The Google Threat Intelligence Group (GTIG) linked five more China-linked threat groups to the ongoing exploitation of the React2Shell vulnerability.

Experts said the recent development increased the urgency for security teams to patch the flaw right away, as CVE-2025-55182 has a 10.0 CVSS score and was already exploited by multiple Chinese groups, including Earth Lamia and Jackpot Panda. It was also placed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

React2Shell took the security world by storm earlier this month when, on Dec. 4, AWS researchers reported that the bug was actively exploited within hours of its public disclosure the day before, on Dec. 3.

According to GTIG, the list of China-linked threat groups exploiting the flaw now also includes: UNC6600 (MINOCAT tunneler), UNC6586 (SNOWLIGHT downloader), UNC6588 (COMPOOD backdoor), UNC6603 (updated version of the HISONIC backdoor), and UNC6595 (Remote Access Trojan).
Denis Calderone, chief operating officer at Suzu Labs, said that while threat actors have always raced to weaponize high-value vulnerabilities, what’s noteworthy here is the speed with which five distinct Chinese groups — each with different toolkits — operationalized the same exploit within days of public disclosure.

“That timeline used to be measured in weeks,” said Calderone. “The diversity of malware being deployed, such as tunnelers, downloaders, and backdoors, tells us these groups aren't coordinating with each other. They are just executing on the universal playbook to move fast before the patch window closes.”

Calderone added that what's changed isn't the behavior so much as the tooling: AI-assisted exploit development and automated attack infrastructure have compressed weaponization timelines dramatically.

“A 10.0 CVSS in a widely deployed framework is still catnip for anyone with offensive capability, but now the window between when the vulnerability gets disclosed and when we see it exploited in the wild is shrinking to hours, not days,” said Calderone. “That's the real story: the race hasn't changed, but everyone's gotten faster.”
Frankie Sclafani, director of cybersecurity enablement at Deepwatch, added that the swift mobilization of five distinct China-linked groups targeting React2Shell highlights the industrialized nature of China’s cyber espionage ecosystem. Sclafani said it reinforces an assumption many threat intelligence researchers have held for years: that China-linked groups operate with a high degree of readiness and potential intelligence sharing.

“When a critical vulnerability like React2Shell gets disclosed, these actors seem to execute pre-planned strategies to establish persistence before patching occurs,” noted Sclafani. “The variety of deployed tools, such as the MINOCAT tunneler and COMPOOD backdoor, indicates that these groups maintain diverse, adaptable, modular arsenals ready for immediate deployment. This highlights the reality that speed-to-exploit is now a primary metric of state-sponsored tradecraft.”

Mike McGuire, senior security solutions manager at Black Duck, said he’s especially concerned about React2Shell because it lets attackers blend in and stay hidden for longer. McGuire said the broader takeaway is that attackers will continue to pivot quickly to weaknesses deep in the web application stack.

“Organizations need to assume these vulnerabilities will be targeted immediately and make sure their patching processes, SBOM-driven visibility, and monitoring can keep up,” said McGuire. “They should proactively maintain visibility into all their open source dependencies and spring to action quickly when severe, widespread vulnerabilities like this are discovered.”

Andi Ursry, a threat intelligence analyst at Blackpoint Cyber, added that based on what they see in the SOC, this looks less like a uniquely Chinese tactic and more like what happens whenever a CVSS 10 RCE with a public PoC hits the ecosystem. Ursry said that, in practice, once a PoC is public for a vulnerability like this, multiple threat groups are expected to pile on, a pattern seen repeatedly.
Ursry said it’s not about who finds it first, but who can operationalize it fastest.

“What made this messy wasn’t just the vulnerability, but the combination of severity and exposure surface, as well as the speed at which exploitation followed disclosure,” said Ursry. “The most dangerous part of React2Shell isn’t the initial exploit… it’s what comes after, and we continue to monitor for persistence, lateral movement, and reuse across environments that didn’t realize they were exposed.”
More China-linked groups exploit React2Shell CVE-2025-55182 zero-day