Article Details

Scrape Timestamp (UTC): 2025-12-05 14:13:24.804

Source: https://www.theregister.com/2025/12/05/aws_beijing_react_bug/

Original Article Text


Beijing-linked hackers are hammering max-severity React bug, AWS warns

State-backed attackers started poking the flaw as soon as it dropped – anyone still unpatched is on borrowed time.

Amazon has warned that China-nexus hacking crews began hammering the critical React "React2Shell" vulnerability within hours of disclosure, turning a theoretical CVSS-10 hole into a live-fire incident almost immediately.

In a new advisory, AWS said its threat intelligence teams "observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda."

Those attempts were captured through MadPot, Amazon's honeypot network, which logged scanning and exploit traffic tied to infrastructure previously linked to Beijing-aligned operators. The attackers, who are known for exploiting web application bugs to hit organizations, were already flinging specially crafted HTTP requests based on public proof-of-concept exploits, according to Amazon.

"China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure," wrote CJ Moses, CISO and VP of Security Engineering at Amazon. "Through monitoring in our AWS MadPot honeypot infrastructure, Amazon threat intelligence teams have identified both known groups and previously untracked threat clusters attempting to exploit CVE-2025-55182."

The finding adds urgency to warnings earlier this week about CVE-2025-55182, the maximum-severity flaw in React Server Components and dependent frameworks such as Next.js. The bug stems from unsafe deserialization inside React's server-side packages, allowing an unauthenticated attacker to send a crafted request and achieve remote code execution.

Google-owned Wiz estimates that roughly 39 percent of cloud environments were still running vulnerable versions earlier this week, with React's dominance across the modern web making the potential blast radius enormous.

AWS's discovery that state-backed hackers have already pounced on the bug makes clear how fast things have gone from bad to worse. The tech giant says it has deployed mitigations across its managed services, but reiterated that these "aren't substitutes for patching." Customers running React or Next.js on EC2, containers, or self-managed infrastructure are urged to update immediately.

Not everyone in the industry is convinced the reaction has been proportionate. Security watcher Kevin Beaumont warned that parts of the sector were working themselves into a frenzy, writing that "the cybersecurity industry overreacts to React vulnerability – starts panic burns own house down again." His view is that while the flaw is serious and patching is non-negotiable, blanket emergency changes by organizations that don't even expose the vulnerable endpoints risk creating self-inflicted outages.

One big name already has, according to Beaumont, who says Friday's Cloudflare outage – yes, another one – was the result of the company "taking down their own service while trying to spot an actually very niche vuln."

React shipped patched releases the day the vulnerability dropped, covering all affected server-side packages. But the near-instant appearance of malicious traffic means any organization that delayed patching should assume its systems have already been probed. With Chinese state-nexus actors now in the mix and opportunistic criminals likely to follow, the once theoretical patch window has collapsed to zero.

Daily Brief Summary

NATION STATE ACTIVITY // Chinese State-Linked Groups Exploit Critical React Vulnerability Rapidly

Amazon reports that Chinese state-backed hackers quickly targeted the critical React "React2Shell" vulnerability, exploiting it within hours of its disclosure.

AWS's threat intelligence observed active exploitation attempts by groups such as Earth Lamia and Jackpot Panda, using the MadPot honeypot network.

The vulnerability, CVE-2025-55182, allows unauthenticated remote code execution through unsafe deserialization in React's server-side packages; Wiz estimates that roughly 39% of cloud environments were still running vulnerable versions.

AWS has implemented mitigations across its services but emphasizes that these are not substitutes for patching; immediate updates are advised for affected systems.

Some industry experts caution against overreaction, noting potential self-inflicted outages from emergency responses, as seen with a recent Cloudflare incident.

The rapid exploitation by state actors highlights the urgency for organizations to patch vulnerabilities promptly to prevent potential breaches.

The widespread use of React increases the potential impact, making swift action critical to safeguard affected infrastructures.