Massive Credential Theft: Hackers Exploit Next.js React2Shell Vulnerability
In a swift and alarming cyberattack campaign, hackers have exploited a critical vulnerability known as React2Shell, targeting web applications built on the widely used Next.js framework. Within a mere 24-hour period, attackers compromised 766 servers, exfiltrating vast amounts of sensitive data, including passwords, cloud keys, and database credentials.
Understanding the React2Shell Vulnerability
At the heart of this attack is CVE-2025-55182, commonly referred to as React2Shell. This vulnerability has been assigned the highest severity score of 10.0 on the Common Vulnerability Scoring System (CVSS) scale, underscoring its critical nature. The flaw resides within the React Server Components (RSC) Flight protocol, specifically in how a React server processes HTTP requests to Server Function endpoints. A single crafted HTTP request can enable an attacker to execute arbitrary code on the server without requiring authentication. Given the significant downstream exposure, Next.js has been assigned a separate tracking number, CVE-2025-66478.
The Scope of the Attack
Cisco Talos researchers have identified this automated operation and are tracking it under the threat cluster UAT-10608. The campaign is both systematic and indiscriminate, with attackers utilizing scanning services like Shodan and Censys to identify publicly accessible Next.js deployments running vulnerable versions of React Server Components. Once a target is identified, the attack proceeds autonomously, requiring no manual intervention after the initial exploit is executed.
The scale of the damage is substantial. Across multiple geographic regions and cloud providers, including AWS, Google Cloud, and Microsoft Azure, at least 766 hosts were confirmed breached within a single 24-hour window. The stolen data encompasses a wide range of sensitive information, such as database connection strings, SSH private keys, cloud access tokens, GitHub tokens, Stripe live secret keys, Kubernetes service account credentials, environment variables, and shell command histories. In total, more than 10,120 files were exfiltrated from the compromised systems.
Potential for Supply Chain Attacks
The implications of this campaign extend beyond immediate account takeovers. Several breached hosts contained package registry authentication files, including npm and pip configuration files that stored registry credentials. If attackers leverage these tokens to push malicious versions of trusted software packages, the impact could cascade to any organization that installs these compromised packages, posing a significant supply chain threat.
The NEXUS Listener: Command and Control at Scale
To manage the influx of stolen information from hundreds of servers, the attackers deployed a custom command-and-control framework known as NEXUS Listener. This web-based platform, currently at version 3, provides operators with a graphical dashboard to browse compromised hosts, categorize stolen credentials, review harvesting statistics, and monitor the success rate of credential extraction in each attack phase.
The attack sequence initiates when a vulnerable endpoint is identified, and a malicious HTTP request is sent to the RSC Server Function endpoint. The server deserializes the crafted payload and executes arbitrary code, deploying a lightweight shell script into a temporary directory under a randomized file name to evade detection. This dropper then retrieves a multi-phase credential harvesting script from the attacker’s infrastructure. Each phase collects different types of data, from SSH keys and cloud tokens to database passwords, and reports back to the NEXUS Listener command-and-control server on port 8080, including the number of credentials successfully extracted.
Mitigation and Recommendations
Given the severity and active exploitation of the React2Shell vulnerability, immediate action is imperative for organizations using React Server Components and Next.js. The following steps are strongly recommended:
1. Update Frameworks and Libraries: Ensure that all React and Next.js applications are updated to the latest patched versions that address the React2Shell vulnerability.
2. Implement Web Application Firewalls (WAF): Deploy WAF solutions to detect and block malicious HTTP requests attempting to exploit known vulnerabilities.
3. Conduct Security Audits: Regularly perform comprehensive security audits to identify and remediate potential vulnerabilities within your applications and infrastructure.
4. Monitor for Unusual Activity: Establish continuous monitoring mechanisms to detect anomalous behavior indicative of a compromise, such as unexpected outbound traffic or unauthorized access attempts.
5. Educate Development Teams: Provide ongoing security training for development teams to ensure they are aware of best practices and emerging threats related to the technologies they use.
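As an added example (not code from the article or from Cisco Talos), the following Python turns the attack sequence described above into the kind of monitoring rule step 4 calls for: it correlates constructed endpoint telemetry into the node-spawned shell, temp-directory dropper write and outbound TCP/8080 connection chain. The host names, PIDs, addresses, event format and temp-directory list are assumptions.

```python
"""Constructed detection example (not from the Talos report): correlate
endpoint events into the node -> shell -> temp dropper -> TCP/8080 chain."""
import json

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumed staging dirs
C2_PORT = 8080                                   # port named in the article
SHELLS = {"sh", "bash", "dash"}

# Constructed telemetry, one JSON event per line (EDR/auditd style).
# web-01 reproduces the chain; web-02 is a benign node worker.
SAMPLE_EVENTS = """
{"host":"web-01","type":"exec","pid":4100,"ppid":4000,"comm":"sh","pcomm":"node"}
{"host":"web-01","type":"file_write","pid":4100,"path":"/tmp/.x8f2kq"}
{"host":"web-01","type":"exec","pid":4105,"ppid":4100,"comm":"sh","pcomm":"sh"}
{"host":"web-01","type":"net_connect","pid":4105,"dst":"203.0.113.10","dport":8080}
{"host":"web-02","type":"exec","pid":5100,"ppid":5000,"comm":"sh","pcomm":"node"}
{"host":"web-02","type":"file_write","pid":5100,"path":"/app/.next/cache/a.json"}
{"host":"web-02","type":"net_connect","pid":5100,"dst":"198.51.100.7","dport":443}
""".strip()

def detect_chain(lines):
    """Return one alert per host where a node-spawned shell tree wrote into
    a temp directory and a process in that tree then connected to C2_PORT."""
    roots = {}      # (host, pid) -> pid of the node-spawned root shell
    staged = set()  # (host, root_pid) that wrote into a temp directory
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev["host"], ev["pid"])
        if ev["type"] == "exec":
            if ev.get("pcomm") == "node" and ev["comm"] in SHELLS:
                roots[key] = ev["pid"]                 # new suspicious root
            elif (ev["host"], ev["ppid"]) in roots:
                roots[key] = roots[(ev["host"], ev["ppid"])]  # descendant
        elif ev["type"] == "file_write" and key in roots:
            if ev["path"].startswith(TEMP_DIRS):
                staged.add((ev["host"], roots[key]))
        elif ev["type"] == "net_connect" and key in roots:
            root = roots[key]
            if ev["dport"] == C2_PORT and (ev["host"], root) in staged:
                alerts.append({"host": ev["host"], "root_pid": root,
                               "dst": ev["dst"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS.splitlines()):
        print("ALERT", alert)
```

Only web-01 fires, because web-02's shell neither stages a file in a temp directory nor talks to port 8080; in production the port and directory lists would be tuned to the environment rather than hard-coded.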
By proactively addressing these areas, organizations can significantly reduce the risk posed by the React2Shell vulnerability and enhance their overall security posture.