News about the fast-breaking React2Shell bug has security pros saying it could force the industry to rethink how to operate in the AI era, including redefining patching schedules and our notions about 24-7-365 uptime from service providers. Most cybersecurity pros are now well aware of this 10.0 flaw: AWS researchers reported on Dec. 4 that within hours of the public disclosure of React2Shell (CVE-2025-55182) on Dec. 3, the bug was actively exploited in the wild by multiple China-state threat groups, including Earth Lamia and Jackpot Panda.Cloudflare determined that the React2Shell was so dangerous that it was willing to sustain a short 25-minute outage to fix the bug.In a Dec. 5 blog post, Cloudflare said the outage was not a cyberattack on Cloudflare’s systems or malicious activity of any kind.Instead, the internet services firm said it was "triggered by changes being made to the company’s body parsing logic while attempting to detect and mitigate" the React2Shell bug.“The Cloudflare outage isn't just an operational incident, it's a case study in how mature organizations are now making real-time risk calculations with global consequences,” said Denis Calderone, chief operating officer at Suzu Labs. “The Chinese threat actor involvement isn't surprising, but the speed and sophistication of their response is a wake-up call.”Related reading:
Calderone added that Cloudflare made the right call, and organizations watching from the sidelines should take note, pointing out that when a company that literally runs a significant portion of internet infrastructure decides the risk of active exploitation was worse than voluntarily taking services down, that's a signal to security pros.“This wasn't a configuration mistake or a botched deployment, as we have seen before, but rather this was a calculated decision that the vulnerability was so dangerous they couldn't wait for a maintenance window,” explained Calderone. “Security teams still debating whether to patch over the weekend just got their answer."
The latest campaign by Chinese state actors exploiting React2Shell, emphasizes the increased speed advanced threat actors exploit critical vulnerabilities upon public disclosure, said Lauren Rucker, senior cyber threat intelligence analyst at Deepwatch. Threat actors are not relying solely on automated scans. Rucker pointed out that attacks on AWS honeypots observed a mix of public, including broken, exploits combined with iterative manual testing and real-time troubleshooting against live targets.Observed behaviors included attempts to execute Linux commands (whoami, id), create files (/tmp/pwned.txt), and read system files (/etc/passwd/). This active debugging confirms rapid, targeted engagement with the flaw.“The traditional 30-day patching timeline should no longer be considered a viable mitigation against malicious actors for key operational technologies,” said Rucker. “As experienced professionals in system administration and vulnerability management, we recognize the inherent risk in high-speed, emergency deployments. “Suzu Labs’ Calderone added that what's notable in this case isn't just how quickly that China-linked Earth Lamia and Jackpot Panda jumped on the vulnerability, it's the operational discipline involved. AWS observed them debugging exploits in real-time against honeypots, refining their payloads on the fly.“These aren't script kiddies running automated scans, these are well-resourced operators with processes built to weaponize new vulnerabilities within hours of disclosure,” said Calderone. “The window between ‘zero-day’ and 'everyone's a target' has essentially collapsed. Organizations need to internalize that threat actors are watching the same CVE feeds they are and moving faster than the defenders in many cases."
Vulnerability Management, Patch/Configuration Management, Network Security, AI/ML, Exposure management
React2Shell bug exploited by China-linked groups, fix briefly disrupts Cloudflare

(Adobe Stock)
An In-Depth Guide to Network Security
Get essential knowledge and practical strategies to fortify your network security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



