
Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability

Severity: Critical
Exploit: remote
Published: Fri Dec 05 2025 (12/05/2025, 14:10:00 UTC)
Source: The Hacker News

Description

Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge. The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution. It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1. According

AI-Powered Analysis

Last updated: 12/06/2025, 04:41:30 UTC

Technical Analysis

The React2Shell vulnerability (CVE-2025-55182) is a critical security flaw in React Server Components (RSC) that allows unauthenticated remote code execution (RCE). This vulnerability has a CVSS score of 10.0, indicating maximum severity. It affects React versions prior to 19.0.1, 19.1.2, and 19.2.1, which are the releases that address the issue. The flaw enables attackers to execute arbitrary commands on vulnerable servers without any authentication, posing a severe risk to confidentiality, integrity, and availability.

Within hours of public disclosure, two China-linked advanced persistent threat (APT) groups, Earth Lamia and Jackpot Panda, began exploiting this vulnerability. Earth Lamia has a history of targeting financial services, logistics, retail, IT companies, universities, and government entities across Latin America, the Middle East, and Southeast Asia. Jackpot Panda primarily targets online gambling-related entities in East and Southeast Asia and has been linked to supply chain compromises and trojanized installers.

The exploitation attempts observed include running system discovery commands (e.g., whoami), writing files to the filesystem (e.g., /tmp/pwned.txt), and reading sensitive files (e.g., /etc/passwd), indicating attempts to establish persistence and gather intelligence. Amazon Web Services (AWS) detected these activities through their MadPot honeypot infrastructure, linking the IPs and infrastructure to these known threat actors. The attackers are conducting broad scanning campaigns that combine React2Shell with other N-day vulnerabilities, such as a NUUO Camera flaw (CVE-2025-1338), to increase their chances of finding vulnerable systems.

The rapid weaponization and active exploitation attempts underscore the criticality of this vulnerability. Additionally, Cloudflare experienced a brief outage due to changes in their Web Application Firewall aimed at mitigating this vulnerability, highlighting the widespread impact on infrastructure providers. The threat actors' systematic approach to integrating new exploits quickly into their scanning infrastructure demonstrates a high level of operational sophistication and intent to compromise vulnerable systems at scale.

Potential Impact

European organizations using vulnerable React Server Components are at high risk of severe compromise due to this vulnerability. Successful exploitation can lead to full remote code execution without authentication, allowing attackers to execute arbitrary commands, deploy malware, steal sensitive data, and disrupt services. Critical sectors such as financial services, government, IT, logistics, and academia could face data breaches, operational outages, and reputational damage. The broad scanning campaigns increase the likelihood of widespread compromise, potentially affecting supply chains and third-party service providers. Given the involvement of state-linked Chinese threat actors, there is an elevated risk of espionage, intellectual property theft, and targeted attacks against strategic European assets. The exploitation of this vulnerability could also facilitate lateral movement within networks, enabling attackers to escalate privileges and compromise additional systems. The Cloudflare outage incident illustrates the potential for collateral impact on internet infrastructure and cloud services relied upon by European enterprises. Overall, the threat poses a critical risk to confidentiality, integrity, and availability of affected systems across Europe.

Mitigation Recommendations

1. Immediately update all React Server Components to the patched versions 19.0.1, 19.1.2, or 19.2.1 to remediate the React2Shell vulnerability.
2. Conduct comprehensive asset inventories to identify all instances of React Server Components in use, including in third-party and supply chain software.
3. Deploy network-level intrusion detection and prevention systems (IDS/IPS) with signatures or heuristics to detect exploitation attempts, such as unusual command executions or file writes (e.g., attempts to create /tmp/pwned.txt).
4. Restrict external exposure of React Server Components by implementing network segmentation and firewall rules limiting access to trusted sources only.
5. Monitor logs for suspicious activities, including execution of discovery commands (e.g., whoami) and access to sensitive files (/etc/passwd).
6. Implement application-layer protections such as Web Application Firewalls (WAFs) configured to detect and block exploit payloads targeting this vulnerability.
7. Conduct threat hunting exercises focusing on indicators of compromise related to Earth Lamia and Jackpot Panda tactics, techniques, and procedures (TTPs).
8. Review and strengthen supply chain security controls to mitigate risks from trojanized installers or compromised third-party components.
9. Educate development and operations teams about the vulnerability and the importance of timely patching and secure coding practices.
10. Collaborate with cybersecurity information sharing organizations to stay updated on emerging exploitation trends and indicators.
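Two of the steps above (patch-level triage in step 1 and log monitoring in step 5) are mechanical enough to script. The following is an added example for this page, not code from The Hacker News, from AWS, or from the React project: it classifies an installed React version against the three fixed releases the advisory names (19.0.1, 19.1.2, 19.2.1), and scans log lines for the three post-exploitation indicators the advisory reports (whoami, /tmp/pwned.txt, /etc/passwd). The log lines are constructed samples. Assumptions are marked in comments: versions outside the 19.0/19.1/19.2 lines are reported as "not_covered" rather than guessed at, and the log format is a hypothetical Node.js process log.

```python
"""Defender-side triage helpers for CVE-2025-55182 (React2Shell).

Added example; not code from the advisory, AWS, or the React project.
Covers two items from the mitigation list:
  1. decide whether an installed React version is at or above the fixed
     release for its minor line (19.0.1 / 19.1.2 / 19.2.1 per the advisory);
  2. flag the post-exploitation indicators the advisory names (whoami,
     /tmp/pwned.txt, /etc/passwd) in application or shell audit logs.
"""
import re
from typing import Dict, List, Tuple

# Fixed releases per the advisory, keyed (major, minor) -> first patched patch level.
FIXED_VERSIONS: Dict[Tuple[int, int], int] = {
    (19, 0): 1,
    (19, 1): 2,
    (19, 2): 1,
}

# Accepts an installed version as reported by e.g. `npm ls react`; an optional
# leading "v" is tolerated. Range specifiers ("^19.1.0") are deliberately not
# accepted, because a range does not tell you what is actually installed.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def classify_react_version(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'not_covered'.

    'not_covered' means the major.minor line is not one of the three lines
    the advisory lists. Assumption: such versions need a separate check and
    are not assumed safe.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable installed version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed_patch = FIXED_VERSIONS.get((major, minor))
    if fixed_patch is None:
        return "not_covered"
    return "patched" if patch >= fixed_patch else "vulnerable"


# Indicators taken from the observed exploitation attempts in the advisory.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "discovery_whoami": re.compile(r"(?<![\w/])whoami(?!\w)"),
    "marker_file_write": re.compile(r"/tmp/pwned\.txt"),
    "passwd_read": re.compile(r"/etc/passwd"),
}


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, indicator name, line) for every hit.

    A single line can produce several hits if it contains several indicators.
    """
    hits: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(lines, start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((idx, name, line.rstrip()))
    return hits


# Constructed sample lines in a hypothetical Node.js process-log format;
# not real captures.
SAMPLE_LOG = [
    "2025-12-05T15:02:11Z node[4121]: child_process exec: whoami",
    "2025-12-05T15:02:12Z node[4121]: fs.writeFile /tmp/pwned.txt",
    "2025-12-05T15:02:13Z node[4121]: fs.readFile /etc/passwd",
    "2025-12-05T15:02:14Z node[4121]: GET /api/health 200",
]

if __name__ == "__main__":
    for v in ("19.0.0", "19.1.2", "19.2.0", "18.3.1"):
        print(f"react {v}: {classify_react_version(v)}")
    for lineno, name, text in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: {name}: {text}")
```

The version check is meant to run against what is actually installed (the resolved version in a lockfile or the output of `npm ls react`), not against the range in package.json. The indicator scan is a starting point for step 5, not a substitute for it: `whoami` in particular is a legitimate command in many environments, so hits should be correlated with the serving process and the time of the request rather than alerted on in isolation.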


Technical Details

Article Source: https://thehackernews.com/2025/12/chinese-hackers-have-started-exploiting.html (fetched 2025-12-06T04:40:41 UTC, 1191 words)

Threat ID: 6933b3cf2271496a0fa5db16

Added to database: 12/6/2025, 4:40:47 AM

Last enriched: 12/6/2025, 4:41:30 AM

Last updated: 12/6/2025, 1:29:02 PM

