A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability, tracked as CVE-2025-55182, to gain unauthorized access to sensitive data. The vulnerability serves as the initial infection vector, after which the attackers steal database credentials, SSH private keys, and Amazon Web Services (AWS) secrets.
The attack, which has compromised 766 Next.js hosts, also involves the theft of shell command history, Stripe API keys, and GitHub tokens, showing the breadth of what the operation collects from each host. The attackers' ability to exploit this vulnerability at scale underscores the importance of prompt patching and robust security measures.
Cisco Talos has attributed the operation to a specific threat cluster, indicating a coordinated effort rather than opportunistic, uncoordinated exploitation. The use of CVE-2025-55182 as the entry point shows that the attackers are relying on a known vulnerability to reach their goals, which makes timely patching and proactive monitoring the most direct defence.
The breach of 766 Next.js hosts using CVE-2025-55182 is a significant incident, with far-reaching implications for the security of web applications and the protection of sensitive data. It serves as a reminder for developers and system administrators to prioritize security updates and to adopt a comprehensive approach to securing their infrastructure.
The exploitation of CVE-2025-55182 in this credential harvesting operation highlights the ongoing challenge of securing web applications against known vulnerabilities. As attackers continue to evolve their tactics, it is essential for organizations to stay informed about potential threats and to implement effective security measures to protect against such attacks.
