Hackers News
CyberSecurity News
React2Shell Vulnerability Exploited to Compromise 700+ Next.js Hosts

By Emy Elsamnoudy
April 3, 2026

Key Takeaways

  • A widespread automated credential theft operation, attributed to UAT-10608, has compromised over 700 Next.js web application hosts globally.
  • The attackers are exploiting a critical remote code execution vulnerability, React2Shell (CVE-2025-55182), in React Server Components.
  • The campaign steals a wide array of sensitive data, including database credentials, SSH keys, AWS cloud credentials, Stripe payment keys, and GitHub access tokens.
  • Organizations using Next.js must immediately patch their applications and rotate all potentially compromised credentials and tokens.

Automated Credential Theft Campaign Targets Next.js Applications via React2Shell Vulnerability

Cisco Talos researchers have published details of an extensive automated credential theft campaign, attributed to the threat actor group UAT-10608, that has breached more than 700 web application servers worldwide. The operation targets Next.js applications by exploiting a critical vulnerability known as React2Shell.

The attackers exploit CVE-2025-55182, known as React2Shell, a critical remote code execution (RCE) flaw in React Server Components. A single specially crafted HTTP request to a vulnerable server is enough to execute arbitrary commands: the affected React Server Components packages unsafely deserialize attacker-controlled request data, and the exploit needs neither authentication nor any user interaction.
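Whether a host is exposed comes down to which versions of Next.js and the React Server Components runtime it actually has installed. As an added example (not code from the article or from Cisco Talos), the following Node.js script reads an npm package-lock.json and flags installed copies of next and the react-server-dom-* packages that predate the fixed releases listed in the React and Next.js advisories. The lockfile embedded below is constructed for illustration; the package names and fixed version numbers are the ones the advisories list.

```javascript
// Added example: audit a package-lock.json for React2Shell (CVE-2025-55182)
// exposure. Not code from the article or from Cisco Talos.
//
// Fixed releases, per the React and Next.js security advisories:
//   react-server-dom-{webpack,parcel,turbopack}: 19.0.1, 19.1.2, 19.2.1
//   next: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
// Table shape: package -> major -> minor -> first patch that contains the fix.
const FIXED = {
  next: { 15: { 0: 5, 1: 9, 2: 6, 3: 6, 4: 8, 5: 7 }, 16: { 0: 7 } },
  'react-server-dom-webpack': { 19: { 0: 1, 1: 2, 2: 1 } },
  'react-server-dom-parcel': { 19: { 0: 1, 1: 2, 2: 1 } },
  'react-server-dom-turbopack': { 19: { 0: 1, 1: 2, 2: 1 } },
};

// Parse "15.5.7" or "19.2.1-canary-abc" into numeric parts plus any pre-release tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Classify one installed version:
//   'fixed'        - at or above the fixed patch for its minor line, or a newer line
//   'vulnerable'   - inside an affected line and below the fix; a pre-release of the
//                    fixed patch is treated as vulnerable (conservative)
//   'out-of-range' - older than the lines the advisories list; confirm manually
//   'not-tracked'  - a package this table does not cover
function classify(pkg, version) {
  const table = FIXED[pkg];
  if (!table) return 'not-tracked';
  const v = parseVersion(version);
  if (!v) return 'unparseable';
  const majors = Object.keys(table).map(Number);
  if (v.major < Math.min(...majors)) return 'out-of-range';
  if (v.major > Math.max(...majors)) return 'fixed';
  const minors = table[v.major];
  if (!minors) return 'out-of-range';
  const minorKeys = Object.keys(minors).map(Number);
  if (v.minor > Math.max(...minorKeys)) return 'fixed';
  if (!(v.minor in minors)) return 'out-of-range';
  const fixedPatch = minors[v.minor];
  if (v.patch > fixedPatch || (v.patch === fixedPatch && !v.pre)) return 'fixed';
  return 'vulnerable';
}

// Walk the lockfile's "packages" map (lockfileVersion 2 or 3). Nested copies such as
// node_modules/some-tool/node_modules/next are checked too: a stale nested copy is
// still what loads at runtime for whatever depends on it.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the "" entry is the project itself
    const name = path.slice(idx + 'node_modules/'.length);
    if (!(name in FIXED)) continue;
    findings.push({ name, path, version: meta.version, status: classify(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): a stale top-level next,
// a stale RSC runtime, and a patched nested next.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { next: '15.5.6', react: '19.2.0' } },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-tool/node_modules/next': { version: '16.0.7' },
  },
};

// Usage: node react2shell-lockcheck.js [path/to/package-lock.json]
// With no .json argument the constructed sample above is audited.
function loadLock(path) {
  return JSON.parse(require('node:fs').readFileSync(path, 'utf8'));
}
const arg = process.argv[2];
const lock = arg && arg.endsWith('.json') ? loadLock(arg) : SAMPLE_LOCK;
for (const f of auditLockfile(lock)) {
  console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
}
```

The check deliberately reads the lockfile rather than package.json: a caret range in package.json says nothing about which copy is on disk, and a second copy pinned by another dependency can sit under a nested node_modules directory long after the top-level one is updated. Lockfile version 1 (the old "dependencies" tree) is not handled here.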

UAT-10608 Leverages React2Shell for Widespread Compromise

The UAT-10608 group uses automated scanning to find vulnerable Next.js servers across the internet. When it identifies a target it sends the React2Shell exploit to gain initial access, then uses that foothold to download a malicious script onto the compromised server.

Once deployed, this script operates stealthily in the background, systematically searching the server’s file system, cloud configuration settings, and memory for valuable credentials. This multi-phase process extracts a comprehensive range of sensitive information, from cloud tokens to database passwords, which is then exfiltrated to the attackers’ command-and-control (C2) infrastructure.

To manage the substantial volume of stolen data, the threat actors utilize a custom web-based dashboard named “NEXUS Listener.” Cisco Talos researchers observed that within a mere 24-hour period, this dashboard recorded 766 compromised hosts, underscoring the campaign’s scale and efficiency.

The dashboard’s telemetry revealed the alarming scope of the data theft:

  • Over 90% of affected hosts had their database credentials compromised.
  • Nearly 80% lost their private SSH keys, critical for secure server access.
  • Attackers also successfully exfiltrated AWS cloud credentials, live Stripe payment keys, and GitHub access tokens.

The ramifications of these breaches are severe. Stolen database passwords grant attackers access to sensitive user information and financial records. Compromised SSH keys enable lateral movement within an organization’s network, allowing attackers to access other interconnected servers. Furthermore, stolen cloud credentials can lead to complete takeover of cloud environments, while hijacked GitHub tokens could be weaponized to inject malicious code into legitimate software supply chains.

What You Should Do

  • Patch Immediately: Organizations running Next.js must urgently update to a release that contains the React2Shell (CVE-2025-55182) fix. The fixed React Server Components packages (react-server-dom-webpack, -parcel and -turbopack) are 19.0.1, 19.1.2 and 19.2.1; the fixed Next.js releases are 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7. Verify against the lockfile rather than package.json, since a nested or pinned copy can keep an old version in use.
  • Rotate Credentials: If a vulnerable version was exposed to the internet, assume the host was compromised and rotate every secret it could reach: database passwords, API keys, SSH keys, cloud credentials (e.g. AWS), Stripe payment keys and GitHub access tokens. Rotate only after the host has been patched or rebuilt from a clean image; new secrets placed on a still-compromised server will be stolen just like the old ones.
  • Restrict Access: Require token-based (IMDSv2-style) access to the cloud instance metadata service, grant instance roles only the permissions the application needs, and keep long-lived cloud keys off application hosts, so that a web-tier RCE does not turn into a cloud account takeover.
  • Monitor for Anomalies: Watch for child processes spawned by the Node.js server process, unexpected outbound connections from web servers, and reads of credential files such as .env, ~/.ssh and ~/.aws. Any of these on an unpatched host points to ongoing compromise or data exfiltration.
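The rotation step is only as complete as your inventory of what was on the box. To scope it, here is an added example (not from the article or from the Talos report) that inventories the credential types the campaign was observed stealing. It scans text you hand it (a .env file, an AWS credentials file, an SSH private key) for the telltale formats of AWS access keys, live Stripe keys, GitHub tokens, private keys and database URLs with embedded passwords, redacts every match so the report is not itself a secret store, and emits a rotation checklist. The file paths, detector patterns, rotation actions and sample contents are assumptions and constructed data, not indicators from the campaign.

```javascript
// Added example: inventory credential types on a suspected-compromised host so the
// rotation list is complete. Not code from the article or from Cisco Talos.
// Detector patterns are the publicly documented key formats; they are a
// triage aid, not proof that a given secret was stolen.
const DETECTORS = [
  { kind: 'aws-access-key',     re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { kind: 'stripe-live-secret', re: /\b[sr]k_live_[0-9A-Za-z]{16,}\b/g },
  { kind: 'github-token',       re: /\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b/g },
  { kind: 'private-key',        re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/g },
  { kind: 'database-url',       re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s:@/]+:[^\s@/]+@[^\s]+/g },
];

// What to do for each kind once the host is clean (assumed guidance, not Talos advice).
const ACTIONS = {
  'aws-access-key':     'Deactivate the key in IAM, issue a replacement, then review CloudTrail for use of the old key.',
  'stripe-live-secret': 'Roll the key in the Stripe dashboard and audit recent API activity and payouts.',
  'github-token':       'Revoke the token, re-issue with the narrowest scopes, and review recent pushes and workflow runs.',
  'private-key':        'Generate a new key pair and remove the old public key from every authorized_keys it reached.',
  'database-url':       'Change the database password, restrict network access to the app hosts, and check the query logs.',
};

// Never echo whole secrets into the report: keep a short prefix and the length.
function redact(s) {
  return s.length <= 12 ? s : s.slice(0, 8) + '…[' + s.length + ' chars]';
}

// Scan one text blob, labelled by its source (a path or description), line by line.
function scanText(source, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { kind, re } of DETECTORS) {
      for (const m of line.matchAll(re)) {
        findings.push({ kind, source, line: i + 1, redacted: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Group findings by credential type so each line of the plan is one rotation task.
function rotationPlan(findings) {
  const byKind = {};
  for (const f of findings) {
    (byKind[f.kind] || (byKind[f.kind] = new Set())).add(f.source);
  }
  return Object.entries(byKind).map(([kind, sources]) => ({
    kind, sources: [...sources], action: ACTIONS[kind],
  }));
}

// Constructed sample inputs (fake values, including the AWS documentation example key).
const SAMPLES = {
  '.env': [
    'DATABASE_URL=postgres://app:s3cretpass@db.internal:5432/app',
    'STRIPE_SECRET_KEY=sk_live_0000000000000000000000000EXAMPLE',
    'GITHUB_TOKEN=ghp_012345678901234567890123456789012345',
    'NEXT_PUBLIC_API_URL=https://api.example.com',
  ].join('\n'),
  '~/.aws/credentials': [
    '[default]',
    'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',
    'aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  ].join('\n'),
  '~/.ssh/id_ed25519': '-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted)\n-----END OPENSSH PRIVATE KEY-----',
};

function scanAll(samples) {
  return Object.entries(samples).flatMap(([source, text]) => scanText(source, text));
}

for (const f of scanAll(SAMPLES)) {
  console.log(`${f.kind.padEnd(20)} ${f.source}:${f.line}  ${f.redacted}`);
}
for (const task of rotationPlan(scanAll(SAMPLES))) {
  console.log(`ROTATE ${task.kind} (${task.sources.join(', ')}): ${task.action}`);
}
```

Run it over copies of the host's files taken during forensic collection, not on the live compromised server, and treat every credential it lists as stolen rather than waiting for proof of exfiltration. Secrets that were only ever in process memory or in a hosting platform's environment settings will not appear in file scans and still need rotating.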

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emy covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emy's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

All Rights Reserved by HackersRadar ©2026
