What happened
Cisco Talos published research on April 2 revealing that a threat group tracked as UAT-10608 exploited CVE-2025-55182 — nicknamed React2Shell — to compromise at least 766 Next.js servers across multiple cloud providers in a single 24-hour window.
The vulnerability carries a CVSS score of 10.0 (maximum severity). It’s an unsafe deserialization flaw in React Server Components that lets an unauthenticated attacker achieve full remote code execution with a single HTTP POST request. No special configuration is required — a default create-next-app project built for production is exploitable out of the box.
The attackers used automated scanning tools to find vulnerable Next.js deployments, exploited the flaw, dropped multi-stage credential harvesting scripts, and exfiltrated everything to a command-and-control platform called NEXUS Listener — a password-protected web dashboard with searchable stolen credentials, host tracking, and real-time analytics.
What was stolen
From 766 compromised hosts, UAT-10608 harvested:
- Database credentials from 91.5% of targets (connection strings with cleartext passwords)
- SSH private keys from 78.2% of targets
- AWS, Azure, and GCP cloud credentials (including IAM role tokens via IMDS queries)
- Stripe live secret keys and payment processing tokens
- GitHub and GitLab tokens
- API keys for OpenAI, Anthropic, NVIDIA NIM, SendGrid, and Brevo
- Kubernetes service account tokens and Docker configurations
- Shell command history and running process listings
- Telegram bot tokens and webhook secrets
This isn’t just credential theft — it’s a complete infrastructure map of every compromised organization, enabling targeted follow-on attacks, lateral movement, and cloud account takeover.
Why this matters
- CVSS 10.0 — maximum severity: single unauthenticated request, no user interaction, full RCE.
- Default apps are vulnerable: you don’t need to have written a Server Action. The App Router enables the vulnerable code path automatically.
- Nation-state exploitation confirmed: AWS threat intelligence attributes early exploitation to China-nexus groups (Earth Lamia, Jackpot Panda) within hours of disclosure.
- Industrialized at scale: the NEXUS Listener dashboard shows this is not ad-hoc hacking — it’s credential harvesting as a service.
- CISA KEV listed with a 99th-percentile EPSS score, confirming widespread exploitation.
- Cloudflare blocked 582 million exploit attempts in the first week after PoC publication.
How to check if you’re affected
Affected versions
Any Next.js application from version 13.3 onward using the App Router is vulnerable. Specific patched versions:
| Branch | Vulnerable | Patched |
|---|---|---|
| 14.x | 14.0.0 – 14.2.34 | 14.2.35 |
| 15.0.x | 15.0.0 – 15.0.7 | 15.0.8 |
| 15.1.x–15.5.x | All prior | See latest in branch |
| 16.0.x | 16.0.0 – 16.0.10 | 16.0.11 |
| 16.1.x | 16.1.0 – 16.1.4 | 16.1.5 |
Pages Router, Edge Runtime, and Next.js 13.x stable are not affected.
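To apply the table mechanically in a triage script, here is an added example (not code from the article, Next.js or Vercel) that classifies a Next.js version string against the ranges above. Only the branches the table lists get a verdict; the 15.1.x–15.5.x row, newer lines, 13.x, and any prerelease tag come back as `check-branch` rather than being auto-cleared.

```javascript
// Added example, not code from the article or from Next.js/Vercel: classify an
// installed Next.js version against the React2Shell (CVE-2025-55182) table.
// First fixed release per branch, taken from the table; null minor = whole major.
const PATCHED = [
  { branch: [14, null], fix: [14, 2, 35] },
  { branch: [15, 0],    fix: [15, 0, 8] },
  { branch: [16, 0],    fix: [16, 0, 11] },
  { branch: [16, 1],    fix: [16, 1, 5] },
];

function parseNextVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(raw.trim());
  if (!m) throw new Error(`unrecognised version string: ${raw}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: !!m[4] };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns "not-affected", "vulnerable", "patched" or "check-branch".
function triageNextVersion(raw, { appRouter = true } = {}) {
  if (!appRouter) return "not-affected";            // Pages Router is out of scope
  const { nums, prerelease } = parseNextVersion(raw);
  const [major, minor] = nums;
  if (major < 13 || (major === 13 && minor < 3)) return "not-affected";
  if (prerelease) return "check-branch";             // canary/rc tags: compare by hand
  if (major === 13) return "check-branch";           // article: 13.3+ App Router in scope, 13.x stable unaffected
  const row = PATCHED.find(r => r.branch[0] === major && (r.branch[1] === null || r.branch[1] === minor));
  if (!row) return "check-branch";                   // 15.1.x–15.5.x and newer lines: see latest in branch
  return cmp(nums, row.fix) < 0 ? "vulnerable" : "patched";
}

// CI helper (hypothetical): read the "next" dependency out of a package.json text.
function triageFromPackageJson(pkgJsonText, opts) {
  const deps = JSON.parse(pkgJsonText).dependencies || {};
  if (!deps.next) return "not-affected";             // Next.js is not a dependency
  return triageNextVersion(deps.next.replace(/^[\^~]/, ""), opts);
}
```

Feed it `npx next --version` output or the package.json text; anything that is not `patched` or `not-affected` needs a human look.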
Concrete verification steps (15-minute triage)
Check your Next.js version
```shell
npx next --version   # or: cat package.json | grep '"next"'
```
If running a vulnerable version with App Router enabled, you’re in scope.
Run Vercel’s automated check
```shell
npx fix-react2shell-next
```
Search logs for exploitation attempts
```shell
grep -i "next-action" /var/log/nginx/access.log
grep -E "Nuclei.*CVE-2025-55182|React2ShellScanner" /var/log/nginx/access.log
```
Look for POST requests with Next-Action headers from unknown IPs (the first grep only matches if your log format records that header; nginx’s default combined format does not).
Check for outbound C2 traffic
- Monitor for unexpected connections on ports 3000–3011 and 8080.
- Review network logs for bulk outbound HTTP POST requests carrying environment data.
If you were unpatched after December 4, 2025 — even briefly — assume compromise. Proceed to credential rotation immediately.
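The log search step above only works if the Next-Action header is actually written to the access log. As an added example (not from the article), the following assumes an nginx `log_format` that appends `$http_next_action` as a final quoted field, and applies both indicators to constructed sample lines, treating Server Action POSTs from addresses you do not recognise as findings.

```javascript
// Added example, not from the article: scan nginx access-log lines for the two
// React2Shell indicators used in the triage. Assumes a log_format that appends the
// Next-Action header as the last quoted field, e.g.
//   log_format rsc '$remote_addr - $remote_user [$time_local] "$request" $status '
//                  '$body_bytes_sent "$http_referer" "$http_user_agent" "$http_next_action"';
const SCANNER_UA = /Nuclei.*CVE-2025-55182|React2ShellScanner/i;

// Parse one combined-format line plus the trailing Next-Action field; null if it does not match.
function parseAccessLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"(?: "([^"]*)")?/.exec(line);
  if (!m) return null;
  const action = m[7] && m[7] !== "-" ? m[7] : "";    // nginx logs "-" for an absent header
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], ua: m[6], nextAction: action };
}

// knownIps: addresses you expect to send Server Action POSTs (your own front-ends, health checks).
function findReact2ShellIndicators(logText, knownIps = new Set()) {
  const findings = [];
  for (const line of logText.split("\n")) {
    const r = parseAccessLine(line);
    if (!r) continue;
    if (SCANNER_UA.test(r.ua)) findings.push({ ip: r.ip, kind: "scanner-ua", detail: r.ua });
    if (r.method === "POST" && r.nextAction && !knownIps.has(r.ip))
      findings.push({ ip: r.ip, kind: "server-action-post", detail: `Next-Action=${r.nextAction} ${r.path}` });
  }
  return findings;
}

// Constructed sample lines (documentation IP ranges, not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [05/Dec/2025:10:14:02 +0000] "POST / HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Nuclei - CVE-2025-55182)" "-"',
  '198.51.100.4 - - [05/Dec/2025:10:14:09 +0000] "POST /dashboard HTTP/1.1" 200 512 "-" "curl/8.5.0" "40e6b5c3deadbeef"',
  '192.0.2.10 - - [05/Dec/2025:10:15:00 +0000] "GET /_next/static/chunk.js HTTP/1.1" 200 3211 "-" "Mozilla/5.0" "-"',
  '192.0.2.10 - - [05/Dec/2025:10:15:03 +0000] "POST /settings HTTP/1.1" 200 77 "https://app.example/settings" "Mozilla/5.0" "7f1c2ab9"',
].join("\n");
```

Run it over your real log with the IPs of your own front-ends in `knownIps`; a scanner user agent or an unexpected Server Action POST is the cue to move on to credential rotation.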
Immediate defensive actions
- Patch now:
  ```shell
  npm install next@latest
  ```
  or update to the latest patched version in your branch.
- Rotate ALL secrets: database passwords, SSH keys (regenerate — don’t just change passphrases), AWS/Azure/GCP credentials, Stripe keys, GitHub tokens, JWT signing secrets, and every value in your `.env` files.
- Enforce IMDSv2 on AWS to block IMDS credential theft:
  ```shell
  aws ec2 modify-instance-metadata-options \
    --instance-id i-YOUR_INSTANCE \
    --http-tokens required \
    --http-endpoint enabled
  ```
- Enable secret scanning in GitHub/GitLab to detect leaked credentials.
- Apply WAF rules: Cloudflare, AWS WAF, and Vercel all provide React2Shell-specific blocking rules — deploy them as defense-in-depth.
- Audit IAM activity: check AWS CloudTrail, GCP Audit Logs, and Azure Activity Logs for anomalous API calls from compromised credentials.
Sources
- Cisco Talos: UAT-10608 React2Shell Campaign
- The Hacker News: Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts
- BleepingComputer: Hackers Exploit React2Shell Flaw to Compromise 700+ Next.js Hosts
- CISA Known Exploited Vulnerabilities Catalog
- DevOps Daily: CVE-2025-55182 React2Shell Technical Analysis
Bottom line
If you run any Next.js application with the App Router in production, check your version right now. A single unauthenticated HTTP request is all it takes for an attacker to own your server and steal every credential in your environment. The 766 hosts breached in 24 hours are the ones we know about — the real number is almost certainly higher. Patch, rotate secrets, and assume breach if you were exposed.
