Hackers are using automated scans to exploit React2Shell (CVE-2025-55182) in vulnerable Next.js apps to run a large-scale credential-harvesting campaign that has compromised at least 766 hosts, stealing environment secrets, SSH keys, API keys, cloud tokens, and database credentials. Cisco Talos links the operation to the UAT-10608 cluster and warns defenders to patch React2Shell, rotate credentials, enable AWS IMDSv2, and deploy WAF/RASP and secret scanning to limit impact. #React2Shell #NEXUSListener
Key points
- The campaign exploits React2Shell (CVE-2025-55182) in Next.js applications to achieve remote code execution.
- At least 766 cloud-hosted systems were compromised to collect environment variables, SSH keys, API keys, and cloud credentials.
- Attackers used an automated framework called NEXUS Listener to exfiltrate secrets in chunks over HTTP to a C2 server.
- Cisco Talos attributes the activity to threat cluster UAT-10608 after analyzing an exposed NEXUS Listener instance.
- Defensive actions include applying the React2Shell patch, rotating credentials, enforcing IMDSv2, enabling secret scanning, and deploying WAF/RASP and least-privilege controls.
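As an added example (not from the Talos report or this page), a small audit helper for the IMDSv2 recommendation: it reads the JSON shape returned by `aws ec2 describe-instances`, flags instances that still answer IMDSv1 requests, and builds the enforcement command for each. The sample response and instance ids are constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output,
# reduced to the fields the audit needs. Instance ids are made up.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0bbb222",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
            {"InstanceId": "i-0ccc333",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
        ]}
    ]
})


def find_imdsv1_instances(describe_output: str) -> list[str]:
    """Return ids of instances that still serve IMDSv1 (token-less) requests.

    IMDSv1 is reachable when the metadata endpoint is enabled and session
    tokens are only optional. A disabled endpoint exposes nothing, and
    'required' forces the IMDSv2 PUT-then-GET token handshake, which raises
    the bar for code on a compromised host that tries to grab role credentials.
    """
    data = json.loads(describe_output)
    exposed = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def enforcement_command(instance_id: str, region: str = "us-east-1") -> str:
    """Build the AWS CLI call that switches one instance to IMDSv2-only."""
    return (
        f"aws ec2 modify-instance-metadata-options --region {region} "
        f"--instance-id {instance_id} --http-tokens required --http-endpoint enabled"
    )


if __name__ == "__main__":
    for iid in find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES):
        print(enforcement_command(iid))
```

Run the real audit by piping `aws ec2 describe-instances --output json` into `find_imdsv1_instances`; review the emitted commands before executing them, since workloads that still depend on IMDSv1 will lose metadata access.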