React2Shell is a critical unauthenticated remote code execution vulnerability, tracked as CVE-2025-55182, in React Server Components and related frameworks such as Next.js. The flaw arises because unsafe deserialization in the internal Flight protocol allows an attacker, without logging in or holding valid credentials, to send a specially crafted HTTP request whose payload is executed on the server. This gives the attacker arbitrary command execution in the context of the vulnerable application process.
Within hours of the vulnerability's public disclosure on 3 December 2025, multiple malicious actors began exploiting it in the wild. Initially, China-linked advanced persistent threat groups operating as cyber-criminal actors were observed rapidly weaponizing the flaw. Two identified groups, Earth Lamia and Jackpot Panda, both linked to Chinese interests, commenced active exploitation campaigns almost immediately after disclosure, using both automated scanning tools and manual exploitation to gain access to vulnerable servers. Their activities included executing reconnaissance commands, attempting to steal credentials, deploying crypto-mining tools, and establishing initial access footholds on compromised systems.
Subsequent analysis showed that exploitation was not limited to those two groups. Other China-sponsored threat actors, such as UNC5174, were also implicated in operational activity tied to the vulnerability.
In addition to China-linked exploitation, North Korean threat actors have been linked to targeted campaigns leveraging this flaw. These actors deployed a sophisticated malware called EtherRAT post-exploitation, which uses multiple persistence techniques, Node.js runtime manipulation, and even blockchain-based command-and-control mechanisms to maintain access and evade detection. EtherRAT activity associated with this exploitation chain was observed in real compromises shortly after disclosure, demonstrating that multiple nation-state groups moved to exploit React2Shell for distinct objectives.
Exploitation has been observed at scale, affecting tens of thousands of exposed servers, and has resulted in confirmed breaches at more than 30 organizations across sectors. Automated botnets and opportunistic scans contributed to the rapid spread of attacks, alongside the focused activity of the cyber-criminal and state-linked actors described above.
In conclusion, React2Shell was widely exploited almost immediately after public disclosure using shared proof-of-concept exploits and automated tools. The primary malicious actors include China-linked groups such as Earth Lamia, Jackpot Panda, and UNC5174, as well as North Korean actors deploying the EtherRAT malware, each exploiting the vulnerability for remote code execution, initial access, and other post-compromise objectives.