Critical Next.js React2Shell flaw exploited to steal credentials from 766 hosts
Key Takeaways
- A critical vulnerability, CVE-2025-55182 (React2Shell), in Next.js React Server Components is being actively exploited.
- Attackers leveraged this flaw to compromise 766 servers in 24 hours, stealing credentials and sensitive data across major cloud providers.
- The threat actor, UAT-10608, uses an automated attack chain and a custom C2 framework called NEXUS Listener.
- The vulnerability has a CVSS score of 10.0, allowing unauthenticated remote code execution.
- Immediate patching and credential rotation are crucial for affected Next.js applications.
A severe security vulnerability, dubbed React2Shell and tracked as CVE-2025-55182, is currently under active exploitation, impacting web applications built using the popular Next.js framework. This widespread cyberattack campaign has rapidly compromised numerous internet-facing systems.
Within a mere 24-hour period, threat actors successfully breached 766 servers, exfiltrating a substantial volume of sensitive information, including passwords, cloud keys, and database credentials.
The React2Shell Vulnerability
The core of this attack lies in CVE-2025-55182, also known as React2Shell, which carries a maximum CVSS severity score of 10.0. This critical flaw resides within the React Server Components (RSC) Flight protocol, specifically concerning how a React server processes HTTP requests directed at Server Function endpoints. The vulnerability allows an attacker to execute arbitrary code on the server through a single, specially crafted HTTP request, requiring no prior authentication. Due to its significant downstream impact, Next.js has also been assigned a separate tracking number, CVE-2025-66478, for its exposure to this flaw.
Researchers at Cisco Talos identified this highly automated operation, attributing it to a threat cluster they are now tracking as UAT-10608.
Automated and Indiscriminate Attacks
The campaign exhibits a systematic and indiscriminate approach. Attackers utilize scanning services such as Shodan and Censys to sweep the internet for publicly accessible Next.js deployments running vulnerable versions of React Server Components. Once a target is identified, the entire exploitation and data exfiltration process proceeds autonomously, requiring no further manual intervention after the initial exploit is triggered.
The extent of the damage is considerable. Across diverse geographical regions and major cloud providers, including AWS, Google Cloud, and Microsoft Azure, at least 766 hosts were confirmed compromised within a single day. The stolen data encompasses a wide array of critical assets, such as database connection strings, SSH private keys, cloud access tokens, GitHub tokens, Stripe live secret keys, Kubernetes service account credentials, environment variables, and shell command histories. More than 10,120 files were collectively harvested from the affected systems.
The ramifications of this campaign extend beyond immediate account takeover. Several breached hosts exposed package registry authentication files, including npm and pip configuration files containing registry credentials. Should attackers leverage these tokens to inject malicious versions of trusted software packages, the potential harm could propagate to any organization that installs those packages, thereby posing a significant supply chain threat.
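Rotating the package-registry credentials mentioned above starts with knowing which ones a host actually carried. The following is an added example, not code from Cisco Talos, HackersRadar or the Next.js project: it parses the two file types the article names (an npm `.npmrc` and a pip `pip.conf`) and lists the registries and accounts that hold credentials, without printing the secret values. The sample file contents, hostnames and token strings are constructed for the example.

```python
"""Inventory of package-registry credentials that an incident responder should
rotate after a host compromise.

Added example, not code from Cisco Talos, HackersRadar or the Next.js project.
It parses .npmrc and pip.conf content and reports which registries and accounts
carry credentials, without reporting the secret values. Sample files are constructed."""
import configparser
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Matches npm auth lines such as "//registry.npmjs.org/:_authToken=..." and the
# older unscoped "_auth=..." form. The secret value is captured but never reported.
NPMRC_AUTH_RE = re.compile(
    r"^\s*(?://(?P<registry>[^:]+):)?(?P<key>_authToken|_auth|_password)\s*=\s*(?P<value>\S+)"
)

# Constructed sample: a CI host's ~/.npmrc with a public and a scoped registry.
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_EXAMPLEtoken000
@acme:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=ghp_EXAMPLEtoken000
; comment lines are ignored
"""

# Constructed sample: a pip.conf with credentials embedded in index URLs.
SAMPLE_PIP_CONF = """\
[global]
index-url = https://ci-bot:EXAMPLEsecret@pypi.internal.example/simple
extra-index-url =
    https://pypi.org/simple
    https://deploy:EXAMPLEsecret2@artifacts.example.net/simple
"""


def npmrc_credentials(text: str) -> List[Tuple[str, str]]:
    """Return (registry, auth-key) pairs for every credential line in an .npmrc."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith((";", "#")):
            continue
        match = NPMRC_AUTH_RE.match(line)
        if match:
            # An unscoped "_auth=" line applies to the default registry.
            registry = match.group("registry") or "registry.npmjs.org/"
            found.append((registry, match.group("key")))
    return found


def pip_credentials(text: str) -> List[Tuple[str, str]]:
    """Return (host, username) pairs for index URLs that embed a user:password."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    found = []
    for section in parser.sections():
        for option in ("index-url", "extra-index-url"):
            if not parser.has_option(section, option):
                continue
            # extra-index-url may list several URLs, one per continuation line.
            for url in parser.get(section, option).split():
                parts = urlparse(url)
                if parts.username:
                    found.append((parts.hostname, parts.username))
    return found


def rotation_report(npmrc: str, pip_conf: str) -> List[str]:
    """Human-readable list of credentials to revoke, with no secret material."""
    report = [f"npm   {registry} ({key})" for registry, key in npmrc_credentials(npmrc)]
    report += [f"pip   {host} (user {user})" for host, user in pip_credentials(pip_conf)]
    return report


if __name__ == "__main__":
    for entry in rotation_report(SAMPLE_NPMRC, SAMPLE_PIP_CONF):
        print("rotate:", entry)
```

Reporting only the registry and account name, never the token, keeps the rotation list safe to paste into a ticket; the same two parsers can be pointed at the real files collected from each affected host.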
The NEXUS Listener: Orchestrating Data Exfiltration
To manage the torrent of stolen information from hundreds of compromised servers, UAT-10608 has deployed a bespoke command-and-control (C2) framework named NEXUS Listener. This web-based platform, currently in its third version, furnishes operators with a graphical dashboard. From this interface, they can browse compromised hosts, categorize stolen credentials, review harvesting statistics, and ascertain the number of credentials successfully extracted during each phase of an attack.
The attack sequence begins with the identification of a vulnerable endpoint, followed by the transmission of a single malicious HTTP request to the RSC Server Function endpoint. The server then deserializes the crafted payload, executing arbitrary code. This action drops a lightweight shell script into a temporary directory under a randomized filename, aiming to evade detection. This initial dropper subsequently retrieves a multi-phase credential harvesting script from the attacker’s infrastructure.
Each subsequent phase is dedicated to collecting a different category of data, ranging from SSH keys and cloud tokens to database passwords. This harvested information is then reported back to the NEXUS Listener C2 server on port 8080, along with the victim’s hostname and a phase identifier. The highly automated nature of this process explains how UAT-10608 managed to compromise hundreds of systems with such speed.
What You Should Do
- Organizations using the App Router or any implementation of React Server Components should immediately update to the latest available version of Next.js.
- Rotate all secrets in potentially affected environments, including AWS keys, database passwords, SSH keys, API tokens, and GitHub tokens, without delay.
- Audit containers for overly permissive roles and enforce IMDSv2 on cloud instances to enhance security.
- Cease reusing SSH key pairs across different systems to limit lateral movement in case of compromise.
- Implement robust monitoring of outbound HTTP traffic from application containers, specifically looking for unexpected connections to unknown IP addresses on port 8080, as this can indicate an active breach.
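The last recommendation, monitoring for unexpected outbound connections on port 8080, can be turned into a simple egress check. The following is an added example and not detection content from Cisco Talos or HackersRadar: it runs over a constructed egress log with an assumed record layout (timestamp, source container, destination IP, destination port, protocol) and an assumed allowlist, and flags connections to port 8080 on addresses that are neither allowlisted nor inside the cluster's private ranges. The 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for public destinations.

```python
"""Flag unexpected outbound connections on port 8080 from application containers.

Added example, not detection content from Cisco Talos or HackersRadar. The log
format, the allowlist and the container names are assumptions for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

WATCHED_PORTS = {8080}

# Address space treated as in-cluster and therefore not flagged. Documentation
# ranges (203.0.113.0/24, 198.51.100.0/24) are deliberately left out so they can
# stand in for public destinations in the constructed sample below.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample: egress records from a container host.
SAMPLE_EGRESS_LOG = """\
2025-12-05T10:02:11Z web-frontend-3 198.51.100.10 8080 tcp
2025-12-05T10:02:14Z web-frontend-3 10.0.4.17 8080 tcp
2025-12-05T10:02:19Z web-frontend-3 203.0.113.45 443 tcp
2025-12-05T10:02:20Z web-frontend-3 203.0.113.45 8080 tcp
malformed line that should be skipped
2025-12-05T10:03:02Z api-worker-1 203.0.113.45 8080 tcp
2025-12-05T10:03:40Z api-worker-1 203.0.113.46 8080 tcp
"""

# Constructed allowlist: an internal metrics collector that legitimately listens on 8080.
KNOWN_8080_DESTINATIONS = {"198.51.100.10"}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source: str
    dst_ip: str
    dst_port: int


def parse_egress_line(line: str) -> Optional[tuple]:
    """Split one space-separated record; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) != 5:
        return None
    timestamp, source, dst_ip, dst_port, _proto = fields
    try:
        ipaddress.ip_address(dst_ip)
        return timestamp, source, dst_ip, int(dst_port)
    except ValueError:
        return None


def is_internal(dst_ip: str) -> bool:
    """True when the destination lies in one of the in-cluster ranges above."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_suspicious_egress(
    lines: Iterable[str],
    allowlist: Set[str],
    watched_ports: Set[int] = WATCHED_PORTS,
) -> List[Alert]:
    """Return one Alert per connection to a watched port on an external, non-allowlisted IP."""
    alerts = []
    for line in lines:
        parsed = parse_egress_line(line)
        if parsed is None:
            continue
        timestamp, source, dst_ip, dst_port = parsed
        if dst_port not in watched_ports or dst_ip in allowlist or is_internal(dst_ip):
            continue
        alerts.append(Alert(timestamp, source, dst_ip, dst_port))
    return alerts


def destinations_by_source(alerts: Iterable[Alert]) -> dict:
    """Group flagged destination IPs by source container, for triage."""
    grouped: dict = {}
    for alert in alerts:
        grouped.setdefault(alert.source, set()).add(alert.dst_ip)
    return grouped


if __name__ == "__main__":
    hits = find_suspicious_egress(SAMPLE_EGRESS_LOG.splitlines(), KNOWN_8080_DESTINATIONS)
    for source, ips in destinations_by_source(hits).items():
        print(f"{source}: unexpected 8080 egress to {sorted(ips)}")
```

Grouping the hits by source container makes the triage question concrete: two containers reaching the same unknown external address on 8080 is a stronger signal than one isolated connection, and the allowlist keeps a legitimate internal 8080 service from generating noise.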
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.