A large-scale credential harvesting campaign, attributed by Cisco Talos to the threat cluster it tracks as UAT-10608, exploits the React2Shell vulnerability in Next.js (CVE-2025-55182) to achieve remote code execution and deploy the NEXUS Listener framework, which steals database credentials, SSH keys, cloud IAM tokens, API keys, and other secrets. At least 766 hosts across multiple regions and cloud providers were compromised, with automated scanning used for target discovery. Organizations are urged to enforce least privilege, enable secret scanning, require IMDSv2, avoid SSH key reuse, and rotate credentials if compromise is suspected. #React2Shell #UAT-10608 #NEXUSListener #Nextjs #CVE-2025-55182
Key points
- UAT-10608 exploited CVE-2025-55182 in Next.js React Server Components to gain initial remote code execution.
- The campaign deployed a multi-phase dropper that harvested environment variables, SSH keys, shell history, Kubernetes tokens, Docker configurations, API keys, and cloud IMDS credentials.
- Stolen secrets were aggregated and searchable in a password-protected web GUI called NEXUS Listener, which provides analytics and host statistics.
- Cisco Talos observed at least 766 compromised hosts and signs of automated discovery using services like Shodan or Censys.
- Defensive recommendations include enforcing least privilege, enabling secret scanning, implementing IMDSv2 on EC2, avoiding SSH key reuse, and rotating suspected credentials.
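The IMDSv2 recommendation above is the one that most directly cuts off the cloud IMDS credential theft this dropper performs. The following is an added example, not code from the article or from Cisco Talos: a Python audit that walks the reservation structure returned by boto3's ec2.describe_instances() and flags instances that still answer IMDSv1 requests, then builds the keyword arguments for ec2.modify_instance_metadata_options() to enforce the token. It also checks the HttpPutResponseHopLimit (an addition beyond the article, since a hop limit above 1 lets containers on the host reach the metadata service); the sample reservation data is constructed for illustration, and the instance IDs are placeholders.

```python
"""Audit EC2 instances for IMDSv2 enforcement and build the remediation call.

Added example, not from the article or from Cisco Talos. It assumes the
response shape of boto3's ec2.describe_instances() and the parameter names
of ec2.modify_instance_metadata_options(); the reservation data below is
constructed, and the instance IDs are placeholders.
"""
from __future__ import annotations

from typing import Iterable

# Constructed sample in the shape of describe_instances()["Reservations"].
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0example0001",   # IMDSv1 allowed and reachable from containers
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0example0002",   # compliant
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example0003",   # IMDS disabled entirely: nothing to steal
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example0004",   # token required, but hop limit too high
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 3}},
    ]},
]


def imds_findings(reservations: Iterable[dict], max_hop_limit: int = 1) -> dict[str, list[str]]:
    """Return {instance_id: [reasons]} for instances whose metadata settings
    let a process on the host fetch IAM credentials without an IMDSv2 token,
    or let a container reach the endpoint through extra network hops."""
    findings: dict[str, list[str]] = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata endpoint, so no credential path to audit
            reasons = []
            if opts.get("HttpTokens") != "required":
                reasons.append("IMDSv1 allowed (HttpTokens is not 'required')")
            hop_limit = opts.get("HttpPutResponseHopLimit", 1)
            if hop_limit > max_hop_limit:
                reasons.append(f"HttpPutResponseHopLimit is {hop_limit} (> {max_hop_limit})")
            if reasons:
                findings[inst["InstanceId"]] = reasons
    return findings


def remediation_params(instance_id: str, hop_limit: int = 1) -> dict:
    """Keyword arguments for ec2.modify_instance_metadata_options() that
    require the IMDSv2 session token and cap the PUT response hop limit."""
    return {
        "InstanceId": instance_id,
        "HttpTokens": "required",
        "HttpEndpoint": "enabled",
        "HttpPutResponseHopLimit": hop_limit,
    }


if __name__ == "__main__":
    # Live use (needs boto3 and credentials with ec2:DescribeInstances and
    # ec2:ModifyInstanceMetadataOptions); paginate for accounts with many hosts:
    #   import boto3
    #   ec2 = boto3.client("ec2")
    #   pages = ec2.get_paginator("describe_instances").paginate()
    #   reservations = [r for page in pages for r in page["Reservations"]]
    #   for iid in imds_findings(reservations):
    #       ec2.modify_instance_metadata_options(**remediation_params(iid))
    for iid, reasons in imds_findings(SAMPLE_RESERVATIONS).items():
        print(f"{iid}: {'; '.join(reasons)}")
        print("  fix:", remediation_params(iid))
```

Requiring the token means the single unauthenticated GET that credential stealers issue against the metadata endpoint fails; the instance's own SDKs negotiate the PUT/token exchange automatically, so enforcing it is normally transparent to workloads. Run the audit read-only first and apply the remediation per instance once you have confirmed nothing on it depends on IMDSv1.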
Read More: https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html