A recent large-scale credential harvesting operation has been discovered that leverages the React2Shell vulnerability (CVE-2025-55182) for initial access. Attackers exploiting this vulnerability have stolen sensitive information, including database credentials, SSH private keys, and cloud service secrets.
The attackers have been targeting Next.js hosts, with a reported 766 hosts breached in the operation. The stolen data includes Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens, highlighting the severity of the breach.
Cisco Talos, which has been tracking the group's activities, attributes the operation to a threat cluster. That the attackers were able to exploit React2Shell at this scale raises concerns about the security of exposed Next.js hosts and underlines the need for prompt patching.
Exploitation of CVE-2025-55182 is a significant concern because it gives attackers unauthorized access to sensitive data and systems. The breach highlights the importance of keeping software up to date and implementing robust security measures to prevent such attacks.
The incident also underscores the need for organizations to be vigilant about their security posture, particularly when it comes to open-source software like Next.js. By prioritizing security and taking proactive measures, organizations can reduce the risk of falling victim to similar attacks.
