A sophisticated, large-scale credential theft campaign is actively exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications. According to Cisco Talos researchers, threat actors are using automated scanning to identify vulnerable apps, deploying a multi-phase harvesting script to steal a wide array of sensitive data. The campaign, attributed to a threat cluster tracked as UAT-10608, has already compromised at least 766 hosts across multiple cloud providers and global regions. The operation's primary goal is the automated collection of database credentials, AWS keys, SSH private keys, API tokens, and environment secrets from breached systems.
The attack leverages a custom framework dubbed "NEXUS Listener" to manage the exfiltration process. After exploiting the React2Shell flaw, attackers place a script in the target's temporary directory. This script executes a credential-harvesting routine, systematically searching for and collecting sensitive information. The stolen data is then exfiltrated in chunks via HTTP requests over port 8080 to a command-and-control (C2) server running the NEXUS Listener. Researchers who gained access to an exposed instance of this listener were able to analyze the operation in detail, noting that it provides attackers with a comprehensive dashboard for searching and filtering the harvested data.
The React2Shell vulnerability (CVE-2025-55182) presents a critical remote code execution (RCE) risk for certain Next.js applications. It allows attackers to inject and execute arbitrary code on the server, providing the initial foothold for this automated campaign. The shift towards automated, large-scale exploitation of such application-level vulnerabilities signifies a concerning trend where attackers can rapidly scale operations to target thousands of potential victims with minimal manual intervention, focusing on the theft of cloud and infrastructure secrets that grant immediate access to valuable resources.
Organizations using Next.js are urged to patch their applications immediately and review systems for signs of compromise. Security teams should monitor for unexpected outbound connections on port 8080 and scrutinize processes running from temporary directories. Furthermore, given the campaign's focus on cloud credentials, enforcing the principle of least privilege for IAM roles, rotating API keys and secrets regularly, and using a robust secrets-management solution are critical defensive measures that limit the blast radius of such intrusions.
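The two hunting heuristics named above (processes whose image lives under a temporary directory, and outbound connections to port 8080) can be turned into a small triage script. The following is an added example written for this summary; it is not code from Cisco Talos or from the article. It assumes a constructed, simplified record format (pid, executable path, local and remote socket) rather than any particular tool's output, assumes /tmp, /var/tmp and /dev/shm as the temporary directories of interest, and treats RFC 1918, loopback and link-local ranges as internal. The sample records are invented; the public-looking addresses in them are documentation ranges.

```python
"""Triage process/connection records for the two indicators described above:
execution from a temporary directory and outbound traffic to port 8080.
Hypothetical helper; the record format is an assumption, not a real tool's output."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed temporary directories where a dropped script would be staged.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Port named in the article as the exfiltration channel.
SUSPECT_PORT = 8080
# Ranges treated as internal; anything else is considered an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed record format: <pid> <exe_path> <local_ip:port> -> <remote_ip:port>
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

# Constructed sample telemetry (not real data). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public addresses.
SAMPLE_RECORDS = """\
1203 /usr/bin/node 10.0.0.5:43122 -> 10.0.0.9:5432
1877 /tmp/.x/harvest.sh 10.0.0.5:51830 -> 203.0.113.10:8080
1902 /usr/bin/node 10.0.0.5:43125 -> 10.0.0.20:8080
2044 /var/tmp/update 10.0.0.5:51901 -> 198.51.100.7:443
2100 /usr/bin/curl 10.0.0.5:52001 -> 10.0.0.9:5432
"""


@dataclass
class Finding:
    pid: int
    exe: str
    remote: str
    port: int
    reasons: list


def parse_record(line):
    """Return (pid, exe, remote_ip, remote_port) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid, exe, _laddr, _lport, raddr, rport = m.groups()
    return int(pid), exe, raddr, int(rport)


def runs_from_temp(exe):
    """True when the process image is under one of the temporary directories."""
    return exe.startswith(TEMP_DIRS)


def is_external(addr):
    """True when the destination is outside the internal ranges (or is not an IP)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # hostnames are treated as external until resolved
    return not any(ip in net for net in INTERNAL_NETS)


def assess(records):
    """Apply both indicators to every record and return the matching findings."""
    findings = []
    for line in records.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        pid, exe, raddr, rport = parsed
        reasons = []
        if runs_from_temp(exe):
            reasons.append("process image under a temporary directory")
        if rport == SUSPECT_PORT:
            note = " (external destination)" if is_external(raddr) else ""
            reasons.append(f"outbound connection to port {SUSPECT_PORT}{note}")
        if reasons:
            findings.append(Finding(pid, exe, raddr, rport, reasons))
    return findings


def severity(finding):
    """Both indicators together, or 8080 traffic leaving the network, rank highest."""
    if len(finding.reasons) == 2:
        return "high"
    if finding.port == SUSPECT_PORT and is_external(finding.remote):
        return "high"
    return "medium"


if __name__ == "__main__":
    for f in assess(SAMPLE_RECORDS):
        print(f"[{severity(f)}] pid={f.pid} exe={f.exe} -> {f.remote}:{f.port}")
        for r in f.reasons:
            print(f"    - {r}")
```

Internal services on port 8080 are common, so the script only raises a single internal 8080 connection to medium; the combination of a temp-directory image and an 8080 connection, or 8080 traffic to an external address, is what warrants immediate investigation. In practice the record source would be the host's own socket and process inventory, and the internal ranges would be replaced with the organization's actual address plan.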