CVE-2025-55182 - Hackers Breach 766 Next.js Hosts

Basically, hackers found a way to steal passwords and secrets from many websites using a serious flaw in their code.
Hackers have exploited a critical vulnerability in Next.js, breaching 766 hosts and stealing sensitive credentials. Organizations must take swift action to mitigate risks and secure their systems.
What Happened
A significant credential harvesting operation has emerged, exploiting the React2Shell vulnerability (CVE-2025-55182) to breach 766 Next.js hosts. This operation has been attributed to a threat cluster known as UAT-10608 by Cisco Talos. The attackers are using automated scripts to extract sensitive information, including database credentials, SSH private keys, AWS secrets, and more.
The Flaw
CVE-2025-55182 is a critical vulnerability with a CVSS score of 10.0. It affects React Server Components and the Next.js App Router, allowing remote code execution. This flaw serves as the initial access point for attackers, enabling them to deploy a collection framework named NEXUS Listener.
What's at Risk
The compromised hosts span multiple geographic regions and cloud providers. The attackers harvest a wide variety of sensitive data, such as:
- Environment variables
- SSH private keys
- API keys (including Stripe and GitHub tokens)
- Kubernetes service account tokens
- Docker configurations
This extensive data gathering poses a significant risk to organizations, as it provides a detailed map of their infrastructure.
Tactics & Techniques
The attackers utilize automated scanning tools to identify vulnerable Next.js deployments. Once access is gained, they deploy a multi-phase harvesting script to collect various details from the compromised systems. The NEXUS Listener GUI allows operators to view and analyze the stolen information, including statistics on the number of hosts compromised and types of credentials extracted.
Defensive Measures
Organizations are urged to take immediate action to protect themselves:
- Audit your environments to enforce the principle of least privilege.
- Enable secret scanning to detect exposed credentials.
- Avoid reusing SSH key pairs and implement IMDSv2 enforcement on AWS EC2 instances.
- Rotate credentials if a compromise is suspected.
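As an added illustration of the secret-scanning step above (example code written for this article, not tooling from the report or from Cisco Talos), the following Python scanner checks files such as a Next.js `.env` or a key file for the credential types the campaign harvested, AWS keys, GitHub and Stripe tokens and SSH private keys, and redacts what it reports. The token prefixes and lengths are the commonly documented formats and are an assumption of this example; every sample value is constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
# Token shapes checked. The prefixes and lengths are the commonly documented
# formats for each provider; this example assumes them and is not exhaustive.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"AWS_SECRET_ACCESS_KEY\s*=\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
    "ssh_private_key": re.compile(
        r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
}
Finding = Tuple[str, int, str, str]  # (source, line number, type, redacted value)

def redact(value: str) -> str:
    """Keep only enough of a match to triage it without re-exposing the secret."""
    return value[:6] + "..." + value[-2:] if len(value) > 10 else "*" * len(value)

def scan_text(text: str, source: str) -> List[Finding]:
    """Scan one file's contents line by line and report every pattern hit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                # Report the capture group (the value) where the pattern has one.
                findings.append((source, lineno, name, redact(m.group(m.lastindex or 0))))
    return findings

def count_by_type(findings: List[Finding]) -> Dict[str, int]:
    """Per-type totals, the fleet-wide view a defender wants after a breach."""
    return dict(Counter(f[2] for f in findings))

# Constructed sample inputs; every value below is fabricated for this example.
SAMPLE_ENV = "\n".join([
    "DATABASE_URL=postgres://app:example@db.internal:5432/app",
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLE1234567AB",
    "AWS_SECRET_ACCESS_KEY=ExAmPlEsEcReTkEy0123456789abcdefghijklmn",
    "GITHUB_TOKEN=ghp_" + "a" * 36,
    "STRIPE_SECRET=sk_live_0123456789abcdefghijklmnop",
    "NEXT_PUBLIC_API_BASE=https://api.example.test",
])
SAMPLE_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----\n<key material>\n-----END OPENSSH PRIVATE KEY-----"
if __name__ == "__main__":
    results = scan_text(SAMPLE_ENV, ".env") + scan_text(SAMPLE_KEY, "id_ed25519")
    for src, lineno, kind, shown in results:
        print(f"{src}:{lineno}: {kind}: {shown}")
    print(count_by_type(results))
```

Run it over a checkout or a host's deployment directory before exposure, and again after rotating credentials to confirm the old values are gone.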
The aggregate dataset from this breach not only represents immediate operational value but also provides intelligence for potential follow-on attacks. This emphasizes the importance of robust security measures to safeguard sensitive information and infrastructure.