Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

Summary

A threat cluster tracked as UAT-10608 has exploited CVE-2025-55182, a critical remote code execution vulnerability in React Server Components and Next.js App Router (CVSS 10.0), to compromise at least 766 Next.js hosts globally. Post-compromise, the attackers deploy automated scripts and a web-based framework called NEXUS Listener (v3) to harvest and exfiltrate sensitive data including database credentials, SSH keys, AWS secrets, API keys from Stripe and OpenAI, and GitHub tokens. The campaign uses indiscriminate scanning (likely Shodan/Censys) to identify vulnerable deployments and represents a significant risk for follow-on attacks and credential reuse across victim organizations.

Full text

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials Ravie LakshmananApr 02, 2026Vulnerability / Threat Intelligence A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale. Cisco Talos has attributed the operation to a threat cluster it tracks as UAT-10608. At least 766 hosts spanning multiple geographic regions and cloud providers have been compromised as part of the activity. "Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, that are then posted to its command-and-control (C2)," security researchers Asheer Malhotra and Brandon White said in a report shared with The Hacker News ahead of publication. "The C2 hosts a web-based graphical user interface (GUI) titled 'NEXUS Listener' that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised." The campaign is assessed to be targeting Next.js applications that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and Next.js App Router that could result in remote code execution, for initial access, and then dropping the NEXUS Listener collection framework. This is accomplished by means of a dropper that proceeds to deploy a multi-phase harvesting script that collects various details from the compromised system - Environment variables JSON-parsed environment from JS runtime SSH private keys and authorized_keys Shell command history Kubernetes service account tokens Docker container configurations (running containers, their images, exposed ports, network configurations, mount points, and environment variables) API keys IAM role-associated temporary credentials by querying the Instance Metadata Service for AWS, Google Cloud, and Microsoft Azure Running processes The cybersecurity company said the breadth of the victim set and the indiscriminate targeting pattern align with automated scanning, likely leveraging services like Shodan, Censys, or custom scanners, to identify publicly reachable Next.js deployments and probe them for the vulnerability. Central to the framework is a password-protected web application that makes all the stolen data available to the operator via a graphical user interface that features search capabilities to sift through the information. "The application contains a listing of several statistics, including the number of hosts compromised and the total number of each credential type that were successfully extracted from those hosts," Talos said. "The web application allows a user to browse through all of the compromised hosts. It also lists the uptime of the application itself." The current version of NEXUS Listener is V3, indicating that the tool has undergone substantial development iterations before reaching the current stage. Talos, which was able to obtain data from an unauthenticated NEXUS Listener instance, said it contained API keys associated with Stripe, artificial intelligence platforms (OpenAI, Anthropic, and NVIDIA NIM), communication services (SendGrid and Brevo), along with Telegram bot tokens, webhook secrets, GitHub and GitLab tokens, database connection strings, and other application secrets. The extensive data gathering operation highlights how bad actors could weaponize access to compromised hosts to stage follow-on attacks. Organizations are advised to audit their environments to enforce the principle of least privilege, enable secret scanning, avoid reusing SSH key pairs, implement IMDSv2 enforcement on all AWS EC2 instances, and rotate credentials if compromise is suspected. "Beyond the immediate operational value of individual credentials, the aggregate dataset represents a detailed map of the victim organizations' infrastructure: what services they run, how they're configured, what cloud providers they use, and what third-party integrations are in place," the researchers said. "This intelligence has significant value for crafting targeted follow-on attacks, social engineering campaigns, or selling access to other threat actors." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Amazon Web Services, Cisco Talos, Cloud security, cybersecurity, data breach, remote code execution, Threat Intelligence, Vulnerability Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• cve — CVE-2025-55182
• malware — NEXUS Listener
• malware — React2Shell

Entities