React2Shell Vulnerability Exploited to Compromise 700+ Next.js Hosts
Key Takeaways
- A widespread automated credential theft operation, attributed to UAT-10608, has compromised over 700 Next.js web application hosts globally.
- The attackers are exploiting a critical remote code execution vulnerability, React2Shell (CVE-2025-55182), in React Server Components.
- The campaign steals a wide array of sensitive data, including database credentials, SSH keys, AWS cloud credentials, Stripe payment keys, and GitHub access tokens.
- Organizations using Next.js must immediately patch their applications and rotate all potentially compromised credentials and tokens.
Automated Credential Theft Campaign Targets Next.js Applications via React2Shell Vulnerability
Cisco Talos researchers have published details of an extensive automated credential theft campaign, attributed to the threat actor group UAT-10608, that has breached more than 700 web application servers worldwide. The operation targets Next.js applications by exploiting the React Server Components vulnerability known as React2Shell.
The attackers exploit CVE-2025-55182, or React2Shell, a remote code execution (RCE) flaw in React Server Components rated CVSS 10.0. The server-side React code that receives Server Function (server action) calls deserializes the request payload unsafely, so an unauthenticated attacker who can reach the HTTP endpoint can turn a single crafted POST request into arbitrary code execution inside the application's Node.js process; no user interaction is needed. Because the payload runs as the web application itself, everything that process can read (its environment variables, its configuration files, any cloud credentials the host can obtain) is exposed immediately. The affected packages are react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack 19.0.0 through 19.2.0, fixed in 19.0.1, 19.1.2 and 19.2.1; Next.js App Router deployments bundle their own copy of these packages and are fixed only by upgrading Next.js itself.
UAT-10608 Leverages React2Shell for Widespread Compromise
UAT-10608 scans the internet for exposed Next.js servers, fires the React2Shell exploit at each one it finds, and uses the resulting code execution to fetch a credential-harvesting script onto the host. No step in the chain needs valid credentials or any action from a user.
The script then runs in the background, sweeping the server's file system, cloud configuration and process memory for credentials. Because it executes with the privileges of the Next.js process, it reaches that process's environment variables, every file the service account can read, and any cloud credentials the host can obtain, in a single pass. The harvested material, from cloud tokens to database passwords, is exfiltrated to the attackers' command-and-control (C2) infrastructure.
To manage the volume of stolen data, the threat actors use a custom web-based dashboard named "NEXUS Listener." Cisco Talos observed that within a single 24-hour window this dashboard recorded 766 compromised hosts, which gives a sense of the campaign's scale and automation.
The dashboard’s telemetry revealed the alarming scope of the data theft:
- Over 90% of affected hosts had their database credentials compromised.
- Nearly 80% lost their private SSH keys, critical for secure server access.
- Attackers also successfully exfiltrated AWS cloud credentials, live Stripe payment keys, and GitHub access tokens.
The ramifications of these breaches are severe. Stolen database passwords give attackers direct access to user records and financial data. Compromised SSH keys enable lateral movement to every other server that trusts those keys. Stolen cloud credentials can lead to takeover of the cloud account itself, and hijacked GitHub tokens can be used to push malicious code into repositories and, from there, into downstream software supply chains.
What You Should Do
- Patch Immediately: Upgrade the affected React Server Components packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) to 19.0.1, 19.1.2 or 19.2.1 as appropriate, and Next.js to a fixed release. Because Next.js bundles its own copy of the React server packages, an App Router application is only fixed by upgrading next itself. Rebuild and redeploy; the fix is in effect only once the running process has restarted on the fixed code.
- Rotate Credentials: If a vulnerable build was reachable from the internet, treat the host as compromised even without evidence of exploitation. Rotate everything the Next.js process could read, in rough priority order: cloud credentials and SSH keys (they enable lateral movement), GitHub and other CI tokens (check the audit log and recent pushes for activity you did not make), Stripe live keys, then database passwords and remaining API keys. Revoke the old values as you rotate; rotating without revoking leaves the stolen copies valid.
- Restrict Access: On AWS, require IMDSv2 (token-based) for the instance metadata service and set the PUT response hop limit to 1, which blocks metadata access from containers on bridge networking and from simple SSRF. Note the limit of that control: a payload with code execution on the host itself can still complete the IMDSv2 handshake, so the durable protection is an instance role with only the permissions the application needs. Prefer short-lived, scoped credentials over long-lived keys in .env files, which this campaign harvests outright.
- Monitor for Anomalies: Alert on child processes spawned by the Node.js server process (a shell, curl or wget started by the Next.js server has no legitimate reason to exist), on outbound connections from application servers to hosts outside their normal traffic, and on unexpected POST requests from scanner-like sources. Review web server logs for the period since disclosure for such requests that preceded new processes or connections.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.