Mass Credential Theft Campaign Exploits Next.js CVE-2025-55182 Across 766 Hosts
Summary
Threat cluster UAT-10608 is conducting a large-scale credential harvesting operation exploiting CVE-2025-55182 (React2Shell) in Next.js applications, compromising at least 766 hosts. Stolen data includes database credentials, SSH private keys, AWS secrets, and GitHub tokens. The campaign uses automated tooling called NEXUS Listener to manage exfiltrated data.
Threat Analysis
CVE-2025-55182, dubbed "React2Shell," is a critical remote code execution vulnerability in Next.js applications that threat cluster UAT-10608 has weaponized in a large-scale credential harvesting campaign. The attackers have compromised at least 766 publicly reachable Next.js deployments, which were likely identified through internet scanning services such as Shodan or Censys. Stolen data includes database credentials, SSH private keys, AWS access secrets, shell command history, Stripe API keys, and GitHub tokens. The threat actors use automated scripts and a web-based GUI called NEXUS Listener to manage and organize the stolen data. CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog. Organizations running Next.js applications should immediately audit their deployments for signs of compromise, rotate every credential the application could have exposed (database, SSH, AWS, Stripe, and GitHub), and apply the available patches. Indicators of compromise include unusual outbound connections from the application hosts and unauthorized access to cloud resources.