Threat Actors Exploit Vulnerability to Access Next.js Hosts

Posted on April 2, 2026 By CWS

A significant cybersecurity breach has come to light, with threat actors exploiting a vulnerability known as React2Shell to penetrate Next.js applications. This breach has enabled attackers to extract sensitive data such as database credentials, SSH keys, and API secrets from numerous systems.

Details of the Exploitation

The operation, tracked by Cisco Talos as UAT-10608, has compromised at least 766 hosts across various cloud environments. The attackers utilized automated scripts to exfiltrate credentials and relay them to a command-and-control (C2) server, which uses a graphical interface termed ‘NEXUS Listener’ to manage the stolen data.

The attack primarily targets a critical vulnerability, CVE-2025-55182, in React Server Components and Next.js App Router, which has a CVSS score of 10.0 indicating severe risk. This flaw allows remote code execution, facilitating unauthorized access and subsequent deployment of a collection framework called NEXUS Listener.

Mechanisms of Data Extraction

The threat actors employed a multi-stage script to gather a wide range of data from infected systems. This includes environment variables, SSH keys, shell history, Kubernetes tokens, and configuration details of Docker containers. Additionally, they harvested API keys and temporary credentials by querying cloud services like AWS and Azure.
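Because environment variables are among the first items collected, a redacted inventory of what a Next.js server process holds in its environment tells responders which credentials to rotate first. The following Node.js sketch is an added example, not code from Cisco Talos or the article; the name and value patterns are heuristics assumed for illustration, and the sample environment is constructed.

```javascript
// Added example: redacted inventory of secret-like environment variables.
// NAME_HINT and VALUE_RULES are heuristics assumed for this example.
const NAME_HINT = /(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY|CREDENTIAL)/i;
const VALUE_RULES = [
  // AKIA = long-term AWS access key ID, ASIA = temporary (STS) key ID.
  { kind: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { kind: 'pem-private-key', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { kind: 'url-with-password', re: /^[a-z][a-z0-9+.-]*:\/\/[^\s:\/@]+:[^\s@]+@/i },
];

// Constructed sample environment; every value is a placeholder.
const SAMPLE_ENV = {
  NODE_ENV: 'production',
  PORT: '3000',
  DATABASE_URL: 'postgres://app:example-password@db.internal.example:5432/app',
  AWS_ACCESS_KEY_ID: 'AKIAIOSFODNN7EXAMPLE',
  PAYMENT_API_KEY: 'constructed-placeholder-value',
};

// Never echo a secret: keep the first 4 characters and the length only.
function redact(value) {
  return `${value.slice(0, 4)}...(${value.length} chars)`;
}

// Returns one finding per variable whose value or name looks like a secret.
function inventorySecrets(env) {
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    if (typeof value !== 'string' || value === '') continue;
    const rule = VALUE_RULES.find((r) => r.re.test(value));
    const kind = rule ? rule.kind : (NAME_HINT.test(name) ? 'secret-like-name' : null);
    if (kind) findings.push({ name, kind, preview: redact(value) });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

console.table(inventorySecrets(SAMPLE_ENV));
```

In production, pass `process.env` instead of `SAMPLE_ENV` and treat every finding on a host that was exposed as a credential to rotate.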

The attackers leveraged tools like Shodan and Censys to identify vulnerable Next.js deployments, scanning for exposed systems that could be easily compromised. The NEXUS Listener interface provides a detailed overview of the stolen credentials and compromised hosts, revealing the scale of the operation.

Implications and Recommendations

The breach exposes the breadth of sensitive data that can be accessed by exploiting such vulnerabilities. Organizations are urged to review their security measures, enforce strict privilege policies, and rotate credentials regularly. Secret scanning and IMDSv2 for AWS instances are recommended to mitigate potential threats.
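To check the IMDSv2 recommendation across a fleet, the `MetadataOptions` block of `aws ec2 describe-instances` output can be audited offline. The Node.js sketch below is an added example, not part of the original report; the instance IDs and the sample document are constructed, and the hop-limit check is an extra hardening assumption beyond what the article states.

```javascript
// Added example: flag EC2 instances that still accept IMDSv1 requests.
// SAMPLE is constructed and shaped like `aws ec2 describe-instances` JSON.
const SAMPLE = {
  Reservations: [{
    Instances: [
      { InstanceId: 'i-0example0000000001',
        MetadataOptions: { HttpEndpoint: 'enabled', HttpTokens: 'optional', HttpPutResponseHopLimit: 1 } },
      { InstanceId: 'i-0example0000000002',
        MetadataOptions: { HttpEndpoint: 'enabled', HttpTokens: 'required', HttpPutResponseHopLimit: 2 } },
      { InstanceId: 'i-0example0000000003',
        MetadataOptions: { HttpEndpoint: 'enabled', HttpTokens: 'required', HttpPutResponseHopLimit: 1 } },
      { InstanceId: 'i-0example0000000004',
        MetadataOptions: { HttpEndpoint: 'disabled', HttpTokens: 'optional', HttpPutResponseHopLimit: 1 } },
    ],
  }],
};

function auditImds(describeOutput) {
  const findings = [];
  for (const reservation of describeOutput.Reservations ?? []) {
    for (const inst of reservation.Instances ?? []) {
      const m = inst.MetadataOptions ?? {};
      // A disabled endpoint serves no credentials at all.
      if (m.HttpEndpoint === 'disabled') continue;
      const issues = [];
      if (m.HttpTokens !== 'required') issues.push('imdsv1-allowed');
      // A hop limit above 1 lets containers on the host reach the endpoint.
      if ((m.HttpPutResponseHopLimit ?? 1) > 1) issues.push('hop-limit-above-1');
      if (issues.length === 0) continue;
      findings.push({
        instanceId: inst.InstanceId,
        issues,
        // Remediation command for the IMDSv1 finding (AWS CLI).
        fix: issues.includes('imdsv1-allowed')
          ? `aws ec2 modify-instance-metadata-options --instance-id ${inst.InstanceId} --http-tokens required --http-endpoint enabled`
          : null,
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditImds(SAMPLE), null, 2));
```

IMDSv2 closes request-forgery paths to the metadata service, but code already executing on the instance can still obtain a session token, so the instance role's permissions should also be kept to the minimum the application needs.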

The stolen data not only holds immediate operational value but also offers insights into the targeted organizations’ infrastructure, revealing configurations and third-party integrations. This intelligence can be exploited for further attacks, underscoring the need for robust cybersecurity practices.

The ongoing development of tools like NEXUS Listener highlights the evolving capabilities of cyber attackers, necessitating continuous vigilance and proactive security strategies. Organizations should remain alert to emerging threats and ensure their systems are fortified against potential breaches.
