Daily Tech News: December 8, 2025

React2Shell: The Zero‑Day That Broke the Internet (and Your Weekend)

Chinese state-linked hackers are actively exploiting a brand-new critical vulnerability dubbed React2Shell, and the scramble to patch it just knocked parts of Cloudflare offline with 500 errors for a few minutes. [2] This thing has a perfect 10.0 CVSS score, is already in CISA’s Known Exploited Vulnerabilities catalog, and attackers are scanning the internet at scale for anything they can pop. [2][4][5]

React2Shell is a critical flaw tracked as CVE-2025-55182, impacting a widely used open-source component referred to as React2Shell that’s embedded in thousands of digital products. [2] Amazon Integrated Security (AWS) says its MadPot honeypot network is seeing exploitation attempts from infrastructure previously linked to the China-nexus groups Earth Lamia and Jackpot Panda. [2] These are not script-kiddie crews: Earth Lamia was tied to a critical SAP NetWeaver exploit earlier this year, while Jackpot Panda has a history of supply-chain compromises like the Comm100/CloudChat operation (aka Operation ChattyGoblin). [2]

The vulnerability has a CVSS score of 10.0, and CISA has already pushed CVE-2025-55182 into the KEV catalog, which is the “drop everything and patch this now” list for federal networks and strongly recommended for everyone else. [2][4] Multiple public proof-of-concept exploits have landed, lowering the bar for opportunistic attackers, although some PoCs floating around are malicious or fake, which adds another layer of risk during incident response. [4]

AWS reports that attackers are using the React2Shell exploit to run classic post-exploitation commands like whoami, read sensitive files such as /etc/passwd, and even drop marker files like /tmp/pwned.txt on compromised systems. [2] They are bundling this bug with other N-day vulnerabilities, like a flaw in NUUO Camera (CVE-2025-1338), and scanning broadly for any unpatched target they can reach. [2]

To make things more chaotic, Cloudflare pushed a change to its Web Application Firewall to help mitigate the React2Shell / React Server Components class of issues, and that protection update itself caused a brief but wide 500 Internal Server Error outage across its network. [2] Cloudflare explicitly said this was not an attack but a bad rules change in how the WAF parses requests, deployed in response to this “industry-wide vulnerability” in React Server Components. [2]

For developers and power users, this matters on three levels:

First, if you ship or deploy anything that embeds this React2Shell component or frameworks/libraries that rely on it, you’re now squarely in “assume active exploitation” territory until you patch. [2][4][5] Second, the exploit is already weaponized by state-linked actors and being sprayed across the internet, so this is not a theoretical CVE that can sit in your backlog. [2][5] Third, Cloudflare’s outage is the perfect example of how the defensive blast radius of a rushed mitigation can hit uptime, user experience, and your on-call team just as hard as the exploit itself. [2]

On the ops side, you should assume vulnerable internet-facing services are being scanned right now, and that logs will show noisy probes intermixed with a smaller number of actual exploitation attempts. [2][5] The presence of commands like whoami, attempts to read /etc/passwd, or odd temporary files is a clear signal that someone has moved from scanning to post-exploitation. [2] Given the KEV listing and the scale of scanning, many organizations will end up doing emergency patching, compensating controls (WAF rules, IP blocking), and quick triage of suspicious hosts all at once. [4][5]

If you’re running infrastructure that might embed this vulnerable component (directly or via a dependency tree), here’s the sort of thing you should be doing right now on Linux boxes to hunt for obvious compromise patterns AWS observed: [2]

# 1. Look for the AWS-observed marker file
#    (the trailing -print keeps the pruned /proc and /sys entries themselves out of the output)
sudo find / \( -path /proc -o -path /sys \) -prune -o -name "pwned.txt" -print 2>/dev/null

# 2. Grep recent logs for React2Shell-style post-exploitation strings
sudo grep -R "whoami" /var/log 2>/dev/null | tail
sudo grep -R "/etc/passwd" /var/log 2>/dev/null | tail

# 3. Quick process check: shells, interpreters or download tools spawned as children of your web stack
#    (matching on whole words avoids the false positives a bare "sh" pattern produces, e.g. sshd)
for pid in $(pgrep -f "node|next|nginx|apache"); do
  ps -o pid=,ppid=,user=,args= --ppid "$pid" | grep -wE "sh|bash|dash|python[0-9.]*|perl|curl|wget"
done

Obviously, this is just quick-and-dirty triage, not full IR, but it’s better than staring at a blinking cursor while the KEV entry mocks you. [2][4][5]
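As an added example (not code from the original post or from AWS's write-up), here is a small Python triage script that applies the same indicators to web-server access logs: it groups requests by source IP, separates high-volume failing probes from sources whose requests carry the post-exploitation strings the article lists, and runs on constructed sample lines. The combined log format, the scan threshold and the sample addresses are assumptions, not anything observed in the wild.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Indicators the article attributes to AWS's observations of React2Shell follow-on
# activity: whoami execution, /etc/passwd reads and the /tmp/pwned.txt marker file.
POST_EXPLOIT = [re.compile(p) for p in (r"\bwhoami\b", r"/etc/passwd", r"/tmp/pwned\.txt")]

# Apache/nginx combined log format prefix (assumed): ip ident user [time] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, percent-decoded request line, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so double-encoded payloads (e.g. %252Fetc%252Fpasswd) still match.
    return m.group("ip"), unquote(unquote(m.group("req"))), int(m.group("status"))

def triage(lines, scan_threshold=5):
    """Label each IP: 'post-exploitation' (indicator seen), 'scanner' (many failing requests) or 'normal'."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "hits": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash mid-triage
        ip, req, status = parsed
        s = stats[ip]
        s["requests"] += 1
        s["errors"] += status >= 400
        if any(p.search(req) for p in POST_EXPLOIT):
            s["hits"].append(req)
    labels = {}
    for ip, s in stats.items():
        if s["hits"]:
            labels[ip] = "post-exploitation"
        elif s["requests"] >= scan_threshold and s["errors"] / s["requests"] >= 0.5:
            labels[ip] = "scanner"
        else:
            labels[ip] = "normal"
    return labels

# Constructed sample lines (not real traffic): a noisy scanner, one attacker, one normal client.
SAMPLE_LOG = [
    *[f'203.0.113.5 - - [08/Dec/2025:10:00:0{i} +0000] "GET /probe{i} HTTP/1.1" 404 153'
      for i in range(6)],
    '198.51.100.7 - - [08/Dec/2025:10:01:00 +0000] "POST /?cmd=%2Fetc%2Fpasswd HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Dec/2025:10:01:05 +0000] "GET /?x=whoami HTTP/1.1" 200 64',
    '192.0.2.10 - - [08/Dec/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
```

Run `triage(SAMPLE_LOG)` to get one label per source IP; on a real box, feed it the lines of your access log and treat every 'post-exploitation' source as a host to isolate and image, not just block.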

My take: React2Shell is another loud reminder that our entire stack is now one giant, tangled supply chain, and when a core building block gets a 10.0 vuln, everybody pays—vendors, clouds, frameworks, and end users. The Cloudflare incident underlines a brutal truth: we’ve reached a point where defending against zero-days can knock more services offline than some of the attackers do, and if you’re not designing for “patch fast without burning the house down,” you’re already behind.
