Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

Divergent

Jul 26, 2025

A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.

Cisco Talos has attributed the operation to a threat cluster it tracks as UAT-10608. At least 766 hosts spanning multiple geographic regions and cloud providers have been compromised as part of the activity.

Executive Summary

Confirmed Facts

A threat cluster tracked as "UAT-10608" is actively exploiting CVE-2025-55182 (React2Shell) to compromise Next.js hosts and deploy a credential harvesting GUI framework known as "NEXUS Listener."

Assessment

The indiscriminate targeting pattern heavily suggests the use of automated vulnerability scanners to identify publicly exposed web applications, enabling large-scale theft of cloud secrets and database credentials for follow-on attacks.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1190 – Exploit Public-Facing Application
T1059.007 – Command and Scripting Interpreter: JavaScript
T1552.001 – Unsecured Credentials: Credentials In Files
T1005 – Data from Local System

CVE Profile

CVE-2025-55182 [NVD Score: 10.0] [CISA KEV Status: Active]

Constraint

The structure of the post-compromise activity suggests a multi-phase extraction script utilizing the Node.js runtime, but without raw binary analysis or explicit IOCs in the provided text, exact file behaviors remain theoretical.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command: Initiate supply chain risk assessments for all third-party React/Next.js dependencies and engage legal/communications teams if customer PII or financial API keys (e.g., Stripe) were potentially exposed.

DETECT (DE) – Monitoring & Analysis

Command: Query SIEM for anomalous child processes spawning from Next.js/Node.js web server environments.

Command: Hunt for unauthorized or unusual access patterns utilizing recently harvested AWS IAM role-associated temporary credentials.

RESPOND (RS) – Mitigation & Containment

Command: Isolate affected Next.js application servers from the production network immediately.

Command: Rotate all potentially exposed secrets, including SSH private keys, database connection strings, GitHub tokens, and communication service APIs.

RECOVER (RC) – Restoration & Trust

Command: Rebuild compromised web servers from known-clean golden images with updated React and Next.js packages.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command: Enforce IMDSv2 on all AWS EC2 instances so that instance metadata credentials cannot be exfiltrated via SSRF or RCE.

Command: Implement continuous secret scanning and the principle of least privilege across cloud environments.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Threat Level: Theoretical/Low. Next.js and React Server Components are enterprise development frameworks and do not exist on a default Windows Home installation.

Command: No internet disconnection required unless you are a developer actively hosting a vulnerable Next.js application directly from your home network.

Priority 2: Identity

Command: If you are a developer who hosted vulnerable personal Next.js projects, reset passwords/MFA using a known clean device (e.g., phone on 5G) and revoke any API keys stored in your local .env files.

Priority 3: Persistence

Command: Check Scheduled Tasks, Startup Folders, and Browser Extensions for anomalies, though this specific threat operation targets web server infrastructure rather than home desktop persistence.

Hardening & References

Baseline: CIS Benchmarks for Web Server and Cloud Provider (AWS/Azure/GCP) Security.

Framework: NIST CSF 2.0 / SP 800-61r3.

Sources: Cisco Talos Intelligence Group; The Hacker News.
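As an added illustration of the DETECT step above (hunting for anomalous child processes of a Next.js/Node.js server), the script below is example code written for this post, not Talos's tooling or any IOC from the report. It scans constructed JSON-lines process-creation events (field names are assumptions, not a vendor schema) for shells, download tools, and credential-file reads spawned under a `node` parent, which is the process-level footprint of the SSH-key, AWS-secret and .env theft described above.

```python
"""Hunt for suspicious child processes of a Node.js/Next.js web server."""
import json
import re
from typing import Optional

# Children of node that are normally not expected on a web tier.
SHELL_OR_DOWNLOADER = {"sh", "bash", "dash", "zsh", "curl", "wget", "python3", "perl"}
# Files the report says were harvested (SSH keys, AWS secrets, .env, shell history).
CREDENTIAL_PATHS = re.compile(
    r"(\.ssh/|\.aws/credentials|\.env\b|\.bash_history|\.git-credentials|\.npmrc)"
)

# Constructed sample telemetry (assumed schema: ts, host, user, parent, image, cmdline).
SAMPLE_EVENTS = """\
{"ts":"2025-12-05T10:01:02Z","host":"web-01","user":"nextjs","parent":"node","image":"node","cmdline":"node server.js"}
{"ts":"2025-12-05T10:01:09Z","host":"web-01","user":"nextjs","parent":"node","image":"sh","cmdline":"sh -c cat /home/nextjs/.aws/credentials"}
{"ts":"2025-12-05T10:01:10Z","host":"web-01","user":"nextjs","parent":"node","image":"cat","cmdline":"cat /home/nextjs/.ssh/id_rsa"}
{"ts":"2025-12-05T10:02:00Z","host":"web-02","user":"nextjs","parent":"node","image":"node","cmdline":"node /app/.next/server/pages/api/health.js"}
{"ts":"2025-12-05T10:03:30Z","host":"web-01","user":"root","parent":"cron","image":"sh","cmdline":"sh -c /usr/bin/logrotate"}
"""


def is_suspicious(ev: dict) -> Optional[str]:
    """Return a triage reason if the event is suspicious, else None."""
    if ev.get("parent") != "node":
        return None  # only children of the web server runtime are in scope
    image = ev.get("image", "")
    cmdline = ev.get("cmdline", "")
    if image in SHELL_OR_DOWNLOADER:
        return f"node spawned {image}"
    if CREDENTIAL_PATHS.search(cmdline):
        return "node child touched credential file"
    return None


def hunt(raw: str) -> list:
    """Parse JSON-lines telemetry and return the flagged events with reasons."""
    hits = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reason = is_suspicious(ev)
        if reason:
            hits.append({**ev, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['host']} {hit['reason']}: {hit['cmdline']}")
```

On the sample data the legitimate node worker and the cron-spawned shell are left alone, while the shell reading AWS credentials and the SSH-key read are flagged; in a real deployment the event source would be auditd or EDR process telemetry rather than the inline string.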