Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

Security Reporter

A large-scale credential harvesting operation has compromised 766 Next.js hosts by exploiting a critical vulnerability, allowing attackers to steal database credentials, SSH keys, cloud secrets, and other sensitive data at scale.

Hackers have launched a massive credential harvesting campaign targeting Next.js applications, exploiting the critical CVE-2025-55182 vulnerability to compromise 766 hosts across multiple geographic regions and cloud providers. The operation, attributed to threat cluster UAT-10608 by Cisco Talos, has enabled attackers to steal database credentials, SSH private keys, AWS secrets, shell command history, Stripe API keys, and GitHub tokens at an industrial scale.

The React2Shell Vulnerability: A Perfect Storm

The attack leverages CVE-2025-55182, a critical flaw in React Server Components and Next.js App Router that carries a CVSS score of 10.0. This vulnerability allows for remote code execution, giving attackers complete control over vulnerable Next.js deployments. The flaw has proven particularly devastating because it affects the core architecture of Next.js applications, making it a prime target for automated scanning and exploitation.

According to Cisco Talos researchers Asheer Malhotra and Brandon White, the attackers use automated scripts to extract and exfiltrate credentials from compromised systems. These stolen credentials are then posted to command-and-control servers, where they're organized and made accessible through a sophisticated web-based graphical user interface called "NEXUS Listener."

The NEXUS Listener Framework

Central to this operation is the NEXUS Listener collection framework, which represents a significant evolution in credential harvesting tools. The current version is V3, indicating substantial development iterations before reaching its current state. This password-protected web application provides operators with a comprehensive dashboard featuring search capabilities, statistical insights, and analytical tools.

The interface displays critical metrics including the number of compromised hosts and the total count of each credential type successfully extracted. Operators can browse through all compromised hosts and view the application's uptime, suggesting a well-maintained and actively developed infrastructure.

What Attackers Are Stealing

The breadth of data collection is particularly concerning. The multi-phase harvesting script deployed by the attackers collects:

  • Environment variables and JSON-parsed environment data from JavaScript runtime
  • SSH private keys and authorized_keys files
  • Shell command history
  • Kubernetes service account tokens
  • Docker container configurations including running containers, images, exposed ports, network configurations, mount points, and environment variables
  • API keys from various services
  • IAM role-associated temporary credentials by querying Instance Metadata Service for AWS, Google Cloud, and Microsoft Azure
  • Running processes

Cisco Talos researchers obtained access to an unauthenticated NEXUS Listener instance, revealing API keys associated with Stripe, artificial intelligence platforms (OpenAI, Anthropic, and NVIDIA NIM), communication services (SendGrid and Brevo), Telegram bot tokens, webhook secrets, GitHub and GitLab tokens, database connection strings, and other application secrets.

How the Attack Works

The campaign employs a dropper mechanism that deploys the harvesting script after initial exploitation. The attackers appear to be using automated scanning services like Shodan, Censys, or custom scanners to identify publicly reachable Next.js deployments and probe them for the vulnerability. This indiscriminate targeting pattern suggests a broad, opportunistic approach rather than focused attacks on specific organizations.

Once a vulnerable host is identified and compromised, the attackers establish persistent access and begin the systematic collection of credentials. The stolen data is then organized and made available through the NEXUS Listener interface, allowing operators to efficiently search and analyze the harvested information.

The Strategic Value of Stolen Data

Beyond the immediate operational value of individual credentials, the aggregate dataset represents a detailed map of victim organizations' infrastructure. This includes what services they run, how they're configured, what cloud providers they use, and what third-party integrations are in place. Such intelligence has significant value for crafting targeted follow-on attacks, social engineering campaigns, or selling access to other threat actors.

The scale and sophistication of this operation demonstrate how bad actors are weaponizing access to compromised hosts to stage follow-on attacks. The combination of a critical vulnerability, automated exploitation, comprehensive data collection, and a user-friendly interface creates a powerful tool for credential harvesting at scale.

Protection and Mitigation Strategies

Organizations running Next.js applications should take immediate action to protect their environments. Cisco Talos recommends several critical steps:

Immediate Actions:

  • Audit environments to enforce the principle of least privilege
  • Enable secret scanning across all systems
  • Avoid reusing SSH key pairs across different environments
  • Implement IMDSv2 enforcement on all AWS EC2 instances
  • Rotate credentials if compromise is suspected
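The list under "What Attackers Are Stealing" and the "Enable secret scanning" item above describe the same material from two sides: what the harvesting script pulls from a host is exactly what a defender should have inventoried first. The Python below is an added example, not Talos's tooling or anything from the article, that walks an application directory, reports the sensitive files named above (.env, SSH keys, shell history, authorized_keys) and redacts any matches for the credential formats the article lists. The directory layout and file contents are constructed for the demonstration; the AWS key ID is AWS's published example value, and the Stripe, GitHub and database strings are made up.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Credential formats the article says were harvested. The prefixes are the
# services' publicly documented ones; the sample values below are constructed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "database_url": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s'\"]+:[^\s'\"]+@"),
}

# Files a harvester reads wholesale; reported even when no pattern matches.
SENSITIVE_NAMES = {".env", ".env.local", ".env.production", ".bash_history",
                   ".zsh_history", "id_rsa", "id_ed25519", "authorized_keys"}
SKIP_DIRS = {"node_modules", ".git", ".next"}   # vendored/build output, not our secrets
MAX_BYTES = 1_000_000                           # don't regex-scan large binaries


def redact(secret: str) -> str:
    """Keep a short prefix so the finding is identifiable without re-exposing the value."""
    return secret[:8] + "..." if len(secret) > 8 else "***"


def scan_tree(root) -> list[dict]:
    """Walk `root`, reporting sensitive files and redacted credential matches per line."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            if name in SENSITIVE_NAMES:
                findings.append({"path": str(path), "line": 0,
                                 "kind": "sensitive_file", "match": name})
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for lineno, line in enumerate(text.splitlines(), 1):
                for kind, pattern in PATTERNS.items():
                    for m in pattern.finditer(line):
                        findings.append({"path": str(path), "line": lineno,
                                         "kind": kind, "match": redact(m.group(0))})
    return findings


def build_sample_tree() -> Path:
    """Constructed app directory with the file types the campaign collects."""
    root = Path(tempfile.mkdtemp(prefix="scan-demo-"))
    env_lines = [
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",                     # AWS's documented example ID
        "STRIPE_SECRET_KEY=sk_live_" + "X" * 24,                      # constructed
        "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app",  # constructed
    ]
    (root / ".env").write_text("\n".join(env_lines) + "\n")
    (root / ".ssh").mkdir()
    (root / ".ssh" / "id_rsa").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n")
    (root / "node_modules").mkdir()
    (root / "node_modules" / "README").write_text("ghp_" + "a" * 36 + "\n")  # inside a skipped dir
    (root / "app.js").write_text("const token = process.env.GITHUB_TOKEN; // read at runtime, no literal\n")
    return root


def demo() -> list[dict]:
    """Build the sample tree, scan it, clean it up and return the findings."""
    sample = build_sample_tree()
    try:
        return scan_tree(sample)
    finally:
        shutil.rmtree(sample)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:18} {f['path']}:{f['line']}  {f['match']}")
```

Point `scan_tree` at a deployment root (or a CI checkout) instead of the constructed sample; anything it reports is material that a compromise of that host would hand over, so it doubles as the rotation list if CVE-2025-55182 was exploitable there. Matches are deliberately truncated so the scan output itself does not become another copy of the secrets.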

Long-term Security Measures:

  • Apply patches for CVE-2025-55182 immediately
  • Implement network segmentation to limit lateral movement
  • Deploy intrusion detection systems to identify suspicious activity
  • Conduct regular security audits and penetration testing
  • Monitor for unusual outbound network traffic that might indicate data exfiltration

Cloud Security Best Practices:

  • Use temporary credentials with short expiration times
  • Implement multi-factor authentication for all administrative access
  • Regularly review and revoke unused service accounts and API keys
  • Enable logging and monitoring for all cloud services
  • Consider using cloud security posture management tools

The scale of this campaign, affecting 766 hosts across multiple regions and cloud providers, underscores the importance of proactive security measures. Organizations cannot afford to wait until they're compromised before taking action.

The Broader Implications

This credential harvesting operation represents a concerning trend in cybercrime: the industrialization of data theft. The attackers have created a sophisticated, automated system that can identify vulnerable targets, exploit them, collect valuable data, and organize it in a way that maximizes its utility and value.

The use of a graphical user interface for credential management suggests that this operation may be part of a larger ecosystem where stolen credentials are bought, sold, or traded. The detailed infrastructure mapping capability means that even if individual credentials are changed, the attackers retain valuable intelligence about the victim's environment that can be used for future attacks.

As organizations continue to adopt cloud-native architectures and microservices, the attack surface for credential harvesting operations will likely expand. The success of this campaign against Next.js applications may encourage similar attacks targeting other popular frameworks and platforms.

The discovery of this large-scale operation serves as a stark reminder that critical vulnerabilities require immediate attention. Organizations running Next.js applications should prioritize patching CVE-2025-55182 and implementing the recommended security measures to protect their environments from this and similar credential harvesting campaigns.
