hallmark of Chinese cyber operations. Multiple hacking groups use these networks simultaneously, making it difficult to attribute activities to individual actors. A notable example: IP address 183.6.80.214 spent nearly an hour systematically troubleshooting exploitation attempts. In 52 minutes, this actor sent 116 requests and attempted to execute Linux commands. This behavior shows that threat actors are not only running automated scans, but are actively refining their exploitation techniques."
React2Shell (CVE-2025-55182) is a critical remote code execution vulnerability carrying a CVSS score of 10.0 that impacts React 19.x and Next.js 15.x/16.x with App Router. Exploitation began within hours of public disclosure on December 3, 2025, with Earth Lamia and Jackpot Panda observed leveraging public proof-of-concept exploits. Meta discovered the issue in late November and coordinated fixes with cloud providers. AWS MadPot honeypots identified both known groups and new clusters. Shared anonymization infrastructure complicates attribution. An observed actor at IP 183.6.80.214 sent 116 requests over 52 minutes while troubleshooting exploitation. AWS deployed Sonaris Active Defense, WAF managed rules, and perimeter controls.
Read at Techzine Global