Chinese Hacking Groups Linked to React2Shell Cyberattacks: A Growing Threat

Chinese Hackers Exploit React2Shell Vulnerability: Google Identifies Five More Hacking Groups

Recent reports from Google's threat intelligence team have uncovered a concerning trend of Chinese hacking groups exploiting the React2Shell vulnerability. This flaw, officially tracked as CVE-2025-55182, poses a significant risk to React and Next.js applications, allowing malicious actors to execute arbitrary code with a single HTTP request.

The vulnerability primarily affects React versions 19.0 to 19.2.0, leaving numerous systems vulnerable to exploitation. Following the disclosure of the flaw, Palo Alto Networks reported multiple breaches, with Chinese state-backed threat actors using the exploit to steal sensitive information, including AWS configuration files and credentials.
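The first question a defender has after reading the version range above is whether any deployed application is actually running an affected build. The following inventory check is an added example, not code from the article or from the React project: it reads an npm package-lock v2/v3 `packages` map (the key format `node_modules/<name>` is an assumption about the lockfile layout) and flags every installed copy of React, including nested copies pulled in by other dependencies, whose version falls in the 19.0 to 19.2.0 range the article names.

```python
"""Flag installed React versions inside the range CVE-2025-55182 (React2Shell) affects."""
import re

# Affected range as stated in the article: React 19.0 through 19.2.0, inclusive.
AFFECTED_MIN = (19, 0, 0)
AFFECTED_MAX = (19, 2, 0)
# Packages to inspect; the article names React itself (assumption: extend as needed).
WATCHED = ("react",)


def parse_version(version: str) -> tuple:
    """Turn '19.2.0' or '19.2.0-canary-x' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the version lies in the range the article reports as vulnerable."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def installed_versions(lock: dict, watched=WATCHED) -> dict:
    """Collect every installed copy of each watched package from a package-lock v2/v3
    'packages' map (assumption: keys look like 'node_modules/<name>', nested copies too)."""
    found = {name: [] for name in watched}
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in found and "version" in meta:
            found[name].append(meta["version"])
    return found


def affected_packages(lock: dict) -> dict:
    """Return {package: [affected versions]}; empty when nothing in range is installed."""
    found = installed_versions(lock)
    return {n: [v for v in vs if is_affected(v)]
            for n, vs in found.items() if any(is_affected(v) for v in vs)}


# Constructed sample lockfile (not from any real project): a top-level React 19.2.0
# plus a nested React 18.3.1 pulled in by another dependency.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/some-widget/node_modules/react": {"version": "18.3.1"},
    },
}

if __name__ == "__main__":
    print(affected_packages(SAMPLE_LOCK))  # {'react': ['19.2.0']}
```

Run it against a real lockfile by loading the JSON with `json.load` and passing the dict to `affected_packages`; an empty result means no copy of React in the named range is installed, which says nothing about versions outside it.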

Amazon Web Services (AWS) has issued warnings about threat actors such as Earth Lamia and Jackpot Panda taking advantage of the React2Shell vulnerability shortly after its disclosure. This has sparked concerns about the increasing sophistication of Chinese cyber-espionage groups.

Chinese Hacking Groups Expanding Attacks

Google’s Threat Intelligence Group (GTIG) has identified five additional Chinese cyber-espionage groups involved in the ongoing React2Shell attacks. These groups, including UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595, have been leveraging various tools and tactics to exploit the vulnerability.

According to GTIG researchers, the use of React Server Components (RSC) in popular frameworks like Next.js has amplified the risk posed by CVE-2025-55182. Underground forums have been abuzz with discussions about the vulnerability, with threat actors sharing scanning tools, proof-of-concept code, and their experiences.

Aside from Chinese hackers, Iranian threat actors and financially motivated attackers have also been observed targeting the React2Shell vulnerability. Shadowserver, an Internet watchdog group, has identified over 116,000 vulnerable IP addresses, with a significant number located in the United States.

Devices vulnerable to React2Shell attacks (Shadowserver)

GreyNoise has reported over 670 IP addresses attempting to exploit the React2Shell vulnerability, with a notable concentration in the United States, India, and several European countries. Cloudflare recently linked a global website outage to emergency measures taken to address the React2Shell vulnerability.