Automated Credential Theft Campaign Exploits React2Shell (CVE‑2025‑55182) in Next.js Apps
What It Is – A large‑scale, automated threat actor campaign is abusing the React2Shell remote‑code‑execution flaw (CVE‑2025‑55182) in vulnerable Next.js applications to run a credential‑harvesting framework called NEXUS Listener. The attackers scan the internet, compromise hosts, and exfiltrate database passwords, cloud IAM tokens, SSH keys, Kubernetes tokens, and other secrets.
Exploitability – The vulnerability is publicly disclosed, patches are available, and active exploitation has been observed in the wild. Cisco Talos reports at least 766 compromised hosts within a 24‑hour window. CVSS v3.1 ≈ 9.8 (Critical).
Affected Products – Next.js web applications (any stack that bundles the component affected by React2Shell), typically hosted on AWS, GCP, Azure, or other cloud providers.
TPRM Impact – Compromised third‑party applications can expose downstream customers’ data, enable cloud‑account takeover, and serve as a foothold for supply‑chain attacks against vendors that integrate with the affected services.
Recommended Actions –
- Apply the vendor patch for React2Shell (CVE‑2025‑55182) to all Next.js deployments immediately.
- Conduct a full credential rotation (AWS/GCP/Azure IAM, database passwords, SSH keys, API tokens).
- Enforce AWS IMDSv2, disable unused metadata endpoints, and restrict IAM permissions.
- Perform forensic scans for NEXUS Listener artifacts and audit server‑side data exposure.
- Implement continuous vulnerability scanning for web frameworks and enforce least‑privilege access controls.
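As an added example (not code from the BleepingComputer article or from any vendor), the following script audits the IMDSv2 recommendation above: it parses `aws ec2 describe-instances` output, flags every instance whose metadata endpoint still answers without a session token, and emits the AWS CLI command that enforces token-required access. The JSON is a constructed sample with placeholder instance IDs; in practice feed it the real command output.

```python
import json

# Constructed sample of `aws ec2 describe-instances` output (placeholder IDs, not real
# hosts): one instance enforces IMDSv2, one still allows IMDSv1, one has IMDS disabled.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111example", "MetadataOptions": {
                "HttpTokens": "required", "HttpEndpoint": "enabled",
                "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222example", "MetadataOptions": {
                "HttpTokens": "optional", "HttpEndpoint": "enabled",
                "HttpPutResponseHopLimit": 2}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333example", "MetadataOptions": {
                "HttpTokens": "optional", "HttpEndpoint": "disabled",
                "HttpPutResponseHopLimit": 1}},
        ]},
    ]
})


def find_imdsv1_exposed(describe_output: str) -> list:
    """Return instances whose metadata endpoint is reachable without a session token.

    An instance is flagged when the endpoint is enabled and HttpTokens is not
    "required". A disabled endpoint cannot hand out role credentials at all, so
    it is skipped. The hop limit is carried along because a limit of 1 keeps IMDS
    responses from reaching containers that use their own network namespace.
    """
    findings = []
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue
            if opts.get("HttpTokens") == "required":
                continue
            findings.append({
                "InstanceId": inst["InstanceId"],
                "HopLimit": opts.get("HttpPutResponseHopLimit"),
                # Remediation command to enforce IMDSv2 on this instance.
                "Remediation": (
                    "aws ec2 modify-instance-metadata-options "
                    f"--instance-id {inst['InstanceId']} "
                    "--http-tokens required --http-endpoint enabled "
                    "--http-put-response-hop-limit 1"
                ),
            })
    return findings
```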
Source: BleepingComputer