Close Menu
Cybercrime and Ransomware

Hackers Exploit Next.js React2Shell Flaw to Steal Credentials from 766 Hosts in 24 Hours

Staff WriterBy No Comments4 Mins Read1 Views

Fast Facts

  1. A fast-spreading cyberattack exploits the critical React2Shell flaw (CVE-2025-55182) in Next.js, breaching 766 servers in 24 hours and stealing sensitive data like passwords and cloud keys.
  2. The attack operates automatically using a command-and-control framework called NEXUS Listener, enabling hackers to harvest and organize credentials remotely without manual intervention.
  3. The vulnerability allows code execution through a crafted HTTP request, targeting React Server Components, with downstream effects including potential supply chain risks from compromised package registry credentials.
  4. Urgent mitigation steps include applying security patches, rotating secrets, auditing systems, and monitoring network traffic to prevent or detect ongoing breaches.

The Core Issue

A highly dangerous cyberattack campaign is currently exploiting a critical security flaw called React2Shell, severely affecting web applications across the internet. Within just 24 hours, hackers managed to break into 766 servers built on the popular Next.js framework, stealing vast amounts of sensitive data such as passwords, cloud keys, and database credentials. This attack centers on a vulnerability known as CVE-2025-55182, which affects the React Server Components (RSC) Flight protocol. Because this flaw allows attackers to execute code on servers without needing authentication through a single malicious HTTP request, it created a wide-scale, automated operation. Cisco Talos researchers linked this activity to the threat group UAT-10608, which systematically scans for vulnerable Next.js deployments using services like Shodan or Censys. After identifying targets, the attackers deploy malicious scripts that harvest and transmit sensitive data through a custom control platform called NEXUS Listener, enabling them to manage the stolen information at scale. The widespread damage, affected cloud providers, and the potential for exploitation of saved secrets—such as package registry credentials—make this an urgent security concern. Experts recommend immediate patching of affected systems, rotating all exposed secrets, and enhancing monitoring of network traffic to prevent further breaches.

Risks Involved

The recent hacking incident exploiting the Next.js React2Shell flaw highlights a critical risk that any business faces today. If cybercriminals target this vulnerability, they can swiftly gain access to your systems, stealing sensitive credentials from hundreds of hosts within hours. This breach can lead to data theft, financial loss, and damage to your reputation—all of which threaten your operational stability. Moreover, once compromised, your business might experience costly downtime, customer mistrust, and legal repercussions. Therefore, understanding and addressing such vulnerabilities is essential; neglecting them could result in rapid and extensive harm to your organization’s security and trustworthiness.

Possible Actions

Addressing vulnerabilities swiftly is essential to prevent widespread damage and protect sensitive data. Rapid remediation minimizes attack windows and reduces potential harm within the network. Without timely action, compromised systems can serve as launching pads for further breaches, leading to extensive operational and reputational impacts.

Mitigation Strategies

Identify:

  • Conduct quick asset discovery to locate affected systems.
  • Gather details about the specific Next.js React2Shell flaw.

Protect:

  • Apply the latest security patches and updates immediately.
  • Enable Web Application Firewall (WAF) rules specifically blocking exploit vectors.
  • Limit exposure by restricting access to administrative interfaces.

Detect:

  • Monitor logs for unusual activity indicative of exploitation.
  • Use intrusion detection systems (IDS) to identify malicious traffic.

Respond:

  • Isolate compromised hosts to prevent lateral movement.
  • Inform stakeholders and coordinate incident response protocols.
  • Document actions taken for future analysis.

Recover:

  • Restore affected systems from cleaned backups.
  • Validate system integrity before returning to production.
  • Review security controls and improve defenses to prevent recurrence.

Advance Your Cyber Knowledge

Stay informed on the latest Threat Intelligence and Cyberattacks.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1cyberattack-v1-multisource

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.