CVE-2025-55182

A large-scale credential-harvesting campaign has been identified leveraging the React2Shell vulnerability as its primary infection vector. This operation targets vulnerable Next.js applications, specifically exploiting CVE-2025-55182, a critical flaw with a CVSS score of 10.0 affecting React Server Components and the Next.js App Router. Successful exploitation enables remote code execution, allowing attackers to gain an initial foothold within targeted systems.

Security researchers have attributed this activity to a threat cluster tracked as UAT-10608. The campaign has already compromised at least 766 hosts across multiple geographic regions and cloud environments, demonstrating both scale and operational reach.

Automated Intrusion at Scale: Broad and Indiscriminate Targeting

The attack pattern reflects highly automated reconnaissance and exploitation techniques. Threat actors are believed to rely on large-scale scanning tools such as Shodan, Censys, or custom-built scanners to identify publicly exposed Next.js deployments susceptible to the vulnerability.

This indiscriminate targeting strategy enables rapid identification of vulnerable systems, significantly increasing the success rate and scale of compromise.

Multi-Stage Payload Deployment: From Access to Data Harvesting

Following initial compromise, a dropper is deployed to install a multi-phase harvesting framework known as NEXUS Listener. This framework orchestrates automated scripts designed to extract sensitive data from infected systems and exfiltrate it to a centralized Command-and-Control (C2) infrastructure.

The harvesting process is extensive and systematically collects:

  • Environment variables and JSON-parsed runtime configurations
  • SSH private keys and authorized_keys files
  • Shell command histories and running process details
  • Kubernetes service account tokens and Docker container configurations
  • API keys, database credentials, and cloud service secrets
  • Temporary IAM credentials retrieved via cloud metadata services (AWS, Google Cloud, Microsoft Azure)

NEXUS Listener: Centralized Intelligence and Control

At the core of the operation is the NEXUS Listener, a password-protected web-based application hosted on the attackers’ C2 infrastructure. This interface provides operators with a comprehensive graphical dashboard to monitor and analyze stolen data.

Key capabilities of the platform include:

  • Real-time visibility into compromised hosts and harvested credentials
  • Search functionality for efficient data filtering and analysis
  • Aggregated statistics detailing credential types and volumes
  • System metrics such as application uptime and operational status

The currently observed version, NEXUS Listener V3, indicates ongoing development and refinement, suggesting a mature and evolving toolset.

Exposure of High-Value Secrets: A Dangerous Data Cache

In some instances, misconfigured or unauthenticated NEXUS Listener panels have exposed a wide array of sensitive credentials. These include API keys tied to financial services like Stripe, artificial intelligence platforms such as OpenAI, Anthropic, and NVIDIA NIM, as well as communication services including SendGrid and Brevo.

Additional exposed assets include Telegram bot tokens, webhook secrets, GitHub and GitLab tokens, and database connection strings. This breadth of compromised data significantly amplifies the potential for downstream attacks.
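The credential formats listed above are what automated secret scanning, one of the mitigations recommended later in this article, is meant to catch in checked-in files, environment files and shell histories before an attacker does. The Python below is an added example, not code from the article or from any tool it describes: the regular expressions are my approximations of each service's public key prefix (assumptions to be tuned against a maintained ruleset), and the sample `.env` file and shell-history line are constructed with fake values.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Illustrative patterns (my assumptions, not from the article): they approximate
# the public prefix formats of the services named in the campaign and are a
# starting point, not a replacement for a maintained secret-scanning ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe_live_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "openai_api_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "gitlab_token": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
    "sendgrid_api_key": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "database_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s'\"]+:[^\s'\"@]+@[^\s'\"]+"
    ),
}


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    kind: str
    preview: str  # redacted: enough to locate the secret, not enough to reuse it


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located in the file; hide the rest."""
    return value[:8] + "***"


def scan_text(text: str, source: str) -> list[Finding]:
    """Run every pattern over each line of `text`; one Finding per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(source, line_no, kind, redact(match.group(0))))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per credential type, e.g. to drive a rotation checklist."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample inputs: a .env file and a shell-history line of the kind the
# campaign harvests. Every value is fake; the multipliers keep lengths exact.
SAMPLE_ENV = "\n".join([
    "DATABASE_URL=postgres://app:S3cretPassw0rd@db.internal:5432/prod",
    "STRIPE_SECRET_KEY=sk_live_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123",
    "OPENAI_API_KEY=sk-proj-abcdefghijklmnopqrstuvwxyz0123456789",
    f"SENDGRID_API_KEY=SG.{'A' * 22}.{'B' * 43}",
    f"TELEGRAM_BOT_TOKEN=123456789:{'C' * 35}",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "LOG_LEVEL=info",
])
SAMPLE_HISTORY = f"curl -H 'Authorization: token ghp_{'D' * 36}' https://api.github.com/user"


if __name__ == "__main__":
    results = scan_text(SAMPLE_ENV, ".env") + scan_text(SAMPLE_HISTORY, ".bash_history")
    for finding in results:
        print(f"{finding.source}:{finding.line} {finding.kind} {finding.preview}")
    print("by type:", summarize(results))
```

The scanner reports only a redacted prefix per hit, so its own output does not become a second copy of the secret; the per-type summary is the list a team works from when deciding which providers' keys to rotate first.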

Strategic Impact: Mapping Entire Infrastructure Ecosystems

Beyond individual credentials, the aggregated data provides a detailed blueprint of victim environments. Attackers gain visibility into deployed services, configuration patterns, cloud providers in use, and third-party integrations.

Such intelligence enables highly targeted follow-on operations, including lateral movement, privilege escalation, social engineering campaigns, or the resale of access to other threat actors.

Defensive Imperatives: Mitigating Risk and Limiting Exposure

The scale and depth of this campaign underscore the necessity for proactive security measures. Organizations must prioritize rigorous environment auditing and credential management practices to reduce exposure.

Recommended actions include:

  • Enforcing the principle of least privilege across all systems and services
  • Enabling automated secret scanning to detect exposed credentials
  • Avoiding reuse of SSH key pairs across environments
  • Enforcing IMDSv2 on all AWS EC2 instances to protect metadata access
  • Rotating all credentials immediately if compromise is suspected
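To make the IMDSv2 item above concrete, here is an added Python example (not code from the article or from AWS) that evaluates the `MetadataOptions` block of an EC2 `DescribeInstances` response and produces the keyword arguments for the real `modify_instance_metadata_options` API call that would enforce IMDSv2. The response and the instance IDs are constructed; in live use the dictionary would come from `boto3.client("ec2").describe_instances()`, which is deliberately not imported so the example runs offline.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ImdsFinding:
    instance_id: str
    reasons: tuple[str, ...]  # empty tuple means the instance passed every check

    @property
    def compliant(self) -> bool:
        return not self.reasons


def evaluate_instance(instance: dict, max_hop_limit: int = 1) -> ImdsFinding:
    """Check one instance record in the shape EC2 DescribeInstances returns."""
    opts = instance.get("MetadataOptions", {})
    reasons = []
    # A disabled metadata endpoint exposes no credentials at all, so it passes.
    if opts.get("HttpEndpoint", "enabled") == "enabled":
        if opts.get("HttpTokens", "optional") != "required":
            reasons.append("IMDSv1 allowed: HttpTokens is not 'required'")
        hop_limit = opts.get("HttpPutResponseHopLimit", 1)
        if hop_limit > max_hop_limit:
            reasons.append(
                f"HttpPutResponseHopLimit={hop_limit} lets IMDSv2 tokens reach "
                "containers in their own network namespace"
            )
    return ImdsFinding(instance["InstanceId"], tuple(reasons))


def audit(describe_instances_response: dict, max_hop_limit: int = 1) -> list[ImdsFinding]:
    """Evaluate every instance in every reservation of the response."""
    return [
        evaluate_instance(inst, max_hop_limit)
        for reservation in describe_instances_response.get("Reservations", [])
        for inst in reservation.get("Instances", [])
    ]


def noncompliant(findings: list[ImdsFinding]) -> list[ImdsFinding]:
    return [f for f in findings if not f.compliant]


def remediation_params(finding: ImdsFinding) -> dict:
    """Keyword arguments for ec2.modify_instance_metadata_options (a real EC2 API;
    not invoked here). HttpTokens='required' turns off IMDSv1 for the instance."""
    return {
        "InstanceId": finding.instance_id,
        "HttpEndpoint": "enabled",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": 1,
    }


# Constructed sample response; instance IDs are fake placeholders.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccccccccccccccc3",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0ddddddddddddddd4",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}


if __name__ == "__main__":
    for finding in noncompliant(audit(SAMPLE_DESCRIBE_INSTANCES)):
        print(finding.instance_id, "->", "; ".join(finding.reasons))
        print("  fix with modify_instance_metadata_options(**%r)" % remediation_params(finding))
```

The hop-limit check matters because a hop limit of 1 keeps the IMDSv2 session token from reaching a container in its own network namespace, which is where a compromised Next.js workload often runs. A process executing directly on the host can still request a token, so enforcing IMDSv2 narrows the exposure rather than removing it; any credentials the instance role could have issued while the host was compromised still need to be rotated, as the last item in the list says.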

A disciplined approach to access control and continuous monitoring is essential to defend against increasingly automated and large-scale credential harvesting operations.
