Hackers Use CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

Large-scale credential harvesting activity has been observed using the React2Shell vulnerability as the primary infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.
Cisco Talos attributed the operation to a threat actor it tracks as UAT-10608. At least 766 hosts spanning multiple geographies and cloud providers were compromised as part of the campaign.
“Post-compromise, UAT-10608 uses automated scripts to extract credentials from a variety of applications, which are then sent to its command-and-control (C2),” security researchers Asheer Malhotra and Brandon White said in a report shared with Hacker News before publication.
“C2 hosts a web-based graphical user interface (GUI) titled ‘NEXUS Listener’ that can be used to view stolen information and obtain analytical information using pre-collected statistics about harvested credentials and vulnerable hosts.”
The campaign has been observed targeting Next.js applications vulnerable to CVE-2025-55182 (CVSS score: 10.0), a critical flaw in React Server Components and the Next.js App Router that can lead to remote code execution, to gain initial access and deploy the NEXUS Listener framework.
This is accomplished using a dropper that then launches a multi-stage harvesting script that collects the following from the compromised system:
- Environment variables
- Parsed JSON objects from the JavaScript runtime
- SSH private keys and authorized_keys files
- Shell command history
- Kubernetes service account tokens
- Docker container configuration (running containers, their images, exposed ports, network configuration, mount points, and environment variables)
- API keys
- Temporary credentials for the attached IAM role, obtained by querying the Instance Metadata Service on AWS, Google Cloud, and Microsoft Azure
- Running processes
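The collection list above is also a detection opportunity: on a Next.js host, the server's node process has no business spawning children that read SSH keys, shell history, service account tokens and the metadata endpoint in quick succession. The following is an added example, not Talos's code and not the attacker's tooling. It replays constructed process-execution events (the shape an EDR or an auditd execve rule would emit; the field names are an assumption) and alerts when a node process's descendants hit several of the report's collection categories inside a short window. The regexes are illustrative, not indicators published by Talos.

```python
"""Flag the post-exploitation harvesting pattern described in the report.

Added example (not Talos's code, not UAT-10608 tooling). Event fields
(ts, pid, ppid, comm, cmdline) and the category regexes are assumptions;
tune them to your own telemetry.
"""
import json
import re
from collections import defaultdict

# One category per collection target named in the report, keyed to a regex
# over the child command line. Illustrative patterns, not published IOCs.
COLLECTION_PATTERNS = {
    "env_vars": re.compile(r"\b(env|printenv)\b|/proc/\d+/environ"),  # also catches 'cat .env'
    "ssh_keys": re.compile(r"\.ssh/(id_[a-z0-9]+|authorized_keys)"),
    "shell_history": re.compile(r"\.(bash|zsh|sh)_history"),
    "k8s_token": re.compile(r"/var/run/secrets/kubernetes\.io/serviceaccount"),
    "docker_config": re.compile(r"\bdocker\s+(ps|inspect)\b|/var/run/docker\.sock"),
    "imds": re.compile(r"169\.254\.169\.254|metadata\.google\.internal"),
    "process_list": re.compile(r"\bps\s+(aux|-ef)\b"),
}

# Constructed sample telemetry (JSON lines). PID 200 is a benign build step;
# PID 100 is a Next.js server whose children behave like the harvester.
SAMPLE_EVENTS = """
{"ts": 1000, "pid": 100, "ppid": 1,   "comm": "node", "cmdline": "node server.js"}
{"ts": 1001, "pid": 200, "ppid": 1,   "comm": "node", "cmdline": "node /app/node_modules/.bin/next build"}
{"ts": 1002, "pid": 201, "ppid": 200, "comm": "sh",   "cmdline": "sh -c npx tsc --noEmit"}
{"ts": 1050, "pid": 101, "ppid": 100, "comm": "sh",   "cmdline": "sh -c curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/"}
{"ts": 1051, "pid": 102, "ppid": 100, "comm": "sh",   "cmdline": "sh -c cat /root/.ssh/id_rsa /root/.ssh/authorized_keys"}
{"ts": 1052, "pid": 103, "ppid": 100, "comm": "sh",   "cmdline": "sh -c cat /root/.bash_history"}
{"ts": 1053, "pid": 104, "ppid": 100, "comm": "sh",   "cmdline": "sh -c cat /var/run/secrets/kubernetes.io/serviceaccount/token"}
{"ts": 1054, "pid": 105, "ppid": 100, "comm": "sh",   "cmdline": "sh -c env; ps aux"}
"""


def detect_harvesting(events_jsonl, window_seconds=120, min_categories=3):
    """Return {node_pid: [categories]} for every node process whose descendants
    hit at least min_categories distinct collection categories within the window."""
    events = [json.loads(line) for line in events_jsonl.strip().splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}

    def node_ancestor(event):
        # Walk ppid links until we reach a node process or fall off the tree.
        seen = set()
        cur = event
        while cur is not None and cur["pid"] not in seen:
            seen.add(cur["pid"])
            if cur["comm"] == "node":
                return cur["pid"]
            cur = by_pid.get(cur["ppid"])
        return None

    hits = defaultdict(list)  # node pid -> [(ts, category), ...]
    for event in events:
        if event["comm"] == "node":
            continue  # classify only the shells/tools the server spawns
        root = node_ancestor(event)
        if root is None:
            continue
        for category, pattern in COLLECTION_PATTERNS.items():
            if pattern.search(event["cmdline"]):
                hits[root].append((event["ts"], category))

    alerts = {}
    for root, seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            # Distinct categories touched in the window opening at this event.
            cats = {c for t, c in seq[i:] if t - start <= window_seconds}
            if len(cats) >= min_categories:
                alerts[root] = sorted(cats)
                break
    return alerts


if __name__ == "__main__":
    for pid, cats in detect_harvesting(SAMPLE_EVENTS).items():
        print(f"ALERT node pid {pid}: children touched {', '.join(cats)}")
```

The threshold of three distinct categories is what separates this from a single operator typing `ps aux`; the benign build process (PID 200) never alerts because its child touches none of the categories, while the server (PID 100) trips six in four seconds.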
The cybersecurity firm said the breadth of the victim set and the indiscriminate targeting pattern are consistent with automated scanning, using publicly available tools such as Shodan, Censys, or custom scanners, to identify publicly accessible Next.js deployments and probe them for the vulnerability.
Central to the framework is a password-protected web application that exposes all stolen data to the operator through a user interface with search capabilities to filter the information.
“The application contains a list of several statistics, including the number of vulnerable hosts and the total number of each type of authentication successfully issued to those hosts,” Talos said. “The web application allows the user to browse all the vulnerable hosts. It also lists the last time of the application itself.”
The current version of NEXUS Listener is V3, indicating that the tool has gone through several iterations before reaching its present form.
Talos, which was able to obtain data from a NEXUS Listener instance it could access, said it contained API keys associated with Stripe, artificial intelligence platforms (OpenAI, Anthropic, and NVIDIA NIM), and communication services (SendGrid and Brevo), as well as Telegram bot tokens, webhook secrets, GitLab application tokens, and database connection strings.
The extensive data collection highlights how threat actors can leverage access to vulnerable hosts to stage follow-on attacks. Organizations are advised to audit their environments, enforce least privilege, enable secret scanning, avoid reusing SSH key pairs across hosts, require IMDSv2 on all AWS EC2 instances (an attacker who already has code execution on the instance can still request an IMDSv2 session token, so this chiefly blunts SSRF-based and cross-container access to the metadata service), and rotate credentials if a compromise is suspected.
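Rotating "credentials" after a compromise is only actionable once you know which ones sat in the files the harvester reads. As an added example (not Talos's tooling and not the attacker's script), the scanner below runs prefix-based patterns for the credential types named in the report over constructed copies of the usual targets (a `.env` file, shell history, an SSH key) and returns redacted findings grouped by type, so the rotation list can be scoped. The patterns are illustrative assumptions; a 40-character AWS secret access key is deliberately not matched on its own because that pattern is far too noisy, and its presence is inferred from the adjacent access key ID.

```python
"""Scope credential rotation after a harvesting incident.

Added example, not code from the report. Scans the files the harvester
targets for the credential types Talos lists, returning redacted findings.
Regexes are illustrative assumptions about each provider's key format.
"""
import re

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "sendgrid_key": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "database_url": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s'\"]+"),
}

# Constructed sample content. Every value is fabricated: the AWS key is the
# documented AWS placeholder, the others are made up to the right prefix/length.
SAMPLE_FILES = {
    "/app/.env": (
        "DATABASE_URL=postgres://app:Sup3rS3cret@db.internal:5432/prod\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "STRIPE_SECRET_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dc\n"
        "TELEGRAM_BOT_TOKEN=123456789:AAEqZ2xYtk9Wn4Pq0L7vB1sR8cD3fG5hJ6k\n"
        "NEXT_PUBLIC_API_BASE=https://api.example.com\n"
    ),
    "/root/.bash_history": (
        "cat .env\n"
        'curl -H "Authorization: token ghp_0123456789abcdefghijABCDEFGHIJ012345" https://api.github.com/user\n'
        "psql postgres://app:Sup3rS3cret@db.internal:5432/prod -c 'select 1'\n"
    ),
    "/root/.ssh/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}


def redact(value):
    """Keep enough of a secret to identify it in a ticket, not enough to use it."""
    if len(value) <= 12:
        return "***"
    return f"{value[:6]}...{value[-4:]}"


def scan_for_secrets(files):
    """files: {path: content}. Returns one finding per match, values redacted."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append({
                        "file": path,
                        "line": lineno,
                        "type": kind,
                        "redacted": redact(match.group(0)),
                    })
    return findings


def summarize(findings):
    """Count findings per credential type: the rotation checklist."""
    counts = {}
    for finding in findings:
        counts[finding["type"]] = counts.get(finding["type"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_for_secrets(SAMPLE_FILES)
    for f in results:
        print(f"{f['file']}:{f['line']} {f['type']} {f['redacted']}")
    print("rotate:", summarize(results))
```

Note that the same database URL turns up twice, once in `.env` and once in shell history: the harvester collects both, so a rotation that only consults the configuration file misses nothing here, but the history line is exactly the kind of duplicate that tells an operator which credentials were actually used from that host.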
“Besides the immediate operational value of individual data, the combined data set represents a detailed map of the infrastructure of the victim organizations: what services are running on them, how they are configured, which cloud providers they use, and what third-party integrations are in place,” the researchers said.
“This intelligence has significant value for building targeted attacks, social engineering campaigns, or selling access to other threat actors.”