Hackers Exploit React2Shell CVE-2025-55182 to Steal Next.js Credentials

April 6, 2026 | Lisa Park | Tech

At a glance
  • A large-scale credential harvesting operation is currently targeting Next.js applications by exploiting a critical vulnerability known as React2Shell.
  • Security researchers from Cisco Talos have attributed this activity to a threat cluster tracked as UAT-10608.
  • CVE-2025-55182 is a pre-authentication remote code execution vulnerability affecting React Server Components and the Next.js App Router.
Original source: bleepingcomputer.com

A large-scale credential harvesting operation is currently targeting Next.js applications by exploiting a critical vulnerability known as React2Shell. The flaw, identified as CVE-2025-55182, allows attackers to achieve remote code execution (RCE) on vulnerable hosts, which is then used as an initial infection vector to steal sensitive data at scale.

Security researchers from Cisco Talos have attributed this activity to a threat cluster tracked as UAT-10608. At least 766 hosts across multiple cloud providers and geographic regions have been compromised as part of this campaign.

Technical Analysis of CVE-2025-55182

CVE-2025-55182 is a pre-authentication remote code execution vulnerability affecting React Server Components and the Next.js App Router. The vulnerability has been assigned a CVSS score of 10.0, the highest possible severity rating.

According to analysis by Trend Research, the exploit leverages JavaScript’s duck-typing and dynamic code execution through a four-stage process. The attack begins by creating a self-reference loop, which tricks JavaScript into calling attacker-controlled code. The attackers then inject malicious data for initialization and finally execute arbitrary code via a Blob Handler.

Trend Research noted that as of December 10, 2025, there were nearly 145 in-the-wild proof-of-concept exploits, some of which included features for automated mass-scanning and WAF bypasses.

The NEXUS Listener Framework

Once initial access is gained via React2Shell, the threat actor UAT-10608 deploys a collection framework called NEXUS Listener. This framework uses automated scripts placed in the standard temporary directory of the compromised host to execute a multi-phase credential-harvesting routine.

The stolen data is exfiltrated in chunks via HTTP requests over port 8080 to a command-and-control (C2) server. The C2 server features a web-based graphical user interface (GUI) that allows attackers to view stolen information and gain analytical insights using precompiled statistics on the harvested credentials and compromised hosts.

Scope of Stolen Data

The automated scripts used by UAT-10608 are designed to extract a wide array of sensitive information from various applications. The data targeted in these breaches includes:

  • Environment variables and secrets, including database credentials, Stripe API keys, and GitHub or GitLab tokens.
  • SSH private keys.
  • Cloud credentials, such as Amazon Web Services (AWS) secrets, Google Cloud Platform (GCP) and Azure metadata, and IAM credentials.
  • Kubernetes tokens and Docker or container information.
  • Shell command history, process data, and runtime data.

The breadth of this data collection enables the attackers to conduct targeted follow-on attacks against the cloud infrastructure and third-party services linked to the compromised Next.js applications.
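The collection pattern described above (scripts running out of the host's temporary directory, reading credential material, and pushing it out in chunks over HTTP on port 8080) is something defenders can look for in endpoint telemetry. The triage routine below is an added example written for this article; it is not code from Cisco Talos, Trend Research, or the NEXUS Listener itself. The JSON log format, the field names, the list of credential-bearing paths, and the sample events are all constructed for illustration and should be adapted to whatever process and file-access telemetry you actually collect.

```python
"""Triage helper for the credential-harvesting pattern described in the article.

Flags a process when its executable lives in a temporary directory AND it either
reads credential-bearing files or makes repeated connections to port 8080 (the
chunked-HTTP exfiltration channel named in the article).

Added example; log format and paths are assumptions, not from the source.
"""
import json
from collections import defaultdict

# Assumed credential-bearing path fragments (illustrative, chosen to match the
# data categories listed in the article: env secrets, SSH keys, cloud creds,
# Kubernetes/Docker material, shell history).
SENSITIVE_PATH_MARKERS = (
    "/.env",
    "/.ssh/",
    "/.aws/credentials",
    "/.kube/config",
    "/.docker/config.json",
    "/serviceaccount/token",
    "/.bash_history",
    "/.zsh_history",
    "/.git-credentials",
)
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
C2_PORT = 8080  # port named in the article for the chunked HTTP exfiltration


def from_temp_dir(exe: str) -> bool:
    """True if the executable path sits under a temporary directory."""
    return any(exe.startswith(d) for d in TEMP_DIRS)


def touches_secret(path: str) -> bool:
    """True if the file path looks like credential material."""
    return any(marker in path for marker in SENSITIVE_PATH_MARKERS)


def triage(lines, min_chunks=3):
    """Return {pid: record} for processes that match the harvesting pattern.

    Each input line is one JSON object (constructed format) with at least
    'pid', 'exe' and 'type'; 'open' events carry 'path', 'connect' events
    carry 'dport'. Malformed lines are skipped rather than aborting triage.
    """
    per_pid = defaultdict(lambda: {"exe": None, "secret_reads": [], "c2_posts": 0})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        rec = per_pid[ev["pid"]]
        rec["exe"] = ev.get("exe", rec["exe"])
        if ev.get("type") == "open" and touches_secret(ev.get("path", "")):
            rec["secret_reads"].append(ev["path"])
        elif ev.get("type") == "connect" and ev.get("dport") == C2_PORT:
            rec["c2_posts"] += 1

    findings = {}
    for pid, rec in per_pid.items():
        if not (rec["exe"] and from_temp_dir(rec["exe"])):
            continue  # the app server itself legitimately reads .env; ignore it
        if rec["secret_reads"] or rec["c2_posts"] >= min_chunks:
            findings[pid] = rec
    return findings


# Constructed sample telemetry: pid 4242 mimics the described tradecraft,
# pid 1001 is the legitimate Node app reading its own .env, pid 1002 is a
# harmless build script in /tmp making a single HTTPS connection.
SAMPLE_LOG = """
{"pid": 1001, "exe": "/usr/bin/node", "type": "open", "path": "/srv/app/.env"}
{"pid": 4242, "exe": "/tmp/.nx/collect.sh", "type": "open", "path": "/srv/app/.env"}
{"pid": 4242, "exe": "/tmp/.nx/collect.sh", "type": "open", "path": "/home/deploy/.ssh/id_ed25519"}
{"pid": 4242, "exe": "/tmp/.nx/collect.sh", "type": "open", "path": "/home/deploy/.aws/credentials"}
{"pid": 4242, "exe": "/tmp/.nx/collect.sh", "type": "connect", "dport": 8080}
{"pid": 4242, "exe": "/tmp/.nx/collect.sh", "type": "connect", "dport": 8080}
{"pid": 4242, "exe": "/tmp/.nx/collect.sh", "type": "connect", "dport": 8080}
{"pid": 4242, "exe": "/tmp/.nx/collect.sh", "type": "connect", "dport": 8080}
{"pid": 1002, "exe": "/tmp/build.sh", "type": "connect", "dport": 443}
this line is deliberately malformed
"""


if __name__ == "__main__":
    for pid, rec in triage(SAMPLE_LOG.splitlines()).items():
        print(f"pid {pid} ({rec['exe']}): {len(rec['secret_reads'])} secret reads, "
              f"{rec['c2_posts']} connections to port {C2_PORT}")
```

The two conditions are deliberately AND-ed with the temp-directory check: on its own, reading `.env` is what the application server does on every start, and on its own a connection to port 8080 is unremarkable, so either alone would drown analysts in noise. Tune `TEMP_DIRS`, the path markers and `min_chunks` to your environment before relying on it.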

Broader Threat Landscape

Beyond the UAT-10608 cluster, Trend Research has observed CVE-2025-55182 being utilized in other malware campaigns, specifically the emerald and nuts campaigns. These separate attacks have been seen deploying various payloads, including Cobalt Strike beacons generated with Cross C2, the Sliver payload, the Secret-Hunter payload, Nezha, and Fast Reverse Proxy (FRP).

Organizations utilizing Next.js are advised to patch their systems to mitigate the risk of pre-authentication RCE. Trend Research has warned that publicly accessible infrastructure remains subject to targeted scanning from both threat actors and bug bounty hunters.
