Executive Summary
In December 2025, security researchers identified a critical vulnerability, CVE-2025-55182 (React2Shell), under active exploitation by the suspected Chinese threat actors Earth Lamia and Jackpot Panda. The flaw affects React Server Components as shipped in the Meta-maintained RSC packages (React 19.0.0 through 19.2.0) and in the Next.js releases that bundle them, and allows an unauthenticated attacker to execute arbitrary code on the backend server by sending a crafted request that the RSC endpoint deserializes unsafely. AWS Threat Intelligence reported in-the-wild exploitation on December 4, within hours of public disclosure, and tied multiple otherwise untracked clusters and IP addresses to coordinated attacks on organizations running modern web stacks that depend on the vulnerable packages. In successful compromises, attackers gained full backend access, posing serious risks to enterprise data and operations.
This incident underscores how quickly a vulnerability in a core software dependency is weaponized, and how readily state-aligned APTs turn shared framework code into an entry point. React2Shell highlights the urgent need for rigorous patch management, attack-surface monitoring, and proactive defense, because foundational web technologies are now routine targets for advanced adversaries.
Why This Matters Now
React2Shell is being exploited in real-world attacks that let adversaries compromise backend infrastructure at scale. With Chinese APTs targeting enterprise web applications, unpatched systems face an elevated risk of data theft, operational disruption, and regulatory exposure. Because the vulnerable code is pulled in transitively through React and Next.js, organizations should inventory every deployment that depends on these packages and remediate immediately to limit the supply-chain fallout.
Attack Path Analysis
Chinese threat actors exploited the React2Shell (CVE-2025-55182) deserialization flaw with crafted HTTP requests to gain initial access and remote code execution in the context of the server-side JavaScript runtime. From there, attackers attempted to elevate privileges in the compromised environment (likely by abusing backend components reachable from the web tier). With elevated access, they probed for lateral-movement paths, targeting internal east-west traffic and, where present, Kubernetes workloads. A command-and-control channel over outbound connections to attacker infrastructure provided remote management and persistence. Data exfiltration most likely proceeded over covert outbound flows or direct transfers to S3 buckets or other cloud APIs. Finally, attackers were positioned to cause impact through system disruption, data tampering, or further manipulation of build and deployment pipelines.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited an unsafe deserialization flaw (CVE-2025-55182, React2Shell) to execute code on vulnerable React Server Component endpoints via crafted HTTP requests.
Related CVEs
CVE-2025-55182
CVSS 10.0. A critical remote code execution vulnerability in React Server Components allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests.
Affected Products:
Meta React Server Components – 19.0.0, 19.1.0, 19.1.1, 19.2.0 (fixed upstream in 19.0.1, 19.1.2 and 19.2.1)
Vercel Next.js – 15.x, 16.x, 14.3.0-canary.77 and later canary releases (patched releases exist for each affected line; confirm the installed version against the Next.js advisory)
Exploit Status:
exploited in the wild
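As an added example that is not from the advisory or from the React or Next.js projects, the following Node.js script scans a package-lock.json for the versions listed above. The React package names (react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel) follow the upstream advisory; the lockfile and every version in it are constructed. One caveat worth building in: Next.js ships its own vendored copy of the RSC runtime, which never appears in the lockfile, so the Next.js version itself has to be checked, as this script does.

```javascript
'use strict';
// Added example, not code from the advisory or from React/Next.js: flag
// lockfile entries whose versions fall in the CVE-2025-55182 affected list.
// Package names follow the upstream React advisory; SAMPLE_LOCKFILE is
// constructed for illustration.

// React Server Components packages that carry the vulnerable deserializer,
// and the exact versions the advisory lists as affected.
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
  'react-server-dom-parcel',
]);
const RSC_AFFECTED = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into its parts; null on junk.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Next.js release lines the advisory lists: 15.x, 16.x, and 14.3.0-canary.77
// or later canaries. Patched 15.x/16.x builds also exist, so a hit here means
// "confirm the installed patch level against the vendor fix list".
function isNextAffected(version) {
  const v = parseVersion(version);
  if (!v) return false;
  if (v.major === 15 || v.major === 16) return true;
  if (v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre) {
    const canary = /^canary\.(\d+)$/.exec(v.pre);
    return canary !== null && Number(canary[1]) >= 77;
  }
  return false;
}

// lockfileVersion 2/3 keys look like "node_modules/next" or
// "node_modules/a/node_modules/@scope/pkg"; the package name is the part
// after the last "node_modules/".
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk every installed package (nested copies included) and report hits.
function findAffected(lockfile) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !meta || typeof meta.version !== 'string') continue;
    if (RSC_PACKAGES.has(name) && RSC_AFFECTED.has(meta.version)) {
      findings.push({ path: lockPath, name, version: meta.version,
        reason: 'React Server Components version listed as affected by CVE-2025-55182' });
    } else if (name === 'next' && isNextAffected(meta.version)) {
      findings.push({ path: lockPath, name, version: meta.version,
        reason: 'Next.js release line listed as affected; confirm patch level against the vendor fix list' });
    }
  }
  return findings;
}

// Constructed lockfile: one app pulling a vulnerable RSC build and Next.js,
// plus nested copies that exercise the patched and out-of-range cases.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/next': { version: '15.4.2' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/tooling/node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/legacy/node_modules/next': { version: '14.3.0-canary.80' },
    'node_modules/older/node_modules/next': { version: '14.2.3' },
  },
};

// Against a real project:
//   const lock = JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'));
//   console.table(findAffected(lock));
console.table(findAffected(SAMPLE_LOCKFILE));
```

Run from the project root against the real lockfile; the constructed sample yields three hits (the top-level Next.js and RSC build, and the nested canary) and leaves the patched 19.2.1 copy and the 14.2.x line alone. Treat any Next.js hit as "verify", because the 15.x and 16.x lines contain both vulnerable and fixed releases.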
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: Windows Command Shell
Container Administration Command
Abuse Elevation Control Mechanism
Impair Defenses
Exploitation of Remote Services
System Information Discovery
Data Manipulation: Stored Data Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Custom and Public-Facing Web Applications
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 8(2)
CISA Zero Trust Maturity Model 2.0 – Continuous Vulnerability Management
Control ID: Applications: Vulnerability Management
NIS2 Directive – Security of Network and Information Systems—Vulnerability Handling
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerability, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
The React2Shell vulnerability directly affects software development organizations that build on React Server Components: a single crafted request to a vulnerable endpoint gives an attacker code execution on the backend, and the flaw arrives through a framework dependency rather than through the organization's own code.
Financial Services
React2Shell attacks threaten financial platforms running vulnerable React versions, risking data exfiltration and compliance violations under the PCI DSS requirements for public-facing web applications.
Information Technology/IT
IT service providers face severe risk: arbitrary code execution in a hosted web application gives an attacker a foothold from which the client environments behind that application can be reached.
Health Care / Life Sciences
Healthcare organizations running React-based systems are exposed to the Chinese threat actors exploiting React2Shell, threatening HIPAA compliance and patient data security.
Sources
- Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors (Recorded Future): https://www.recordedfuture.com/blog/critical-react2shell-vulnerability
- Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components (Microsoft Security Blog, 15 December 2025): https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
- Security Advisory 2025-041 (CERT-EU): https://cert.europa.eu/publications/security-advisories/2025-041/pdf
- React2Shell RCE flaw exploited by Chinese hackers hours after disclosure (TechRadar): https://www.techradar.com/pro/security/react2shell-rce-flaw-exploited-by-chinese-hackers-hours-after-disclosure
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network and workload segmentation, robust east-west controls, enforced egress policies, and real-time threat detection would have significantly limited the attacker’s movement after exploit, detected anomalous activity, and blocked data exfiltration. Zero Trust CNSF enforcement mechanisms reduce blast radius and visibility gaps in dynamic cloud-native environments like those affected by React2Shell.
Control: Cloud Firewall (ACF)
Mitigation: Limits which internet-originated requests can reach critical endpoints. Caveat: the vulnerable RSC endpoints are part of the public-facing application itself, so a firewall reduces exposure of deployments that should not be internet-reachable but does not substitute for patching.
Control: Zero Trust Segmentation
Mitigation: Limits compromised workloads to only their minimum-authorized backend resources.
Control: East-West Traffic Security
Mitigation: Restricts lateral movement within and across internal cloud regions and services.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized outbound traffic to attacker infrastructure.
Control: Encrypted Traffic (HPE) & Egress Security & Policy Enforcement
Mitigation: Detects and blocks suspicious outbound data transfers, and ensures monitoring of all data in transit.
Rapid detection of anomalous operations and automatic alerting enables swift containment.
Impact at a Glance
Affected Business Functions
- Web Services
- Customer Portals
- Internal Applications
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive customer data and internal proprietary information due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Immediately upgrade every exposed deployment to a React Server Components release that fixes CVE-2025-55182 (19.0.1, 19.1.2 or 19.2.1, plus the matching patched Next.js release), then review posture for signs of prior compromise.
- Implement Zero Trust Segmentation and east-west controls to contain post-exploit movement.
- Enforce strict ingress and egress filtering policies using Cloud Firewall and egress security capabilities.
- Continuously monitor for anomalies in traffic and behavior, leveraging cloud-native threat detection and response.
- Apply Kubernetes-native segmentation to isolate workloads and restrict pod-to-pod communication.
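As an added example that is not from the advisory or from any vendor product, the policy logic behind the segmentation and egress controls described in the CNSF section and in the list above, reduced to a default-deny check: each workload may talk only to named east-west peers on a specific port and to an explicit set of external CIDRs, and everything else is denied and reported. Workload names, addresses, CIDRs and the flow records are all constructed.

```javascript
'use strict';
// Added example, not code from the advisory or any vendor product: a
// default-deny policy check for workload-to-workload (east-west) and
// outbound (egress) connections, run over constructed flow records.
// Workload names, addresses and CIDRs are illustrative.

// Dotted-quad IPv4 to unsigned 32-bit integer; null on malformed input.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True when ip falls inside cidr ("a.b.c.d/n"; a bare address means /32).
function inCidr(ip, cidr) {
  const [base, prefix] = cidr.split('/');
  const bits = prefix === undefined ? 32 : Number(prefix);
  const ipInt = ipToInt(ip);
  const baseInt = ipToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

const RFC1918 = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];
const isPrivate = (ip) => RFC1918.some((c) => inCidr(ip, c));

// Per-workload allowlist: east-west peers by name, egress by CIDR, each with
// the one port the workload legitimately needs. Anything absent is denied.
const POLICY = {
  'web-frontend': {
    internal: [{ workload: 'api-backend', port: 8080 }],
    egress: [{ cidr: '203.0.113.0/24', port: 443 }], // e.g. a payment provider
  },
  'api-backend': {
    internal: [{ workload: 'postgres', port: 5432 }],
    egress: [],
  },
  postgres: { internal: [], egress: [] },
};

// Inventory mapping pod/VM addresses to workload identity.
const WORKLOAD_BY_IP = {
  '10.0.1.10': 'web-frontend',
  '10.0.2.20': 'api-backend',
  '10.0.3.30': 'postgres',
};

// Decide one flow: known peer -> east-west rules; private but unmapped host
// -> deny; anything else -> egress rules.
function evaluateFlow(flow, policy = POLICY, workloadByIp = WORKLOAD_BY_IP) {
  const src = workloadByIp[flow.src];
  if (!src) return { verdict: 'deny', reason: `unknown source ${flow.src}` };
  const rules = policy[src] || { internal: [], egress: [] };
  const dstWorkload = workloadByIp[flow.dst];
  if (dstWorkload) {
    const ok = rules.internal.some((r) => r.workload === dstWorkload && r.port === flow.dport);
    return ok ? { verdict: 'allow' }
      : { verdict: 'deny', reason: `east-west ${src} -> ${dstWorkload}:${flow.dport} not authorized` };
  }
  if (isPrivate(flow.dst)) {
    return { verdict: 'deny', reason: `east-west ${src} -> unmapped internal host ${flow.dst}` };
  }
  const ok = rules.egress.some((r) => inCidr(flow.dst, r.cidr) && r.port === flow.dport);
  return ok ? { verdict: 'allow' }
    : { verdict: 'deny', reason: `egress ${src} -> ${flow.dst}:${flow.dport} not in allowlist` };
}

// Returns the denied flows with their reasons (the alerting/blocking feed).
function auditFlows(flows, policy = POLICY, workloadByIp = WORKLOAD_BY_IP) {
  return flows
    .map((f) => ({ ...f, ...evaluateFlow(f, policy, workloadByIp) }))
    .filter((r) => r.verdict === 'deny');
}

// Constructed flows mirroring the kill chain after a web-tier compromise:
// normal traffic, a lateral-movement attempt at the database, a C2 callback
// and a probe of an unmapped internal host.
const SAMPLE_FLOWS = [
  { src: '10.0.1.10', dst: '10.0.2.20', dport: 8080 },   // allowed: frontend -> API
  { src: '10.0.1.10', dst: '203.0.113.10', dport: 443 }, // allowed: sanctioned egress
  { src: '10.0.1.10', dst: '10.0.3.30', dport: 5432 },   // denied: frontend straight to DB
  { src: '10.0.1.10', dst: '198.51.100.7', dport: 443 }, // denied: C2 callback
  { src: '10.0.2.20', dst: '10.0.9.9', dport: 22 },      // denied: unmapped internal host
  { src: '10.0.2.20', dst: '10.0.3.30', dport: 5432 },   // allowed: API -> DB
];

console.table(auditFlows(SAMPLE_FLOWS));
```

A production enforcer would derive its NetworkPolicy or security-group rules from the same allowlist and route every denied flow to alerting. The point of the exercise is that a web tier's sanctioned destinations are few enough to enumerate, so after a React2Shell compromise both a callback to attacker infrastructure and a direct connection from the web tier to the database stand out immediately instead of blending into east-west traffic.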