A sophisticated threat actor has compromised at least 766 systems through automated exploitation of the React2Shell vulnerability, harvesting over 10,000 sensitive files containing cloud credentials, API tokens and payment processor keys. The campaign shows how a single critical flaw in a widely deployed web framework, paired with automated scanning, enables systematic credential theft at scale.
React2Shell (CVE-2025-55182) is a critical vulnerability in React Server Components, the rendering layer used by Next.js applications, rated at the maximum CVSS score of 10.0. It allows an unauthenticated remote attacker to execute arbitrary code on the server by sending crafted requests to a network-reachable application endpoint, with no credentials and no user interaction required.
Key Facts:
- UAT-10608 compromised 766 systems using automated React2Shell exploitation
- Over 10,000 files harvested containing AWS credentials, SSH keys, and API tokens
- NEXUS Listener framework deployed for persistent credential collection
- CVE-2025-55182 carries maximum CVSS score of 10.0 for remote code execution
According to reporting from Security Week, the threat actor UAT-10608 deployed the NEXUS Listener framework to systematically harvest credentials from compromised systems. The collected data included AWS access keys, SSH private keys, API tokens from OpenAI and Anthropic, and payment processor credentials including Stripe authentication tokens.
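To turn that list of harvested material into a rotation plan after a suspected compromise, the following added example (written for this page; it is not code from the cited reporting or from the threat actor's tooling) walks a directory for the credential classes named above and reports what to rotate first. The file layout and key values are constructed for the demonstration. The AWS access-key and Stripe prefixes follow those vendors' documented formats; the OpenAI and Anthropic patterns are prefix heuristics and should be treated as assumptions.

```python
"""Credential exposure triage for a host suspected of React2Shell compromise.

Added example written for this page; it is not code from the cited reporting
or from the attacker's tooling. Given a directory, it reports files holding the
credential classes the article names so they can be rotated in priority order.
The sample files below are constructed for the demonstration.
"""
import os
import re
import tempfile
from collections import Counter

# AWS access key IDs (AKIA long-term, ASIA temporary) and Stripe secret keys
# follow documented vendor formats. The OpenAI and Anthropic patterns are
# prefix heuristics (an assumption), so treat a hit as "rotate and verify".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "anthropic_api_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai_api_key": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"),
}

# Infrastructure keys outrank SaaS tokens: an AWS key or SSH key lets the
# attacker move beyond the web host, an API token mostly runs up a bill.
ROTATION_PRIORITY = {
    "aws_access_key_id": 1,
    "ssh_private_key": 1,
    "stripe_secret_key": 2,
    "anthropic_api_key": 3,
    "openai_api_key": 3,
}


def redact(kind, match):
    """Never echo key material into a ticket or log; a prefix is enough."""
    if kind == "ssh_private_key":
        return match  # only the PEM header was matched, not the key body
    return match[:8] + "..."


def scan_file(path, max_bytes=1_000_000):
    """Return [(kind, redacted_match)] for one file; binaries are skipped."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return []
    if b"\x00" in data:
        return []
    text = data.decode("utf-8", errors="ignore")
    return [(kind, redact(kind, m.group(0)))
            for kind, rx in PATTERNS.items() for m in rx.finditer(text)]


def scan_tree(root):
    """Walk root and return findings sorted by rotation priority, then path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            for kind, sample in scan_file(full):
                findings.append({
                    "path": os.path.relpath(full, root).replace(os.sep, "/"),
                    "kind": kind,
                    "sample": sample,
                    "priority": ROTATION_PRIORITY[kind],
                })
    findings.sort(key=lambda f: (f["priority"], f["path"], f["kind"]))
    return findings


def summarize(findings):
    """Count findings per credential class."""
    return dict(Counter(f["kind"] for f in findings))


def build_demo_tree():
    """Constructed home directory mimicking what the article says was taken."""
    root = tempfile.mkdtemp(prefix="exposure-demo-")
    samples = {
        ".aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                           "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB\n"
                           "-----END OPENSSH PRIVATE KEY-----\n",
        "app/.env": "STRIPE_SECRET_KEY=sk_test_4eC39HqLyjWDarjtT1zdp7dc\n"
                    "OPENAI_API_KEY=sk-proj-abcdefghijklmnopqrstuvwxyz0123\n"
                    "ANTHROPIC_API_KEY=sk-ant-api03-abcdefghijklmnopqrstuvwxyz0123\n",
        "README.md": "Internal shop frontend. No secrets live here.\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f"P{f['priority']} {f['kind']:<18} {f['path']:<20} {f['sample']}")
```

Run it against the home directory of the service account the web application ran as, and against any build or deploy directories it could read; everything it lists is what an attacker with code execution on that host could have read too, and should be rotated regardless of whether exfiltration was confirmed.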
How Automated Scanning Enables Mass Compromise
The campaign's success relied on automated scanning to identify internet-exposed Next.js applications. Once a vulnerable host was found, the attackers exploited CVE-2025-55182 to gain immediate code execution on it; because the flaw sits in request handling before any application authentication is applied, no login or session was needed. The NEXUS Listener framework was then deployed to provide persistent access for ongoing credential harvesting.
This approach mirrors recent supply chain attacks that have compromised hundreds of thousands of systems, and highlights how automated exploitation tooling lets threat actors operate at industrial scale. The NCSC has consistently warned that automated scanning represents a fundamental shift in threat actor capability, from targeted attacks to mass compromise operations.
Why Traditional Security Controls Failed
React2Shell is exploitable before any application authentication takes place, and over the same HTTPS path the application must expose to serve its users. Perimeter controls that admit web traffic therefore do not stop it, and a WAF signature is at best a stopgap until the framework itself is patched. Unlike social engineering attacks that require user interaction, CVE-2025-55182 enables direct server compromise through network-accessible application interfaces.
The 10.0 CVSS score reflects a network-reachable flaw with low attack complexity, no privileges and no user interaction required, and full impact on confidentiality, integrity and availability. ISO 27001 requires organisations to maintain a vulnerability management process, but the automated nature of this campaign compressed the time available for detection and response from days to hours, well inside a typical monthly patch cycle.
Boardroom Questions
- How quickly can our IT team identify and patch Next.js applications following critical vulnerability disclosures?
- What monitoring capabilities do we have for detecting unauthorised credential access and exfiltration?
- Are our cloud service credentials subject to regular rotation and access review processes?
Quick Diagnostic
- Do you maintain an inventory of all Next.js applications in your technology estate?
- Are your AWS and cloud service credentials monitored for unauthorised usage?
- Can your security team detect and respond to automated vulnerability scanning within 24 hours?
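The first diagnostic question, an inventory of Next.js applications, is the one most estates cannot answer from memory. The following added example (written for this page; it is not code from the article or from the Next.js project) walks a source tree for package.json files that declare a next dependency, prefers the resolved version from package-lock.json, notes whether the app uses the App Router directory layout where React Server Components run, and flags apps below a minimum version. The minimum versions in DEMO_MINIMUMS are placeholders for the demonstration only and must be replaced with the fixed versions from the vendor advisory for CVE-2025-55182; the sample monorepo is constructed inline.

```python
"""Inventory Next.js applications in a source tree and flag those below a
minimum patched version.

Added example written for this page, not code from the article or from the
Next.js project. It reads each package.json for a declared `next` dependency
and prefers the resolved version from package-lock.json. The minimum versions
in DEMO_MINIMUMS are placeholders for the demonstration only: take the real
fixed versions from the vendor advisory for CVE-2025-55182. The sample tree is
constructed inline.
"""
import json
import os
import re
import tempfile

PACKAGES = ("next", "react")  # extend with other packages the advisory lists
DEMO_MINIMUMS = {"next": (15, 5, 0), "react": (19, 1, 0)}  # PLACEHOLDERS only

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(spec):
    """'^15.0.0' or '15.0.0' -> (15, 0, 0); None when no x.y.z is present."""
    m = _VERSION.search(spec or "")
    return tuple(int(x) for x in m.groups()) if m else None


def resolved_versions(lock):
    """Resolved versions from lockfile v2/v3 ('packages') or v1 ('dependencies')."""
    out = {}
    for pkg in PACKAGES:
        entry = (lock.get("packages", {}).get("node_modules/" + pkg)
                 or lock.get("dependencies", {}).get(pkg))
        if entry and "version" in entry:
            out[pkg] = entry["version"]
    return out


def _load_json(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def find_apps(root, minimums):
    """Return one record per Next.js app under root, sorted by path."""
    apps = []
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d != "node_modules"]  # skip vendored trees
        if "package.json" not in files:
            continue
        pkg = _load_json(os.path.join(dirpath, "package.json"))
        deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
        if "next" not in deps:
            continue
        lock_path = os.path.join(dirpath, "package-lock.json")
        resolved = resolved_versions(_load_json(lock_path)) if os.path.exists(lock_path) else {}
        record = {
            "path": os.path.relpath(dirpath, root).replace(os.sep, "/"),
            "versions": {},
            "from_lockfile": bool(resolved),
            # App Router (app/ or src/app) is where React Server Components run
            "app_router": any(os.path.isdir(os.path.join(dirpath, *p))
                              for p in (("app",), ("src", "app"))),
            "needs_update": [],
        }
        for pkg_name in PACKAGES:
            spec = resolved.get(pkg_name) or deps.get(pkg_name)
            record["versions"][pkg_name] = spec
            parsed = parse_version(spec)
            # A declared range like ^15.0.0 only gives a lower bound, so an app
            # without a lockfile is judged on that bound; unknown means flag it.
            if parsed is None or parsed < minimums[pkg_name]:
                record["needs_update"].append(pkg_name)
        apps.append(record)
    apps.sort(key=lambda a: a["path"])
    return apps


def build_demo_tree():
    """Constructed monorepo: one stale app, one patched app, one non-Next service."""
    root = tempfile.mkdtemp(prefix="nextjs-inventory-")
    files = {
        "shop/package.json": {"dependencies": {"next": "^15.0.0", "react": "^19.0.0"}},
        "shop/package-lock.json": {"lockfileVersion": 3, "packages": {
            "node_modules/next": {"version": "15.0.0"},
            "node_modules/react": {"version": "19.0.0"}}},
        "shop/app/page.tsx": None,
        "docs/package.json": {"dependencies": {"next": "^16.1.0", "react": "^19.2.0"}},
        "docs/package-lock.json": {"lockfileVersion": 1, "dependencies": {
            "next": {"version": "16.1.0"}, "react": {"version": "19.2.2"}}},
        "legacy-api/package.json": {"dependencies": {"express": "^4.18.0"}},
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write("" if content is None else json.dumps(content))
    return root


if __name__ == "__main__":
    for app in find_apps(build_demo_tree(), DEMO_MINIMUMS):
        flag = "UPDATE " + ",".join(app["needs_update"]) if app["needs_update"] else "ok"
        print(f"{app['path']:<12} {app['versions']}  app_router={app['app_router']}  {flag}")
```

Source trees only tell you what was built, not what is running; pair this with the versions reported by the deployed containers or hosts, since a patched repository with a stale deployment is exactly the gap an automated scanner finds first.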