Automated Credential Harvesting Campaign Exploits React2Shell Flaw

Summary

Researchers at Cisco Talos have uncovered a global, cross-industry campaign (tracked as UAT-10608) that exploits the React2Shell vulnerability (CVE-2025-55182) in public-facing Next.js/React Server Component deployments. Attackers use an automated scanner to find vulnerable endpoints, trigger pre-authentication remote code execution, and then install an automated credential-harvesting framework called “NEXUS Listener.”

NEXUS Listener acts as both a command-and-control platform and an analytics dashboard: it collects credentials, SSH keys, cloud tokens and environment secrets at scale and presents them in a searchable GUI, making stolen secrets far more operationally useful. Cisco reports at least 766 compromised hosts across multiple regions and cloud providers at the time of their write-up.

Key Points

  • The campaign targets Next.js apps vulnerable to React2Shell (CVE-2025-55182), exploiting server-side deserialisation to gain RCE.
  • Attackers use automated scanning (likely Shodan/Censys or custom scanners) to enumerate public Next.js deployments and probe for the flaw.
  • After exploitation, the NEXUS Listener framework automatically harvests and indexes credentials, SSH keys, cloud tokens and environment secrets.
  • NEXUS provides a GUI with search and analytics, turning harvested secrets into a structured intelligence dataset for follow-on attacks or resale.
  • Cisco Talos observed at least 766 affected hosts spanning multiple geographies and cloud environments.
  • Defensive actions include patching CVE-2025-55182, rotating exposed credentials, enforcing least-privilege, restricting cloud metadata access and implementing secrets scanning and anomaly monitoring.
  • Indicators to hunt for: unexpected processes executing from /tmp under random dot-prefixed (hidden) file names, unexplained nohup usage, unusual outbound HTTP/S from app containers, and __NEXT_DATA__ blobs in rendered HTML that contain server-side secrets.
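The indicators in the last bullet can be checked mechanically. The script below is an added example, not code from the Talos report or the DarkReading article: it runs two of those hunts over constructed sample data (a fake `ps -eo pid,user,args` listing and a fake rendered page), flagging processes launched from dot-prefixed /tmp paths or via nohup, and walking the `__NEXT_DATA__` JSON for keys or values that look like credentials. The key-name and credential-URL patterns are assumptions chosen for illustration, not the campaign's actual artefact names.

```python
import json
import re

# Constructed `ps -eo pid,user,args` output, not from the Talos report.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  412 node     node /app/server.js
  913 node     /tmp/.x9f2a1 -c /tmp/.cfg
  914 node     nohup sh -c /tmp/.x9f2a1
"""

# Constructed rendered page whose __NEXT_DATA__ blob carries server-side secrets.
SAMPLE_HTML = """<html><body><script id="__NEXT_DATA__" type="application/json">
{"props":{"pageProps":{"title":"Home","AWS_SECRET_ACCESS_KEY":"EXAMPLEKEY","dbUrl":"postgres://user:pw@db/app"}}}
</script></body></html>"""

DOT_TMP = re.compile(r"(?:^|\s)/tmp/\.[\w.-]+")          # dot-prefixed (hidden) file under /tmp
SECRET_KEY = re.compile(r"secret|token|passw|api[_-]?key|private[_-]?key", re.I)  # assumed key names
CRED_URL = re.compile(r"^\w+://[^/\s:]+:[^@\s]+@")          # scheme://user:pass@host in a value

def suspicious_processes(ps_output):
    """Flag processes launched from dot-prefixed /tmp paths or wrapped in nohup."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip the ps header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        reasons = []
        if DOT_TMP.search(cmd):
            reasons.append("dot-prefixed /tmp executable")
        if cmd.startswith("nohup "):
            reasons.append("nohup launcher")
        if reasons:
            hits.append({"pid": int(pid), "user": user, "cmd": cmd, "reasons": reasons})
    return hits

def leaked_next_data_paths(html):
    """Return JSON paths inside __NEXT_DATA__ whose key or value looks like a secret."""
    m = re.search(r'<script id="__NEXT_DATA__"[^>]*>(.*?)</script>', html, re.S)
    blob = m.group(1) if m else "{}"                 # no __NEXT_DATA__ block: nothing to report
    found = []
    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                p = f"{path}.{k}" if path else k
                if isinstance(v, str) and (SECRET_KEY.search(k) or CRED_URL.match(v)):
                    found.append(p)
                walk(v, p)
    walk(json.loads(blob), "")
    return found
```

On a live host, feed `suspicious_processes` the real `ps -eo pid,user,args` output and `leaked_next_data_paths` the HTML fetched from your own app's public routes; any hit warrants the credential rotation described in the defensive actions above.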

Context and relevance

This campaign continues a trend in which a single deserialisation or server-side flaw (here in modern React Server Components/Next.js) is weaponised at scale through automation. Pairing a pre-auth RCE with an automated secrets harvester greatly raises the impact: once inside, attackers can map infrastructure, pivot, and monetise access quickly. If your organisation runs Next.js or RSC-based frameworks on public endpoints, this is directly relevant.

Why should I read this?

Short version: if you run Next.js apps, this isn’t hypothetical — it’s happening now. Talos’ findings show attackers are automating the whole pipeline: find, exploit, harvest, and catalogue. We’ve read the tech detail so you don’t have to. Patch, rotate keys, and hunt for the artefacts listed above — pronto.

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/automated-credential-harvesting-campaign-react2shell