Ethical Hacking News
Hackers have exploited a recent vulnerability in React Server Components and the Next.js App Router to compromise more than 766 Next.js hosts across multiple geographic regions and cloud providers. The campaign highlights the importance of keeping software up to date, implementing robust security controls, and regularly auditing environments to enforce the principle of least privilege.
Hackers have exploited a critical vulnerability in React Server Components and the Next.js App Router, tracked as CVE-2025-55182, to compromise more than 766 Next.js hosts across multiple geographic regions and cloud providers. Cisco Talos attributes the activity to a threat cluster it tracks as UAT-10608.
The hackers have been using the React2Shell vulnerability as an initial infection vector to steal sensitive data from these compromised systems, including database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens. The attack is notable for its scale, with at least 766 hosts being compromised as part of the activity.
The attackers have been using automated scripts to extract and exfiltrate credentials from various applications, which are then posted to a command-and-control (C2) server. This C2 server features a web-based graphical user interface titled "NEXUS Listener" that allows the attacker to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.
The NEXUS Listener application contains a listing of several statistics, including the number of hosts compromised and the total number of each credential type successfully extracted from those hosts. The web application also allows a user to browse through all of the compromised hosts and lists the uptime of the application itself.
Cisco Talos, which attributes the campaign to the threat cluster UAT-10608, assesses that the attackers likely use services such as Shodan or Censys, or custom scanners, to identify publicly reachable Next.js deployments and probe them for the vulnerability.
The scale of the data-gathering operation is significant because it shows how attackers can weaponize access to compromised hosts to stage follow-on attacks. Organizations are advised to audit their environments immediately, enable secret scanning, avoid reusing SSH key pairs, enforce IMDSv2 on all AWS EC2 instances, and rotate credentials if compromise is suspected.
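An added example, not code from the article or from Cisco Talos, of the secret-scanning audit recommended above: it checks file contents for the credential types the campaign harvested (database URLs, SSH private keys, AWS access keys, Stripe and GitHub tokens), reports each hit with only a redacted fragment so the audit report does not itself leak secrets, and counts findings per type to build a rotation inventory. The patterns are simplified, well-known prefix formats and the sample inputs are constructed.

```python
import re
from typing import Dict, List, Tuple

# Added example, not code from the article or from Cisco Talos. Simplified
# patterns for the credential types the campaign harvested; real audits should
# use a maintained scanner (gitleaks, trufflehog, etc.) with a tuned rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b"),
    "stripe_secret_key": re.compile(r"\b[sr]k_(?:live|test)_[0-9A-Za-z]{10,}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "database_url": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:\s/]+:[^@\s]+@\S+"),
}
Finding = Tuple[str, str, int, str]  # (source, credential type, line number, redacted match)

def redact(value: str) -> str:
    """Keep only the first and last four characters so the report does not leak the secret."""
    return "*" * len(value) if len(value) <= 8 else f"{value[:4]}...{value[-4:]}"

def scan_text(text: str, source: str) -> List[Finding]:
    """Scan one file's contents line by line and return redacted findings."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((source, name, lineno, redact(match.group(0))))
    return findings

def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents (e.g. .env files, shell history, ~/.ssh keys)."""
    return [f for path, text in sources.items() for f in scan_text(text, path)]

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per credential type: the inventory a defender rotates from."""
    counts: Dict[str, int] = {}
    for _, name, _, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample inputs; every value below is fake.
SAMPLE_SOURCES = {
    ".env": (
        "DATABASE_URL=postgres://app:s3cr3t-pass@db.internal:5432/prod\n"
        "STRIPE_SECRET_KEY=sk_live_abcdefghijklmnopqrstuvwx\n"
        "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n"
        "GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789\n"
    ),
    "id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n-----END OPENSSH PRIVATE KEY-----\n",
}
```

Run `summarize(scan_sources(...))` over the real contents of a host's .env files, shell history and key directories to get the per-type count of credentials that must be rotated.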
The campaign also shows the value of such an aggregated dataset for crafting targeted follow-on attacks or social engineering campaigns. The researchers note that this intelligence is highly valuable to threat actors because it provides a detailed map of each victim organization's infrastructure: which services it runs, how they are configured, which cloud providers it uses, and which third-party integrations are in place.
In conclusion, this attack serves as a reminder of the importance of prioritizing cybersecurity and maintaining robust security measures to protect sensitive data. By staying informed about emerging vulnerabilities and taking proactive steps to secure systems, organizations can minimize their risk of being targeted by such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Exploit-Critical-React2Shell-Vulnerability-to-Steal-Sensitive-Data-from-766-Nextjs-Hosts-ehn.shtml
https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html
https://blog.netmanageit.com/hackers-exploit-cve-2025-55182-to-breach-766-next-js-hosts-steal-credentials/
https://cybersecuritynews.com/china-nexus-hackers-exploiting-react2shell-flaw/
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://www.cvedetails.com/cve/CVE-2025-55182/
Published: Thu Apr 2 17:10:37 2026 by llama3.2 3B Q4_K_M