Threat Intel · HIGH

React2Shell - Researchers Expose Hackers’ Dashboard

CSCSO Online
Tags: React2Shell, CVE-2025-55182, Cisco Talos, UAT-10608, credential harvesting

Basically, hackers accidentally exposed their dashboard, revealing stolen data from vulnerable servers.

Quick Summary

Researchers uncovered a dashboard used by hackers exploiting the React2Shell vulnerability. Unpatched servers are at risk, with sensitive credentials being harvested. Immediate action is crucial to prevent data breaches.

What Happened

An apparent security lapse has allowed researchers from Cisco Systems’ Talos threat intelligence team to view the operations of a threat group exploiting the React2Shell vulnerability. This vulnerability affects unpatched servers and enables attackers to steal sensitive data, including login credentials, keys, and tokens, at scale. The researchers discovered that the data harvested by this group, referred to as UAT-10608, was stored in a password-protected database behind a web application that was briefly exposed.

Who's Affected

The attack primarily targets Next.js applications vulnerable to CVE-2025-55182, a pre-authentication remote code execution vulnerability. A significant number of organizations using cloud services like AWS, Microsoft Azure, GitHub, and Stripe are at risk. In just 24 hours, the attackers successfully compromised 766 hosts, highlighting the widespread impact of this campaign.

What Data Was Exposed

The exposed dashboard allowed researchers to browse through compromised hosts and view various types of exfiltrated data. This includes:

  • Usernames and passwords
  • SSH keys
  • Cloud tokens
  • Environment secrets

The breadth of data harvested underscores the potential for severe damage if these credentials are misused.

What You Should Do

Organizations with unpatched React servers must act quickly to mitigate risks. Here are some recommended actions:

  • Patch Vulnerabilities: Ensure that all systems are updated to address the React2Shell vulnerability.
  • Monitor for Compromised Credentials: Regularly check for any unauthorized access or suspicious activity linked to your accounts.
  • Educate Employees: Inform staff about the risks associated with credential harvesting and the importance of using strong, unique passwords.
  • Implement Multi-Factor Authentication (MFA): This adds an additional layer of security, making it harder for attackers to use stolen credentials.

The Threat

The React2Shell vulnerability has become a prime target for cybercriminals. The attackers exploit this flaw using automated tools, allowing them to scan for and compromise systems rapidly. The campaign is characterized by its indiscriminate targeting, which is likely based on data from services like Shodan and Censys.

Tactics & Techniques

The attackers deploy a multi-phase credential harvesting tool that collects sensitive data from compromised systems. Initially, they send a malicious serialized payload to a server, which, upon deserialization, executes arbitrary code. This leads to the deployment of a harvesting script that systematically extracts data and uploads it to a command and control server.

Defensive Measures

To protect against such attacks, organizations must prioritize patch management and regularly review their security protocols. Continuous monitoring and quick response to vulnerabilities are essential to prevent exploitation. The rapid pace at which attackers can compromise systems emphasizes the need for a proactive security stance.

🔒 Pro insight: The rapid exploitation of React2Shell highlights the critical need for timely patch management to prevent credential harvesting campaigns.

Original article from CSCSO Online.
