Analysts warned CVE-2025-55182 could be a dangerous vulnerability – sadly, they were right, as Chinese hackers enjoy a field day of exploitation.
It’s the perfect 10 vulnerability that had everyone worried last week, and now we’re finding out just how right those concerns were.
Within 24 hours of CVE-2025-55182 being disclosed on 3 December, Amazon’s threat intelligence teams were seeing multiple threat actors linked to China attempting to exploit the bug – roughly the same time frame that saw the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) release its own warning.
“China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalising public exploits within hours or days of disclosure,” AWS said in a 4 December blog post.
“Through monitoring in our AWS MadPot honeypot infrastructure, Amazon threat intelligence teams have identified both known groups and previously untracked threat clusters attempting to exploit CVE-2025-55182.”
The numbers already speak to the severity of the problem. Palo Alto Networks has seen more than 30 organisations compromised as of 6 December, while the not-for-profit Shadowserver Foundation was tracking more than 77,000 vulnerable IP addresses as of the same date.
As of the time of writing, 532 organisations in Australia are vulnerable.
The nature of the exploitation attempts appears to be quite mixed, with cyber security firm GreyNoise seeing “a mix of fresh and legacy infrastructure” in play.
“The HTTP client and TCP stack fingerprints are overwhelmingly automation-heavy, not organic browsing,” GreyNoise said in a 5 December blog post.
“There’s also an early focus on just this vulnerability, but we’ve already detected a slow migration of this CVE being added to Mirai and other botnet exploitation kits.”
Unsurprisingly, the US Cybersecurity and Infrastructure Security Agency has already added CVE-2025-55182 to its Known Exploited Vulnerabilities Catalog.
CVE-2025-55182 was first reported to the React dev team on 29 November by security consultant Lachlan Davidson. If exploited, it could allow an attacker to achieve unauthenticated remote code execution in several vulnerable packages, in versions 19.0, 19.1.0, 19.1.1, and 19.2.0:
According to the React team, a fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1, and they recommend upgrading immediately, as does watchTowr’s CEO, Benjamin Harris.
“If you’ve got React served apps anywhere in your stack, you must move now: apply patches immediately, implement WAF mitigations, and actively hunt for any signs of exposure,” he said.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.