Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials
UAT-10608 Exploits Critical Next.js Vulnerability (CVE-2025-55182) to Hijack 766+ Hosts
TL;DR: A threat cluster identified as UAT-10608 is conducting a massive credential harvesting campaign by exploiting a CVSS 10.0 vulnerability (CVE-2025-55182) in Next.js. Using a custom framework called "NEXUS Listener," the attackers have compromised at least 766 hosts to steal SSH keys, AWS secrets, Stripe API keys, and more.
Researchers from Cisco Talos have uncovered a sophisticated, large-scale operation targeting Next.js applications. The campaign leverages a critical remote code execution (RCE) flaw to deploy an automated collection framework designed to strip compromised servers of every valuable credential and configuration file available.
The activity has been attributed to a threat cluster tracked as UAT-10608. To date, the group has successfully breached at least 766 hosts across various geographic regions and cloud providers.
Understanding the Initial Vector: CVE-2025-55182
The infection begins with the exploitation of CVE-2025-55182, also known as the React2Shell vulnerability. This flaw sits within React Server Components and the Next.js App Router.
With the maximum CVSS score of 10.0, the vulnerability allows unauthenticated remote code execution. Attackers are reportedly using automated scanning, possibly seeded from internet-wide search services such as Shodan or Censys, to find publicly reachable Next.js deployments and probe them for this specific weakness.
The NEXUS Listener Framework
Once initial access is gained, UAT-10608 deploys a dropper that installs a multi-phase harvesting script. This script is part of a framework the researchers call NEXUS Listener.
The framework is well organized: it includes a password-protected web GUI (currently version 3) in which the operators browse stolen data and summary statistics. The "NEXUS Listener" dashboard reports:
- Total number of compromised hosts.
- The count of each credential type harvested.
- Searchable databases of exfiltrated data.
- Application uptime for the C2 infrastructure.
What is Being Stolen?
The automated scripts are designed to be exhaustive. Cisco Talos found that the following data points are being exfiltrated to the attackers' Command-and-Control (C2) servers:
- Cloud & Infrastructure: AWS, Google Cloud, and Microsoft Azure temporary credentials (via Instance Metadata Service queries), Kubernetes service account tokens, and Docker container configurations.
- Access Keys: SSH private keys, authorized_keys, and GitHub and GitLab tokens.
- Financial & Service APIs: Stripe API keys; OpenAI, Anthropic, and NVIDIA NIM keys; and communication tokens for SendGrid, Brevo, and Telegram.
- System Intelligence: Shell command history, environment variables (JSON-parsed), running processes, and database connection strings.
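The artifacts listed above are also what a defender can watch for: a Next.js server process has no business spawning a shell that queries the cloud metadata endpoint or reads SSH keys, .env files, shell history or Kubernetes service account tokens. The following detection logic is an added example and is not code from the Talos report or from the NEXUS Listener framework. It assumes a process-execution feed (auditd, an EDR agent, or similar) rendered as one JSON object per line with the fields "host", "ts", "parent" (parent process name) and "cmd" (full command line); the field names, the assumed server process names and the sample events are all constructed for the example.

```python
"""Host-side detection of credential harvesting spawned from a Next.js server.

Added example, not code from the Talos report or the NEXUS Listener framework.
Event format, parent-process names and sample events are constructed.
"""
import json
import re
from dataclasses import dataclass

# Assumption: the Next.js server runs as "node" or as the renamed
# "next-server" process; a shell child of either reading the artifacts
# matched below is the harvesting behaviour the article describes.
SERVER_PARENTS = {"node", "next-server"}

# One regex per artifact class the article lists as harvested.
INDICATORS = {
    "imds": re.compile(r"169\.254\.169\.254|metadata\.google\.internal"),
    "ssh_keys": re.compile(r"\.ssh/(?:id_[a-z0-9]+|authorized_keys)"),
    "env": re.compile(r"""(?:^|[\s;&|"'])env\b|(?:^|[\s/])\.env\b|/proc/\S+/environ"""),
    "shell_history": re.compile(r"\.(?:bash|zsh|sh)_history"),
    "k8s_token": re.compile(r"/var/run/secrets/kubernetes\.io/serviceaccount"),
    "docker_config": re.compile(r"\.docker/config\.json"),
}

# Constructed sample feed: one process-exec event per line. These are not
# real logs from the campaign; web-02's events are benign noise.
SAMPLE_EVENTS = r"""
{"ts": 1, "host": "web-01", "parent": "node", "cmd": "sh -c \"curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/\""}
{"ts": 2, "host": "web-01", "parent": "node", "cmd": "cat /root/.ssh/id_rsa /root/.ssh/authorized_keys"}
{"ts": 3, "host": "web-01", "parent": "node", "cmd": "sh -c \"env; cat /app/.env\""}
{"ts": 4, "host": "web-01", "parent": "node", "cmd": "cat /root/.bash_history"}
{"ts": 5, "host": "web-01", "parent": "node", "cmd": "cat /var/run/secrets/kubernetes.io/serviceaccount/token"}
{"ts": 6, "host": "web-02", "parent": "bash", "cmd": "cat /home/dev/.ssh/id_ed25519"}
{"ts": 7, "host": "web-02", "parent": "node", "cmd": "node /app/server.js"}
{"ts": 8, "host": "web-02", "parent": "node", "cmd": "sh -c \"npm run build\""}
"""


@dataclass(frozen=True)
class Finding:
    host: str
    ts: int
    categories: frozenset
    cmd: str


def parse_events(text):
    """Parse the newline-delimited JSON feed into event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(cmd):
    """Return the set of artifact classes a command line touches."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmd)}


def detect(events):
    """Flag only commands whose parent is the web server process.

    An operator reading their own SSH key from an interactive bash session
    (event 6) is not flagged; the same read from a node child is.
    """
    findings = []
    for ev in events:
        if ev.get("parent") not in SERVER_PARENTS:
            continue
        cats = classify(ev.get("cmd", ""))
        if cats:
            findings.append(Finding(ev["host"], ev["ts"], frozenset(cats), ev["cmd"]))
    return findings


def summarize(findings, threshold=3):
    """Hosts where the server process touched at least `threshold` distinct
    artifact classes: a single hit may be a false positive, a spread across
    IMDS, SSH keys and env files looks like an automated harvester."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).update(f.categories)
    return {h: sorted(c) for h, c in per_host.items() if len(c) >= threshold}


if __name__ == "__main__":
    hits = detect(parse_events(SAMPLE_EVENTS))
    for f in hits:
        print(f"{f.host} ts={f.ts} {sorted(f.categories)}: {f.cmd}")
    print("likely harvesting:", summarize(hits))
```

Run against the constructed feed, the five node-spawned reads on web-01 are flagged and the host crosses the three-category threshold, while web-02's operator activity and build commands produce nothing. In production the parent check should use the process tree from your agent rather than a name match, since an attacker can rename or re-parent the harvester once it is running.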
The Broader Impact
Beyond the immediate threat of stolen API keys, the aggregate data provides UAT-10608 with a "detailed map" of victim organizations.
"This intelligence has significant value for crafting targeted follow-on attacks, social engineering campaigns, or selling access to other threat actors," noted researchers Asheer Malhotra and Brandon White. By understanding a company's cloud provider, third-party integrations, and network configurations, attackers can move laterally or escalate privileges with high precision.
Mitigation and Defense
Given the automated nature of these attacks and the critical severity of the React2Shell vulnerability, organizations using Next.js are urged to take immediate action:
- Patch Immediately: Ensure Next.js deployments are updated to versions that remediate CVE-2025-55182.
- Enforce Least Privilege: Limit the permissions associated with service accounts and API keys.
- Secure Metadata Services: Require IMDSv2 (session-token) access and set the metadata response hop limit to 1 on EC2 instances so that SSRF and containerized workloads cannot reach the endpoint. Note that IMDSv2 does not stop a process that already has code execution on the host from requesting a token and reading the instance role's credentials, which is the situation here; pair it with a minimally scoped instance role and alerting on use of those credentials from unexpected sources.
- Credential Hygiene: Rotate SSH key pairs and any secrets (Stripe, GitHub, etc.) if a compromise is suspected or if a vulnerable version of Next.js was publicly exposed.
- Scan for Secrets: Enable automated secret scanning to find credentials that have been committed to code or left in plaintext on the application host (.env files, shell history, container and cloud CLI configuration), since anything readable by the web server process should be treated as exposed once the host has been compromised.
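A concrete way to carry out the credential hygiene and secret scanning items above is to scan the files the harvester would have read, classify what is in them by credential type, and use the result as the rotation list. The scanner below is an added example, not the Talos team's tooling; it matches the credential families the article says are being harvested using publicly documented token prefixes (AWS AKIA access key IDs, Stripe sk_live_/sk_test_ keys, GitHub ghp_-style tokens, GitLab glpat- tokens, OpenAI and Anthropic sk- keys, SendGrid SG. keys, Telegram bot tokens, PEM private keys and database URLs with embedded passwords). The pattern set, the preview format and the sample .env are constructed for the example, and every value in the sample is fake or a published documentation placeholder.

```python
"""Secret scanner for application hosts and repositories.

Added example, not the Talos team's tooling. Patterns use publicly
documented credential prefixes; the sample .env and all values in it are
constructed (fake or documentation placeholders).
"""
import re
from collections import Counter

# Prefix-based formats first; the last two are deliberately loose and will
# need tuning for your environment (false positives on generic base64 data).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"""(?i)aws_secret_access_key\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})"""),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "gitlab_token": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}"),
    "openai_or_anthropic_key": re.compile(r"\bsk-(?:ant-)?[A-Za-z0-9_-]{20,}"),
    "sendgrid_api_key": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@"),
}

# Constructed sample .env. The AWS and Stripe values are the placeholders
# from their vendors' documentation; the rest are made up.
SAMPLE_ENV = """\
# constructed sample .env; every value below is fake or a published doc example
NODE_ENV=production
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_SECRET_KEY=sk_test_4eC39HqLyjWDarjtT1zdp7dc
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
TELEGRAM_BOT_TOKEN=123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
DEPLOY_KEY="-----BEGIN OPENSSH PRIVATE KEY-----"
"""


def scan_text(text):
    """Return one finding per matched credential: line number, category and a
    short preview. The full value is never returned, so the scanner's own
    output does not become another copy of the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex or 0)
                findings.append({
                    "line": lineno,
                    "category": category,
                    "preview": value[:6] + "...",
                })
    return findings


def rotation_plan(findings):
    """Count of secrets to rotate per credential type, i.e. the work list for
    the 'Credential Hygiene' step after a suspected compromise."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    hits = scan_text(SAMPLE_ENV)
    for f in hits:
        print(f"line {f['line']:>3}  {f['category']:<24} {f['preview']}")
    print("rotate:", rotation_plan(hits))
```

Point it at the files the article says are harvested (.env, ~/.bash_history, ~/.docker/config.json, ~/.aws/credentials, application config) on any host that ran an exposed Next.js version, and rotate everything it reports rather than trying to decide which secrets the attacker actually took.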
Source: The Hacker News - Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials