Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

Cahyo Dewo, April 3, 2026

The Proliferation of a Critical Vulnerability: CVE-2025-55182

Central to this extensive credential harvesting campaign is the exploitation of CVE-2025-55182, a severe vulnerability that carries the maximum CVSS score of 10.0. The flaw resides in React Server Components and the Next.js App Router, components integral to modern web application development that enable server-side rendering and improved performance. The vulnerability, dubbed "React2Shell," allows remote code execution (RCE), a vulnerability class in which an attacker can run arbitrary commands on the target system. RCE is considered among the most dangerous vulnerability classes because it grants an adversary full control over the compromised server, bypassing typical security controls and enabling deep penetration into an organization’s infrastructure.

Next.js, built on the React framework, has become an increasingly popular choice for developers due to its capabilities in building performant and scalable web applications. Its widespread adoption across various industries, from e-commerce to enterprise solutions, makes any fundamental vulnerability in its core components a high-priority concern for cybersecurity professionals. The appeal of Next.js to developers lies in its features such as server-side rendering, static site generation, and API routes, which streamline development processes. However, this popularity also makes it an attractive target for threat actors, as a single exploit can potentially grant access to a vast number of diverse organizations. The timeline of CVE-2025-55182’s discovery and patching, while not explicitly detailed in the report, is inferred to be recent, underscoring the rapid transition from vulnerability identification to active, large-scale exploitation by sophisticated threat groups.

UAT-10608: Architecting Automated Data Exfiltration

Cisco Talos has designated the threat actors behind this operation as UAT-10608, a cluster indicative of an "Uncleared Activity Group" that has demonstrated advanced capabilities in orchestrating automated attacks. The sheer scale of the operation, impacting at least 766 hosts across diverse geographic regions and multiple cloud providers, points to a highly automated and indiscriminate targeting strategy. Researchers Asheer Malhotra and Brandon White from Talos highlighted in their report, shared with The Hacker News, that "Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, that are then posted to its command-and-control (C2)." This level of automation allows the threat actors to rapidly compromise systems and harvest data without extensive manual intervention, maximizing their operational efficiency and reach.

The initial access phase of the campaign relies on broad scanning techniques, likely employing publicly available services such as Shodan and Censys, or custom-built scanners, to identify publicly exposed Next.js deployments. These tools allow threat actors to systematically search the internet for specific software versions, open ports, and configurations that might indicate susceptibility to known vulnerabilities like CVE-2025-55182. Once a vulnerable instance is identified, a dropper mechanism is deployed. This dropper then initiates a multi-phase harvesting script designed to systematically collect a wide array of sensitive information from the compromised system. The types of data targeted underscore the comprehensive nature of UAT-10608’s objectives, aiming to gather credentials that could facilitate further access, lateral movement, and financial exploitation.

The harvested data includes, but is not limited to:

  • Database Credentials: Access to critical backend systems containing sensitive user data, financial records, and proprietary information.
  • SSH Private Keys: Enabling secure shell access to servers, granting direct administrative control over compromised systems.
  • Amazon Web Services (AWS) Secrets: Providing pathways to cloud infrastructure, allowing for resource manipulation, data exfiltration from S3 buckets, or the provisioning of new malicious instances.
  • Shell Command History: Revealing system configurations, sensitive commands executed by legitimate users, and potential pathways for further exploitation.
  • Stripe API Keys: Granting access to payment processing functionalities, enabling financial fraud or unauthorized transactions.
  • GitHub Tokens: Providing access to source code repositories, intellectual property, and potentially allowing for code injection or supply chain attacks.
  • API Keys for AI Platforms (OpenAI, Anthropic, NVIDIA NIM): Allowing access to powerful AI models, potentially for abuse, data exfiltration from training datasets, or resource consumption for illicit activities.
  • Communication Services (SendGrid, Brevo): Enabling the sending of emails, which could be abused for phishing campaigns or spam.
  • Telegram Bot Tokens and Webhook Secrets: Providing control over communication channels, potentially for command and control of other compromised systems or social engineering.
  • General Application Secrets and Connection Strings: Broad access to various other services and internal application functions.
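The credential types listed above are also the ones a defender should be hunting for in their own repositories and configuration files (the "secret scanning" recommendation later in this article). The following is an added example, not code from the article or from Talos: a small pattern-based scanner whose prefixes (AKIA, sk_live_, ghp_, sk-, Telegram's digits:token shape, PEM private-key headers, connection strings with embedded passwords) follow the publicly documented key formats, run over a constructed sample .env file.

```python
import re
from typing import Dict, List, Tuple

# Formats for the credential types the campaign harvests. The prefixes (AKIA,
# sk_live_, ghp_, sk-, <digits>:<token>) are the publicly documented shapes of
# these keys; extend the table for your own stack.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s]+:[^@\s]+@", re.I),
}

# Constructed sample .env (not captured data): fake values of the right shape.
SAMPLE_ENV = """\
DATABASE_URL=postgres://app:s3cret@db.internal:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
STRIPE_SECRET_KEY=sk_live_EXAMPLEKEY0123456789abcdefgh
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
OPENAI_API_KEY=sk-EXAMPLE0123456789EXAMPLE0123
TELEGRAM_BOT_TOKEN=123456789:AAEXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE01
NEXT_PUBLIC_SITE_NAME=example
"""

def redact(secret: str) -> str:
    """Keep a short prefix/suffix so the report never re-exposes the secret."""
    return "*" * len(secret) if len(secret) <= 8 else f"{secret[:4]}...{secret[-4:]}"

def scan_text(text: str) -> List[Tuple[str, int, str]]:
    """Return (secret_type, line_number, redacted_match) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((kind, lineno, redact(match.group(0))))
    return findings

def summarize(findings: List[Tuple[str, int, str]]) -> Dict[str, int]:
    """Count hits per credential type: what needs rotating, and how much of it."""
    counts: Dict[str, int] = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    for kind, lineno, shown in scan_text(SAMPLE_ENV):
        print(f"line {lineno}: {kind} -> {shown}")
```

Any hit in a committed file should be treated as compromised and rotated, not merely deleted from the repository, since the value remains in history.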

NEXUS Listener: The Nerve Center of Exploitation

A critical component of UAT-10608’s infrastructure is its command-and-control (C2) server, which hosts a sophisticated web-based graphical user interface (GUI) dubbed "NEXUS Listener." This interface serves as the central hub for the threat actors to manage and exploit the vast quantities of stolen data. The NEXUS Listener is designed for efficiency, allowing operators to view stolen information, gain analytical insights, and review precompiled statistics on the number of credentials harvested and hosts compromised.

Talos researchers noted that the NEXUS Listener application features search capabilities, enabling operators to sift through the extensive dataset of stolen information with ease. It provides comprehensive statistics, including a detailed breakdown of the number of compromised hosts and the total count of each specific credential type successfully extracted. Furthermore, the GUI even lists the uptime of the application itself, offering insights into the operational stability of the threat group’s infrastructure. The current version observed by Talos is V3, a significant detail that suggests the tool has undergone multiple development iterations, indicating a mature and continuously refined operational framework. The fact that Talos was able to obtain data from an unauthenticated NEXUS Listener instance highlights a potential operational security lapse by UAT-10608, offering a rare glimpse into the inner workings of their campaign. This inadvertent exposure allowed researchers to confirm the breadth and depth of the data being collected, underscoring the value of even minor misconfigurations in revealing critical threat intelligence.

Widespread Impact Across Cloud Providers and Geographic Regions

The indiscriminate targeting pattern observed, coupled with the compromise of hosts spanning "multiple geographic regions and cloud providers," signifies the pervasive nature of this campaign. Organizations leveraging public cloud platforms like AWS, Google Cloud, and Azure are particularly vulnerable if their Next.js applications are not adequately secured and patched. Cloud environments, while offering immense scalability and flexibility, also present unique security challenges, especially when vulnerabilities like RCE can grant an attacker a foothold. Compromise within a cloud provider can lead to a supply chain risk, where an attacker might pivot from one compromised instance to other connected services or even other tenants within the same cloud environment, depending on the level of isolation and security practices in place.

The victims of this operation likely encompass a wide array of sectors, from technology startups and e-commerce platforms to financial services and educational institutions, given the broad adoption of Next.js. The theft of AWS secrets, for instance, can lead to the hijacking of cloud resources, data breaches from cloud storage, or the deployment of cryptocurrency miners, incurring significant costs for the victim organization. Stripe API keys represent a direct financial threat, allowing attackers to manipulate payment systems or initiate fraudulent transactions. GitHub tokens expose sensitive intellectual property and proprietary code, potentially leading to competitive disadvantages or further supply chain attacks if malicious code is injected into widely used repositories.

The Broader Implications: A Blueprint for Future Attacks

The aggregation of such a diverse and extensive dataset of credentials transcends the immediate operational value of individual secrets. As the Talos researchers aptly put it, "Beyond the immediate operational value of individual credentials, the aggregate dataset represents a detailed map of the victim organizations’ infrastructure: what services they run, how they’re configured, what cloud providers they use, and what third-party integrations are in place." This comprehensive intelligence provides UAT-10608, or any entity to whom they might sell this access, a powerful blueprint for crafting highly targeted follow-on attacks, sophisticated social engineering campaigns, or even facilitating the sale of privileged access to other malicious actors on underground forums.

The compromise of API keys for leading AI platforms like OpenAI, Anthropic, and NVIDIA NIM opens up new avenues for exploitation. Attackers could potentially abuse these keys to consume vast computational resources, leading to exorbitant bills for victim organizations, or manipulate AI models, inject biased data, or extract sensitive information used in model training. The detailed understanding of an organization’s technological stack, third-party integrations, and cloud footprint empowers threat actors to tailor their next steps with precision, making future defensive efforts significantly more challenging. This multi-layered impact underscores the severity of credential harvesting operations, which often serve as the foundational step for more destructive and complex cyberattacks.

Mitigation and Proactive Defensive Strategies

In light of this pervasive threat, organizations must adopt a proactive and multi-faceted approach to cybersecurity. Cisco Talos has provided critical recommendations to mitigate the risks associated with operations like UAT-10608:

  1. Prompt Patching and Vulnerability Management: Immediately apply patches and updates for known vulnerabilities, especially those with critical CVSS scores like CVE-2025-55182. Establish a robust vulnerability management program that includes regular scanning and penetration testing of all internet-facing assets.
  2. Enforce Principle of Least Privilege: Limit user and application access to only the resources absolutely necessary for their function. This minimizes the potential damage if an account or system is compromised.
  3. Enable Secret Scanning: Implement automated tools and processes to scan code repositories, configuration files, and cloud environments for hardcoded credentials and exposed secrets. Tools like GitHub’s secret scanning or dedicated third-party solutions are crucial.
  4. Avoid SSH Key Reuse: Each SSH key pair should be unique to a specific system or purpose. Reusing keys creates a single point of failure; compromise of one system can then grant access to all others using the same key.
  5. Implement IMDSv2 Enforcement on AWS EC2: For AWS environments, enforce the use of Instance Metadata Service Version 2 (IMDSv2). IMDSv2 requires session-oriented requests, which makes it significantly harder for attackers to obtain temporary credentials even if they achieve SSRF (Server-Side Request Forgery) on an EC2 instance.
  6. Rotate Credentials Regularly: Implement a strict policy for regular rotation of all sensitive credentials, including API keys, database passwords, and SSH keys. This limits the window of opportunity for attackers using stolen credentials.
  7. Multi-Factor Authentication (MFA): Mandate MFA for all accounts, especially those with administrative privileges or access to critical systems. MFA significantly reduces the risk of credential theft leading to unauthorized access.
  8. Network Segmentation: Segment networks to isolate critical assets and data. This limits an attacker’s ability to move laterally across the network even if they gain initial access to a less sensitive system.
  9. Web Application Firewalls (WAFs) and IDS/IPS: Deploy WAFs to detect and block common web-based attacks, and utilize Intrusion Detection/Prevention Systems to monitor for malicious activity and unauthorized access attempts.
  10. Employee Security Awareness Training: Educate employees about phishing, social engineering, and the importance of strong password practices and reporting suspicious activities.
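Recommendation 5 (IMDSv2 enforcement) is one of the few items above that can be verified mechanically across a fleet. As an added example that is not part of the article or Talos's guidance, the following audits the MetadataOptions block of EC2 instances (a constructed sample shaped like a DescribeInstances response, with fake instance IDs) for IMDSv1 still being accepted or an over-permissive hop limit, and emits the aws ec2 modify-instance-metadata-options call that enforces IMDSv2.

```python
from typing import Dict, List

# Constructed sample shaped like the Instances[] entries of an EC2
# DescribeInstances response (fake instance IDs, not account data).
SAMPLE_INSTANCES: List[Dict] = [
    {"InstanceId": "i-0example00000001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example00000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example00000003",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example00000004",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 4}},
]

def imds_issues(instance: Dict) -> List[str]:
    """List why this instance's metadata service is weaker than IMDSv2-only."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return []  # no IMDS at all: nothing for an SSRF or RCE foothold to read
    issues = []
    if opts.get("HttpTokens") != "required":
        issues.append("IMDSv1 still accepted: HttpTokens is not 'required'")
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        issues.append("PUT response hop limit > 1 lets requests forwarded through "
                      "another hop (e.g. a container bridge) reach IMDS")
    return issues

def audit(instances: List[Dict]) -> Dict[str, List[str]]:
    """Map instance ID -> issues, for instances that have any."""
    report: Dict[str, List[str]] = {}
    for inst in instances:
        issues = imds_issues(inst)
        if issues:
            report[inst["InstanceId"]] = issues
    return report

def remediation_command(instance_id: str, hop_limit: int = 1) -> str:
    """AWS CLI call that enforces IMDSv2 on one instance. Hop limit 2 is needed
    only when workloads in bridge-networked containers must still reach IMDS."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            f"--http-tokens required --http-endpoint enabled "
            f"--http-put-response-hop-limit {hop_limit}")

if __name__ == "__main__":
    for iid, issues in audit(SAMPLE_INSTANCES).items():
        print(iid, "->", "; ".join(issues))
        print("  fix:", remediation_command(iid))
```

Feed it the real Instances[] array from `aws ec2 describe-instances` and verify applications on the flagged hosts use an SDK recent enough to speak IMDSv2 before enforcing.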

Cybersecurity experts emphasize that the rise of automated attacks like those orchestrated by UAT-10608 necessitates a shift from reactive defense to proactive threat intelligence and continuous security posture management. A representative from a hypothetical leading cybersecurity firm, Jane Doe, Head of Threat Intelligence at SecureGuard Corp., commented, "The sophistication of UAT-10608’s operation underscores a critical trend: threat actors are leveraging automation and highly effective vulnerabilities to cast a wide net. Organizations must prioritize not only patching but also comprehensive credential management and continuous monitoring of their cloud environments. A single compromised API key can unravel an entire security perimeter."

The extensive data gathering operation by UAT-10608 serves as a stark reminder of the persistent and evolving threats in the digital landscape. The comprehensive nature of the stolen data, combined with the efficient, automated exploitation of critical vulnerabilities, presents a significant challenge for organizations worldwide. As web applications become increasingly complex and interconnected, the onus falls on developers to build secure-by-design systems and on organizations to maintain rigorous security practices. Vigilance, rapid response to threat intelligence, and a layered security approach are paramount in safeguarding against such pervasive and potentially devastating credential harvesting campaigns.
