Predictably, the exploits are rolling in. Within hours of the CVE-2025-55182 disclosure, Chinese APT groups were already hitting targets, and today valid proof-of-concept exploits started appearing: not useless AI-generated slop, but actual working code. AWS reports that exploitation began practically the moment patches went public. While you slept, Chinese threat actors were reverse-engineering the fix, and honeypots started catching China-linked APT activity within hours. With public PoCs now available, exploitation is opening up to everyone who wants in. The scale isn’t as wild as Log4Shell, since there are no ancient legacy systems with this baked in for years, but the immediate potential is comparable, especially given how trivial the exploit is. So if you haven’t patched yet, you’ve already lost.
AWS: Exploitation Started Immediately
Amazon Web Services reported that multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda, started exploiting React2Shell almost immediately after the December 3 public disclosure.
“Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups,” AWS’s security team wrote.
This wasn’t automated scanning with random payloads. AWS honeypots caught sophisticated exploitation attempts featuring iterative manual testing, real-time troubleshooting against targeted environments, and progressive payload refinement. The attackers were debugging their exploits live, adjusting attacks based on responses, actively probing for optimal exploitation paths.
Earth Lamia focuses on exploiting web application vulnerabilities, targeting financial services, logistics, retail, IT companies, universities, and government sectors across Latin America, the Middle East, and Southeast Asia. They’re the “find a web exploit, weaponize it fast” specialists.
Jackpot Panda operates primarily in East and Southeast Asia, conducting intelligence collection on corruption and domestic security matters. Less about financial gain, more about long-term strategic intelligence.
AWS also observed activity from unattributed clusters originating from China-based infrastructure. Many attacking groups share the same anonymization infrastructure, complicating individual tracking and specific attribution. That’s intentional — shared infrastructure creates attribution confusion.
Here’s how fast this moved:
- December 3, evening: CVE-2025-55182 publicly disclosed, patches released
- December 3, hours later: Chinese APT groups already exploiting in the wild
- December 4: Reverse engineering of patches underway, exploit development accelerating
- December 5: Valid public PoCs appear on GitHub, exploitation democratizes to anyone interested
From disclosure to weaponized mass-exploitation tools in under 48 hours. This is the modern vulnerability lifecycle.
Real PoCs, Real Problems
Lachlan Davidson, the researcher who discovered React2Shell, warned about fake exploits circulating online. The internet filled with AI-generated garbage claiming to exploit CVE-2025-55182 but actually doing nothing useful (or installing malware on the person trying to use them — poetic justice).
But now, valid exploits confirmed by security researchers like Stephen Fewer from Rapid7 and Joe Desimone from Elastic Security have appeared on GitHub. Public PoCs are available, meaning anyone with basic technical skills can now exploit React2Shell.
The exploitation techniques AWS observed include:
- Repeated attempts with different payloads (testing which variations work)
- Linux command execution: whoami, id (verifying code execution)
- File creation attempts: /tmp/pwned.txt (leaving proof of compromise)
- Reading /etc/passwd (reconnaissance for privilege escalation)
“This behavior demonstrates that threat actors aren’t just running automated scans, but are actively debugging and refining their exploitation techniques against live targets,” AWS researchers noted.
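The behaviour AWS describes above is visible on the host regardless of what the HTTP payload looked like: the Node.js server process spawns whoami and id, reads /etc/passwd, drops /tmp/pwned.txt, and does so several times in a few minutes while the attacker refines payloads. The detection below is an added example written for this article, not code from AWS or from the React/Next.js projects. It assumes an EDR or auditd-style export of one JSON process event per line (fields ts, host, ppid, parent_comm, pid, comm, cmdline), assumes the process names in NODE_PARENTS, uses an assumed burst threshold, and runs over constructed sample events.

```python
"""Host-side detection of the post-exploitation behaviour AWS describes after
React2Shell (CVE-2025-55182) exploitation: a Node.js server process spawning
whoami and id, reading /etc/passwd, creating /tmp/pwned.txt, repeatedly.

Added example, not code from the article or from AWS. The event format is an
assumed EDR/auditd-style export, the process names in NODE_PARENTS and the
burst threshold are assumptions, and the sample events are constructed.
"""
import json
import shlex
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Process names a Next.js / Node server is assumed to run under (assumption).
NODE_PARENTS = {"node", "next-server", "next-router-worker"}
SHELLS = {"sh", "bash", "dash"}

# Indicators taken from the AWS observations quoted in the article.
IDENTITY_CHECKS = {"whoami", "id"}
PASSWD_PATH = "/etc/passwd"
MARKER_PATH = "/tmp/pwned.txt"

# Three child processes from one server PID inside ten minutes counts as
# iterative testing (threshold is an assumption).
BURST_COUNT = 3
BURST_WINDOW = timedelta(minutes=10)


def _commands(cmdline: str) -> List[List[str]]:
    """Split a command line into the individual commands it runs, descending
    into sh -c "..." wrappers and splitting on ; && || and pipes."""
    try:
        toks = shlex.split(cmdline)
    except ValueError:
        toks = cmdline.split()
    if len(toks) >= 3 and toks[0].rsplit("/", 1)[-1] in SHELLS and toks[1] == "-c":
        inner = toks[2]
        for sep in ("&&", "||", "|", ";"):
            inner = inner.replace(sep, "\n")
        cmds: List[List[str]] = []
        for seg in inner.split("\n"):
            if seg.strip():
                cmds.extend(_commands(seg.strip()))
        return cmds
    return [toks] if toks else []


def indicators(cmdline: str) -> List[str]:
    """Return the post-exploitation indicators present in a command line.
    Only command positions count for whoami/id, so an argument that happens
    to be 'id' does not match."""
    cmds = _commands(cmdline)
    found: List[str] = []
    if any(c[0].rsplit("/", 1)[-1] in IDENTITY_CHECKS for c in cmds):
        found.append("identity-check")
    if any(PASSWD_PATH in c for c in cmds):
        found.append("passwd-read")
    if any(MARKER_PATH in tok for c in cmds for tok in c):
        found.append("pwned-marker")
    return found


def detect(lines: List[str]) -> List[Dict]:
    """One alert per suspicious process event, plus an iterative-testing alert
    for each server PID that spawned BURST_COUNT children inside BURST_WINDOW."""
    alerts: List[Dict] = []
    spawns: Dict[Tuple[str, int], List[datetime]] = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        from_node = ev.get("parent_comm") in NODE_PARENTS
        hits = indicators(ev.get("cmdline", ""))
        if from_node:
            ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            spawns[(ev["host"], ev["ppid"])].append(ts)
        if from_node and hits:
            severity = "high"
        elif from_node:
            severity = "medium"  # a web server spawning anything deserves a look
        elif hits:
            severity = "low"     # recon commands, but not from the web server
        else:
            continue
        alerts.append({"ts": ev["ts"], "host": ev["host"], "pid": ev["pid"],
                       "severity": severity, "indicators": hits, "cmdline": ev["cmdline"]})
    for (host, ppid), times in spawns.items():
        times.sort()
        if any(times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW
               for i in range(len(times) - BURST_COUNT + 1)):
            alerts.append({"host": host, "ppid": ppid, "severity": "high",
                           "indicators": ["iterative-testing"], "count": len(times)})
    return alerts


# Constructed sample events: one attacker session against next-server PID 1412,
# one unrelated /etc/passwd read, and one benign cron job.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ts": "2025-12-04T03:12:41Z", "host": "web-7", "ppid": 1412, "parent_comm": "next-server",
     "pid": 22031, "comm": "sh", "cmdline": 'sh -c "whoami; id"'},
    {"ts": "2025-12-04T03:12:43Z", "host": "web-7", "ppid": 1412, "parent_comm": "next-server",
     "pid": 22034, "comm": "sh", "cmdline": 'sh -c "echo pwned > /tmp/pwned.txt"'},
    {"ts": "2025-12-04T03:12:45Z", "host": "web-7", "ppid": 1412, "parent_comm": "next-server",
     "pid": 22040, "comm": "cat", "cmdline": "cat /etc/passwd"},
    {"ts": "2025-12-04T03:13:02Z", "host": "web-7", "ppid": 1, "parent_comm": "systemd",
     "pid": 22100, "comm": "cat", "cmdline": "cat /etc/passwd"},
    {"ts": "2025-12-04T03:14:10Z", "host": "web-7", "ppid": 1412, "parent_comm": "next-server",
     "pid": 22150, "comm": "sh", "cmdline": 'sh -c "ls -la /app"'},
    {"ts": "2025-12-04T03:15:00Z", "host": "web-7", "ppid": 900, "parent_comm": "cron",
     "pid": 22200, "comm": "backup.sh", "cmdline": "/usr/local/bin/backup.sh --full"},
]]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The parent-process check carries most of the weight: whoami or id from a cron job is noise, whoami from the process serving your Next.js app is not. The burst rule is what turns three individually low-value spawns into the "iterative manual testing" pattern AWS describes, and it fires even when the attacker's commands are ones you have no indicator for.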
Check If You’re Vulnerable
Assetnote released a React2Shell vulnerability scanner on GitHub specifically designed to test if your environment is exploitable. If you’re running React Server Components or Next.js with App Router and haven’t patched yet, run it.
Actually, scratch that. If you haven’t patched yet, just assume you’re vulnerable and exploited. A scanner tells you whether an endpoint is exploitable right now; it cannot tell you whether it already was. It’s useful for verifying your patches worked, not for discovering whether you should patch.
Log4Shell Comparison (And Why It’s Different)
The immediate comparison is Log4Shell (CVE-2021-44228), which caused internet-wide panic in December 2021. React2Shell shares some characteristics:
- Maximum severity (CVSS 10.0)
- Affects widely-used framework
- Trivially exploitable without authentication
- Immediate mass exploitation following disclosure
- APT groups and opportunistic attackers both piling on
But there are critical differences. Log4Shell affected a Java logging library embedded in thousands of applications, including ancient enterprise systems that wouldn’t get patched for years (or ever). It was baked into hardware firmware, network appliances, industrial control systems: anything running Java could be vulnerable.
React2Shell affects modern web applications, primarily those using React Server Components (a relatively new feature). No embedded systems. No firmware. No decade-old enterprise Java applications still running on forgotten servers in some closet. The vulnerable infrastructure is actively maintained web applications that can be patched relatively quickly.
So the scale isn’t as catastrophic as Log4Shell. But the immediate potential is comparable. React powers a massive chunk of the modern web. Next.js dominates React-based frameworks. And exploitation is absurdly simple — craft malicious HTTP POST request, send to Server Function endpoint, get remote code execution.
What “Simple Exploitation” Actually Means
When security researchers say an exploit is “simple” or “trivial,” non-technical folks often miss what that means. Here’s the React2Shell exploitation process:
- Identify target running Next.js or React Server Components (often visible in HTTP responses)
- Send crafted HTTP POST request to Server Function endpoint
- React deserializes your malicious payload without validation
- Your code executes on the server with Node.js process privileges
No authentication bypass needed. No complex exploitation chain. No race conditions or memory corruption. Just send HTTP request, get shell. That’s what “simple” means, and why mass exploitation happens so fast.
The Patch Race You’re Losing
If you’re running affected versions and haven’t patched yet, here’s your current situation:
- Chinese APT groups have been exploiting this for over 48 hours
- Public PoCs are available to anyone
- Automated scanning is already underway
- Your vulnerable servers are probably already being probed
- Every hour you delay increases compromise probability
The window for “patch before exploitation” closed within hours of disclosure. You’re now in “patch to stop ongoing exploitation” territory.
For React Server Components, update to versions 19.0.1, 19.1.2, or 19.2.1. For Next.js, update to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5. If you’re running older versions, upgrade to a patched release.
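The version list above, and the advice earlier to use Assetnote’s scanner only for confirming a patch, both come down to one question: which versions of Next.js and the React Server Components packages are actually installed, including copies nested under other dependencies that a top-level listing hides. The script below answers that from a package-lock.json. It is an added example, not code from the article, Assetnote, or the React/Next.js projects. Assumptions not stated in the article: the RSC packages are the react-server-dom-* packages; a minor line newer than every patched line listed is treated as carrying the fix; prerelease builds are reported as unknown rather than guessed at; the sample lockfile is constructed.

```python
"""Check the React Server Components and Next.js versions recorded in a
package-lock.json against the patched releases the article lists for
CVE-2025-55182 (React2Shell).

Added example, not code from the article, Assetnote or the React/Next.js
projects. Assumptions: the RSC packages are the react-server-dom-* packages;
a minor line newer than every patched line listed is treated as carrying the
fix; the sample lockfile is constructed.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Patched releases exactly as the article lists them.
PATCHED: Dict[str, List[str]] = {
    "next": ["16.0.7", "15.5.7", "15.4.8", "15.3.6", "15.2.6", "15.1.9", "15.0.5"],
    "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],    # package names assumed
    "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
    "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Parse a plain MAJOR.MINOR.PATCH string. Prerelease builds such as
    15.5.7-canary.3 return None: they may predate the fix, so they are not
    silently treated as patched."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def assess(package: str, installed: str) -> str:
    """Classify one installed version as patched, vulnerable, upgrade-required
    (an older line with no patched release listed) or unknown."""
    current = parse_version(installed)
    fixed = [v for v in (parse_version(p) for p in PATCHED.get(package, [])) if v]
    if current is None or not fixed:
        return "unknown"
    for fix in fixed:
        if fix[:2] == current[:2]:
            # Same major.minor line: the patch level decides.
            return "patched" if current[2] >= fix[2] else "vulnerable"
    if current[:2] > max(f[:2] for f in fixed):
        return "patched"  # assumption: later lines include the fix
    return "upgrade-required"


def scan_lockfile(lock: dict) -> List[Tuple[str, str, str]]:
    """Assess every copy of a watched package in a lockfileVersion 2/3
    package-lock.json, including nested node_modules copies."""
    findings: List[Tuple[str, str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        if name in PATCHED:
            version = meta.get("version", "")
            findings.append((path, version, assess(name, version)))
    return findings


# Constructed sample lockfile: one vulnerable Next.js, one patched RSC package,
# and an old Next.js nested under another dependency.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.5.6"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
        "node_modules/legacy-tool/node_modules/next": {"version": "14.2.3"},
    },
}


if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    findings = scan_lockfile(lock)
    for path, version, verdict in findings:
        print(f"{verdict:17} {path} {version}")
    # Non-zero exit if anything needs attention, so CI can block the deploy.
    sys.exit(int(any(v != "patched" for _, _, v in findings)))
```

Run it against a real lockfile with the path as the first argument; with no argument it scans the constructed sample. The nested-copy case is the one worth keeping: the top-level next may be patched while a tooling dependency still pulls in an old line, and only the copy that actually serves traffic matters, which this script cannot decide for you.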
If patching requires change approval processes that take days or weeks, deploy WAF rules immediately as a stopgap. Cloudflare, AWS, Akamai, Fastly, and Google Cloud all have React2Shell protections available.
The Reverse Engineering Race
Here’s how modern vulnerability exploitation works: patches get released, attackers immediately diff the patched code against vulnerable versions, identify exactly what changed, reverse-engineer the vulnerability from the fix, develop exploits, start attacking.
This process used to take weeks. Now it takes hours. APT groups with resources and skilled reverse engineers can weaponize patches faster than most organizations can deploy them.
AWS observed this playing out in real time with React2Shell. Patches released December 3 evening. Exploitation began hours later. By December 5, public PoCs available. The defensive window is measured in hours, not days.
Why APT Groups Move Fast
State-nexus threat groups like Earth Lamia and Jackpot Panda have specific advantages in these situations. They operate dedicated reverse engineering teams capable of analyzing patches immediately upon release, and they often have target lists ready, knowing exactly which organizations run React/Next.js. With exploitation infrastructure already prepared, they can simply plug in the new exploit and launch.
Unlike opportunistic attackers hoping to make quick money, these groups have no need to monetize immediately. They’re collecting intelligence, not running ransomware: speed matters for getting in before the patch lands, and stealth matters once they’re inside. They are intelligence operations with resources, planning, and long-term objectives. A critical RCE in a widely-used framework is an intelligence goldmine: get in before everyone patches, establish persistence, collect data for months or years.
Exploitation will continue escalating. More PoCs will appear. Automated exploitation tools will integrate React2Shell. Ransomware groups will start using it. Opportunistic attackers will scan the internet for vulnerable endpoints.
The attack volume will peak within a week or two, then gradually decline as the internet patches. But some percentage of vulnerable systems will never get patched — abandoned projects, forgotten staging servers, organizations that don’t track dependencies, companies that don’t monitor security advisories.
Those systems will remain exploitable indefinitely, providing persistent attack surface for anyone who wants in.
React2Shell went from disclosure to active APT exploitation to public PoCs in under 48 hours. If you’re running React Server Components or Next.js and haven’t patched, you’re not in the “might get exploited” category. You’re in the “probably already compromised” category.