Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Threat Actors Exploit Vulnerability to Access Next.js Hosts

Threat Actors Exploit Vulnerability to Access Next.js Hosts

Posted on April 2, 2026 By CWS

A significant cybersecurity breach has come to light, with threat actors exploiting a vulnerability known as React2Shell to penetrate Next.js applications. This breach has enabled attackers to extract sensitive data such as database credentials, SSH keys, and API secrets from numerous systems.

Details of the Exploitation

The operation, tracked by Cisco Talos as UAT-10608, has compromised at least 766 hosts across various cloud environments. The attackers utilized automated scripts to exfiltrate credentials and relay them to a command-and-control (C2) server, which uses a graphical interface termed ‘NEXUS Listener’ to manage the stolen data.

The attack primarily targets a critical vulnerability, CVE-2025-55182, in React Server Components and Next.js App Router, which has a CVSS score of 10.0 indicating severe risk. This flaw allows remote code execution, facilitating unauthorized access and subsequent deployment of a collection framework called NEXUS Listener.

Mechanisms of Data Extraction

The threat actors employed a multi-stage script to gather a wide range of data from infected systems. This includes environmental variables, SSH keys, shell history, Kubernetes tokens, and configuration details of Docker containers. Additionally, they harvested API keys and temporary credentials by querying cloud services like AWS and Azure.

The attackers leveraged tools like Shodan and Censys to identify vulnerable Next.js deployments, scanning for exposed systems that could be easily compromised. The NEXUS Listener interface provides a detailed overview of the stolen credentials and compromised hosts, revealing the scale of the operation.

Implications and Recommendations

The breach exposes the breadth of sensitive data that can be accessed by exploiting such vulnerabilities. Organizations are urged to review their security measures, enforce strict privilege policies, and rotate credentials regularly. Implementing security measures such as secret scanning and utilizing IMDSv2 for AWS instances are recommended to mitigate potential threats.

The stolen data not only holds immediate operational value but also offers insights into the targeted organizations’ infrastructure, revealing configurations and third-party integrations. This intelligence can be exploited for further attacks, underscoring the need for robust cybersecurity practices.

The ongoing development of tools like NEXUS Listener highlights the evolving capabilities of cyber attackers, necessitating continuous vigilance and proactive security strategies. Organizations should remain alert to emerging threats and ensure their systems are fortified against potential breaches.

The Hacker News Tags:C2 Server, cloud computing, cloud security, credential theft, CVE-2025-55182, cyber attack, cyber threat, Cybersecurity, data breach, Hacking, Next.js, React2Shell, security patch, threat intelligence, Vulnerability

Post navigation

Previous Post: OpenSSH 10.3 Addresses Key Security Vulnerabilities
Next Post: Boeing RFQ Malware Campaign Exploits DOCX and Python

Related Posts

CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack The Hacker News
Malicious npm Packages Impersonate Flashbots, Steal Ethereum Wallet Keys Malicious npm Packages Impersonate Flashbots, Steal Ethereum Wallet Keys The Hacker News
Enhancing Incident Response: Key Operational Essentials Enhancing Incident Response: Key Operational Essentials The Hacker News
CISA Flags VMware Vulnerability Amid Active Exploits CISA Flags VMware Vulnerability Amid Active Exploits The Hacker News
Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 The Hacker News
Critical Security Flaws in Hikvision and Rockwell Products Critical Security Flaws in Hikvision and Rockwell Products The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Major Cybersecurity Incidents: Canadian Hacker, ATM Fraud
  • Top Post-Quantum Cryptographic Solutions for 2026
  • Armored Likho’s BusySnake Threatens Government and Energy Sectors
  • Scammers Exploit Brand Trust to Lure Casino Traffic
  • FBI Alerts on TeamPCP’s Widespread Developer Tool Attacks

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Major Cybersecurity Incidents: Canadian Hacker, ATM Fraud
  • Top Post-Quantum Cryptographic Solutions for 2026
  • Armored Likho’s BusySnake Threatens Government and Energy Sectors
  • Scammers Exploit Brand Trust to Lure Casino Traffic
  • FBI Alerts on TeamPCP’s Widespread Developer Tool Attacks

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark