Chinese Threat Groups Move Fast on Newly Disclosed React2Shell Vulnerability

A new round of activity tied to China-based operators began almost immediately after details of CVE-2025-55182 were released. The flaw, now nicknamed React2Shell, affects React Server Components and grants remote code execution without authentication. With a perfect CVSS score of 10.0, the weakness attracted interest from multiple actors within hours, according to new reporting from Amazon Web Services.


Patches and Early Exploitation Attempts

Patches landed in React versions 19.0.1, 19.1.2, and 19.2.1. Even with fixes available, attempts to exploit unpatched systems appeared nearly in real time across AWS MadPot honeypots. CJ Moses, CISO of Amazon Integrated Security, noted that the traffic matched long-running Chinese state-linked infrastructure and patterns that analysts have tracked for several years.
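The three fixed releases above are on separate 19.x minor lines, so a simple "is it newer than X" comparison is not enough: 19.1.1 is older than 19.2.0 yet both are unpatched, and a nested dependency can pin its own stale copy of React underneath a patched root copy. The following is an added example, not code from the article, AWS, or the React project; it checks a version string against the patched releases the article names and walks an npm lockfile (lockfileVersion 3 layout, with a `packages` map keyed by install path) for every installed copy of `react`. Treating minor lines above 19.2 as patched is our assumption, and any version the article does not cover is reported as unknown rather than guessed at.

```javascript
// Added example (not from the article or the React project): decide whether an installed
// React version carries the React2Shell (CVE-2025-55182) fix, using only the patched
// releases the article names: 19.0.1, 19.1.2 and 19.2.1.

// First fixed release on each 19.x minor line, per the article.
const FIRST_FIXED_19 = { 0: [19, 0, 1], 1: [19, 1, 2], 2: [19, 2, 1] };

// Parse "19.2.1" (or "v19.2.1") into [major, minor, patch]. Anything with a
// pre-release or build suffix ("19.2.1-canary-...") returns null: semver orders such
// builds before the release, so they cannot be assumed to contain the fix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "patched", "vulnerable" or "unknown". Versions outside 19.x are "unknown" because the
// article gives no patched release for them; minor lines above 19.2 are treated as
// patched on the assumption (ours, not the article's) that they were cut after the fix.
function reactFixStatus(version) {
  const v = parseVersion(version);
  if (!v || v[0] !== 19) return "unknown";
  if (v[1] > 2) return "patched";
  return compareVersions(v, FIRST_FIXED_19[v[1]]) >= 0 ? "patched" : "vulnerable";
}

// Walk an npm lockfile (lockfileVersion 3 layout: "packages" keyed by install path) and
// report every installed copy of react, nested duplicates included, since a dependency
// can pin its own stale copy underneath a patched root one.
function auditLockfile(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/react" || path.endsWith("/node_modules/react")) {
      out.push({ path, version: entry.version, status: reactFixStatus(entry.version) });
    }
  }
  return out;
}

// Constructed sample lockfile: a patched root copy and a stale nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/some-ui-kit": { version: "1.0.0" },
    "node_modules/some-ui-kit/node_modules/react": { version: "19.1.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.version.padEnd(8)} ${f.path}`);
}
```

Against the constructed lockfile this reports the root copy as patched and the nested 19.1.1 copy as vulnerable; a real audit would load `package-lock.json` from disk and, for a fuller picture, apply the same walk to the React Server Components packages your framework installs, which the article does not enumerate.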


Earth Lamia’s Activity

One cluster of attempts came from sources tied to Earth Lamia, the same group responsible for exploiting SAP NetWeaver (CVE-2025-31324) earlier this year. Earth Lamia has shown wide geographic reach, hitting organizations across financial services, logistics, retail, higher education, government entities, and general IT across Latin America, the Middle East, and Southeast Asia. Their behavior around React2Shell fits with that pattern: broad reconnaissance, automated probing, and a desire to reach new entry points before defenders finish patching.


Jackpot Panda’s Parallel Interest

A second wave matched indicators linked to Jackpot Panda. This actor has a long-running focus on gambling-adjacent operations in East and Southeast Asia, and is known for supply chain compromises, including the Comm100 incident in 2022. Research from CrowdStrike and ESET has tied Jackpot Panda to a series of campaigns that rely on manipulated installers, staged implants, and credential theft. More recent work suggests that I-Soon, a Chinese contractor, may have supported portions of those operations, based on overlap in infrastructure.

By 2023, Jackpot Panda had shifted attention inward, aiming at Chinese-speaking users through trojanized CloudChat installers. Those installers set up a multi-stage chain that delivered an implant named XShade, which analysts say overlaps with the group’s earlier CplRAT tooling. Their presence in the early React2Shell exploitation window signals how quickly established operators adjust playbooks once a fresh entry point appears.


What Early Probing Looked Like

AWS observed attackers testing basic shell commands, creating or modifying files such as /tmp/pwned.txt, and attempting to read /etc/passwd. This pattern reflects the early phase of an opportunistic campaign—simple checks to confirm that the target is vulnerable, followed by a gradual shift into more tailored post-exploitation activity. The same scanners also attempted to weaponize N-day issues such as the NUUO Camera flaw (CVE-2025-1338), which points to a broad sweep rather than a single-purpose operation.
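The probe pattern above is easy to recognise once process-execution telemetry is available: a Node.js server process should rarely spawn a shell, and a shell under it that touches `/tmp/pwned.txt` or reads `/etc/passwd` is the exact check-in the article describes. The following is an added example, not AWS tooling and not from the article; the event field names (`parent_image`, `image`, `cmdline`) and the sample events are constructed for illustration and would need mapping to whatever your EDR or auditd pipeline actually emits. It deliberately does not flag the indicator paths on their own, since an administrator reading `/etc/passwd` from an interactive shell is routine.

```javascript
// Added example (not AWS tooling and not from the article): a small triage pass over
// constructed endpoint process-execution events, looking for the early-probe pattern the
// article describes: a Node.js server process spawning a shell that touches
// /tmp/pwned.txt or reads /etc/passwd. Field names are invented for illustration.

const INDICATOR_PATHS = ["/tmp/pwned.txt", "/etc/passwd"];
const SHELLS = new Set(["sh", "bash", "dash", "zsh"]);

function baseName(p) {
  return String(p).split("/").pop();
}

// Score one event. Returns null for events that do not match the node -> shell
// pattern; otherwise a finding listing every reason it matched.
function triageEvent(ev) {
  const parentIsNode = baseName(ev.parent_image || "") === "node";
  const childIsShell = SHELLS.has(baseName(ev.image || ""));
  // Indicator paths alone are not enough: an admin's `cat /etc/passwd` from an
  // interactive bash is routine. The parent-child anomaly is the trigger.
  if (!(parentIsNode && childIsShell)) return null;
  const reasons = ["node spawned a shell"];
  for (const p of INDICATOR_PATHS) {
    if ((ev.cmdline || "").includes(p)) reasons.push(`references ${p}`);
  }
  return { ts: ev.ts, host: ev.host, cmdline: ev.cmdline, reasons };
}

// Parse newline-delimited JSON events and keep only the findings.
function triageLog(jsonLines) {
  return jsonLines.map((line) => JSON.parse(line)).map(triageEvent).filter(Boolean);
}

// Constructed sample: two probes from the web tier, one benign admin action, and one
// legitimate child process of node that is not a shell.
const SAMPLE_EVENTS = [
  `{"ts":"2025-12-05T03:14:07Z","host":"web-01","parent_image":"/usr/bin/node","image":"/bin/sh","cmdline":"sh -c 'touch /tmp/pwned.txt'"}`,
  `{"ts":"2025-12-05T03:14:09Z","host":"web-01","parent_image":"/usr/bin/node","image":"/bin/sh","cmdline":"sh -c 'cat /etc/passwd'"}`,
  `{"ts":"2025-12-05T03:20:00Z","host":"web-01","parent_image":"/usr/bin/bash","image":"/usr/bin/cat","cmdline":"cat /etc/passwd"}`,
  `{"ts":"2025-12-05T03:21:00Z","host":"web-01","parent_image":"/usr/bin/node","image":"/usr/bin/git","cmdline":"git rev-parse HEAD"}`,
];

const findings = triageLog(SAMPLE_EVENTS);
for (const f of findings) {
  console.log(`${f.ts} ${f.host}: ${f.reasons.join(", ")} :: ${f.cmdline}`);
}
```

On the constructed sample this yields two findings, one per probe, and stays silent on the administrator's `cat` and on node's legitimate `git` child. A finding with only the "node spawned a shell" reason is still worth a look in a React Server Components deployment, because the article's N-day sweeps move quickly from the initial check to tailored post-exploitation, and the first command after the probe may not touch either indicator path.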

Moses described the workflow as a routine cycle for these groups: watch vulnerability disclosures closely, grab public exploit code as soon as it appears, and feed it into sweeping infrastructure that tests multiple CVEs at once. Whoever falls behind on patching becomes the easiest target.


Cloudflare’s Brief Outage

At the same time, the broader ecosystem felt the ripple effect of the disclosure. Cloudflare experienced a short but very visible service interruption that produced waves of 500 errors across major sites. The company later clarified that the problem came from an internal change to its Web Application Firewall. The update was intended to expand protection for the new React2Shell issue. A parsing error caused the outage, not any attempt by threat actors to hit Cloudflare’s systems.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that strengthens organizations by delivering cybersecurity capabilities that improve visibility, response, and resilience across modern environments. In the context of SOC-as-a-Service, our mission is centered on helping government, defense, and commercial clients build incident readiness without the burden of standing up a full in-house SOC. Our team develops and supports advanced monitoring, detection, and response solutions that give customers the level of coverage and operational structure they need to protect their networks, identities, and cloud workloads.

Our “CISO-as-a-Service” offering already demonstrates how we extend executive-level expertise to organizations that need high-end guidance without internal hiring. The same principle applies to our SOC; Netizen operates a state-of-the-art 24x7x365 Security Operations Center that provides continuous monitoring, alert triage, detection engineering, incident response coordination, and threat hunting for clients that require dependable coverage. These services support the readiness goals outlined in this article by improving early detection, reducing breakout time, and offering access to specialized analysts and hunters who understand the demands of sensitive and regulated environments.

Our portfolio complements SOCaaS by including cybersecurity assessments and advisory, hosted SIEM and EDR/XDR services, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. This allows organizations to integrate SOCaaS with broader security initiatives such as modernization projects, compliance readiness, and vulnerability management. We specialize in environments where strict standards, technical precision, and operational consistency are mandatory, which makes our team a natural partner for organizations working to raise their detection and response maturity.

Netizen maintains ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations, reflecting the stability and maturity required for a high-quality SOC operation. As a Service-Disabled Veteran-Owned Small Business certified by the U.S. Small Business Administration, we have been recognized repeatedly through the Inc. 5000, Vet 100, national Best Workplace awards, and numerous honors for veteran hiring, innovation, and organizational excellence.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.