A recent alert from Cisco’s Talos security team highlights a significant cybersecurity threat involving the exploitation of vulnerable Next.js applications. Identified as UAT-10608, the malicious actors behind this campaign are using vulnerabilities in these applications to gather credentials on a large scale.
Understanding the React2Shell Vulnerability
The attackers are capitalizing on a critical vulnerability, CVE-2025-55182, which is commonly referred to as React2Shell by the cybersecurity community. This flaw, with a CVSS score of 10, enables remote and unauthenticated attackers to execute arbitrary code. By leveraging automated scanning, the attackers identify systems susceptible to this exploit.
Once access is obtained, the attackers deploy automated scripts and utilize the Nexus Listener framework to collect a variety of sensitive data, including cloud tokens, SSH keys, and environment secrets. Talos reports that at least 766 systems have been compromised, resulting in the collection of over 10,000 files.
Attack Methodology and Impact
The scale of this attack is highlighted by the indiscriminate nature of its targeting, likely facilitated through host profile data from services like Shodan and Censys. These tools help enumerate publicly accessible Next.js deployments, which are then probed for vulnerabilities related to the React configuration.
The adversaries employ an automated script for a multi-phase data collection process. This script iterates through various data points such as running processes, JavaScript runtime, and cloud metadata APIs. The collected data is then sent to a command-and-control server via the Nexus Listener web application.
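The collection phase described above touches cloud metadata APIs from inside the compromised web application's process, which is behaviour a Next.js server has no normal reason to exhibit. The following is an added detection example, not code from the Talos alert or from any of the tooling it names; it assumes a host-level egress log with `key=value` fields (timestamp, `pid`, `comm`, `dst`, `path`), and the sample lines, the set of metadata hosts and the list of web runtime process names are all constructed assumptions to illustrate the rule.

```javascript
// Added example (not from Talos or the page): flag web-runtime processes that
// reach a cloud metadata endpoint, one of the data sources the campaign harvests.
// Log format, sample lines and the name sets below are constructed assumptions.

// Well-known cloud metadata endpoints (AWS/Azure link-local address, GCP hostname).
const METADATA_HOSTS = new Set(["169.254.169.254", "metadata.google.internal"]);

// Process names we expect to be serving the Next.js application. A metadata
// request from one of these is suspicious; from cloud-init or an agent it is routine.
const WEB_RUNTIMES = new Set(["node", "next-server"]);

// Parse "<timestamp> k1=v1 k2=v2 ..." into an object; returns null on malformed input.
function parseEgressLine(line) {
  const m = line.match(/^(\S+)\s+(.*)$/);
  if (!m) return null;
  const fields = { ts: m[1] };
  for (const kv of m[2].split(/\s+/)) {
    const i = kv.indexOf("=");
    if (i > 0) fields[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return fields;
}

// Return one finding per line where a web runtime talked to a metadata endpoint.
function detectMetadataAccess(lines) {
  const findings = [];
  for (const line of lines) {
    const f = parseEgressLine(line);
    if (!f || !f.dst || !f.comm) continue;
    const host = f.dst.replace(/:\d+$/, ""); // strip ":port" (IPv4 / hostname only)
    if (!METADATA_HOSTS.has(host)) continue;
    if (!WEB_RUNTIMES.has(f.comm)) continue; // management agents are allowed through
    findings.push({ ts: f.ts, pid: f.pid, comm: f.comm, host, path: f.path || "" });
  }
  return findings;
}

// Constructed sample log: two web-runtime hits, one benign API call, one cloud-init lookup.
const SAMPLE_LOG = [
  "2025-12-10T08:01:12Z pid=4107 comm=node dst=169.254.169.254:80 path=/latest/meta-data/iam/security-credentials/",
  "2025-12-10T08:01:13Z pid=4107 comm=node dst=api.example-saas.test:443 path=/v1/items",
  "2025-12-10T08:02:40Z pid=812 comm=cloud-init dst=169.254.169.254:80 path=/latest/meta-data/instance-id",
  "2025-12-10T08:03:05Z pid=4107 comm=node dst=metadata.google.internal:80 path=/computeMetadata/v1/instance/service-accounts/default/token",
];

function runSampleDetection() {
  return detectMetadataAccess(SAMPLE_LOG);
}

for (const f of runSampleDetection()) {
  console.log(`ALERT ${f.ts} ${f.comm}[${f.pid}] -> ${f.host}${f.path}`);
}
```

The rule deliberately keys on the process name rather than on the request path, so it also catches token reads that use a path the analyst has not seen before; tune `WEB_RUNTIMES` to the actual process names in your deployment and treat any hit as grounds to rotate the instance role's credentials.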
Consequences and Recommendations
Among the exfiltrated data are keys for AI platforms, AWS, and other critical services, along with GitHub tokens and database secrets. Talos discovered an exposed Nexus Listener instance that provided insight into the scale of the compromise, revealing that 766 hosts were affected within just one day.
Given the sensitive nature of the information collected, all compromised credentials and secrets should be rotated immediately to prevent further breaches. Failure to do so could result in supply chain attacks, unauthorized system access, and significant compliance issues.
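Rotating "all compromised credentials" starts with an inventory of which environment values are secrets and which provider issues them, since each one has to be rotated and revoked at its source. The following is an added example, not code from Talos or the Next.js project; it classifies the variables in a `.env`-style file into the credential categories the alert lists (AWS, GitHub, AI platform keys, database secrets) and produces a rotation checklist that references each secret by a masked suffix rather than its value. The file content and the name patterns are constructed assumptions.

```javascript
// Added example (not from Talos or Next.js): build a rotation checklist from a
// deployment's .env file. The sample file and the key-name rules are assumptions.

// Classification rules, first match wins. Categories follow the credential types
// named in the alert; the exact variable names are constructed assumptions.
const RULES = [
  { provider: "aws",         test: (k) => /^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$/.test(k) },
  { provider: "github",      test: (k) => /^(GH|GITHUB)_(TOKEN|PAT)$/.test(k) },
  { provider: "ai-platform", test: (k) => /^(OPENAI|ANTHROPIC|HUGGINGFACE)_API_KEY$/.test(k) },
  { provider: "database",    test: (k) => /^(DATABASE_URL|DB_PASSWORD|POSTGRES_PASSWORD)$/.test(k) },
  { provider: "generic",     test: (k) => /(SECRET|TOKEN|PASSWORD|PRIVATE_KEY|API_KEY)/.test(k) },
];

// Minimal dotenv parser: skips blanks and comments, accepts an optional "export",
// and strips one layer of matching single or double quotes around the value.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    let value = m[2];
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);
    }
    vars[m[1]] = value;
  }
  return vars;
}

// Mask a secret for tickets and chat: keep only the last four characters.
function mask(value) {
  return value.length > 8 ? "***" + value.slice(-4) : "***";
}

// One checklist entry per secret-bearing variable. NEXT_PUBLIC_* values are inlined
// into the browser bundle by Next.js, so a secret under that prefix is flagged as
// already exposed to every visitor, not just to the attacker.
function rotationPlan(vars) {
  const plan = [];
  for (const [key, value] of Object.entries(vars)) {
    const rule = RULES.find((r) => r.test(key));
    if (!rule) continue; // plain configuration, nothing to rotate
    plan.push({
      key,
      provider: rule.provider,
      fingerprint: mask(value),
      exposedToBrowser: key.startsWith("NEXT_PUBLIC_"),
    });
  }
  return plan;
}

// Constructed sample .env; every value is a placeholder, not a real credential.
const SAMPLE_ENV = `
# constructed sample, not a real deployment
NODE_ENV=production
NEXT_PUBLIC_APP_NAME="Demo Shop"
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE
AWS_SECRET_ACCESS_KEY='exampleSecretKeyExampleSecretKey'
GITHUB_TOKEN=ghp_exampleexampleexample
OPENAI_API_KEY=sk-exampleexampleexample
DATABASE_URL="postgres://app:examplepw@db.internal:5432/shop"
export SESSION_SECRET=examplesessionsecret
`;

function samplePlan() {
  return rotationPlan(parseDotenv(SAMPLE_ENV));
}

for (const item of samplePlan()) {
  console.log(`[${item.provider}] rotate ${item.key} (${item.fingerprint})` +
    (item.exposedToBrowser ? "  !! shipped to browser bundle" : ""));
}
```

The checklist is the input to the actual rotation, which happens at each provider (new key issued, old key revoked, deployment updated); the masked fingerprint lets the team confirm afterwards that the value in the running deployment is no longer the one that was harvested.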
Organizations are urged to review their security measures and patch known vulnerabilities promptly to prevent such exploits. Staying informed and proactive is crucial in mitigating risks associated with these large-scale credential harvesting campaigns.
