Hackers Exploit React2Shell in Automated Credential Theft Campaign

What happened

Hackers are exploiting React2Shell to run an automated credential theft campaign against vulnerable Next.js applications. The activity centers on CVE-2025-55182 and has already led to the compromise of at least 766 hosts across multiple cloud providers and geographic regions. After identifying exposed Next.js apps, the attackers deploy a script that launches a multi-phase credential harvesting routine from the system’s temporary directory. According to Cisco Talos research, the operation uses a framework called NEXUS Listener to collect and manage stolen data from compromised systems. The harvested information includes database credentials, AWS credentials, SSH private keys, API keys, cloud tokens, environment secrets, Kubernetes tokens, Docker and container details, command history, and process runtime data. The stolen data is then exfiltrated in chunks over HTTP to attacker-controlled infrastructure.

Who is affected

The direct exposure affects organizations running vulnerable Next.js applications exposed to the internet. The campaign targets systems that hold cloud credentials, database access, SSH keys, API secrets, and other server-side sensitive data that can be extracted automatically after exploitation.

Why CISOs should care

This matters because the campaign is built for scale and speed, with attackers able to compromise hundreds of hosts in a short period and pull credentials that could support cloud account takeover, database access, lateral movement, and follow-on supply chain abuse. It also targets server-side secrets that can create broader enterprise risk well beyond the initial vulnerable application.

3 practical actions

  1. Patch against React2Shell immediately: Apply the available security updates addressing CVE-2025-55182 in vulnerable Next.js environments without delay.
  2. Rotate exposed credentials fast: If compromise is suspected, rotate cloud credentials, database credentials, API keys, SSH keys, and other secrets that may have been accessible on affected hosts.
  3. Reduce secret exposure on servers: Audit what server-side secrets are available to applications at runtime and tighten controls around metadata access, cloud roles, and secret storage.
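
The third action, auditing which server-side secrets an application process can reach at runtime, is easy to turn into a repeatable check. The script below is an added example, not code from the article, from Cisco Talos, or from the Next.js project. It inventories the categories the article says the campaign harvests (environment secrets, AWS and SSH credentials, Kubernetes and Docker tokens, command history) and reports only names and paths, never secret values, so the output can be kept as an audit record. The environment-name heuristic and the credential file list are assumptions and should be extended for your stack.

```python
"""Audit which server-side secrets a Next.js process can reach at runtime.

Added example, not code from the article, Cisco Talos or the Next.js project.
The env-name pattern and file list are assumptions: extend them for your stack.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable

# Environment variable names that usually carry secrets (assumed heuristic).
SECRET_ENV_PATTERN = re.compile(
    r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|DATABASE_URL",
    re.IGNORECASE,
)

# Credential files commonly readable by the application user, grouped by the
# categories the article says the campaign harvests. Paths are assumptions.
CREDENTIAL_FILES = {
    "~/.aws/credentials": "AWS credentials",
    "~/.ssh/id_rsa": "SSH private key",
    "~/.ssh/id_ed25519": "SSH private key",
    "~/.kube/config": "Kubernetes credentials",
    "/var/run/secrets/kubernetes.io/serviceaccount/token": "Kubernetes service account token",
    "~/.docker/config.json": "Docker registry credentials",
    "~/.bash_history": "command history",
    ".env": "application environment file",
    ".env.local": "application environment file",
}


@dataclass(frozen=True)
class Finding:
    kind: str       # "env" or "file"
    location: str   # variable name or resolved path
    category: str   # what kind of secret is exposed


def audit_env(env: dict) -> list:
    """Flag environment variables whose names look like secrets (values are never reported)."""
    return [
        Finding("env", name, "environment secret")
        for name in sorted(env)
        if SECRET_ENV_PATTERN.search(name)
    ]


def resolve_path(path: str, home: str, cwd: str) -> str:
    """Expand ~ and relative paths without touching the real filesystem."""
    if path.startswith("~/"):
        return os.path.join(home, path[2:])
    if not os.path.isabs(path):
        return os.path.join(cwd, path)
    return path


def audit_files(exists: Callable[[str], bool], home: str, cwd: str) -> list:
    """Report credential files that exist and are therefore reachable by the process."""
    findings = []
    for path, category in CREDENTIAL_FILES.items():
        resolved = resolve_path(path, home, cwd)
        if exists(resolved):
            findings.append(Finding("file", resolved, category))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category so reports are easy to compare over time."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def audit_host() -> list:
    """Run the audit against the real process environment and filesystem."""
    return audit_env(dict(os.environ)) + audit_files(
        os.path.exists, os.path.expanduser("~"), os.getcwd()
    )


if __name__ == "__main__":
    results = audit_host()
    for f in results:
        print(f"{f.kind:4} {f.category:35} {f.location}")
    print("summary:", summarize(results))
```

Run it as the same user the Next.js process runs as, inside the same container image, so the result reflects what a compromised application could actually read. Anything it reports is a candidate for removal from the runtime image, for replacement with a short-lived credential, or for a tighter file permission; the `exists` parameter of `audit_files` is injected so the check can also be unit-tested against a constructed filesystem.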

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.