A recent large-scale credential harvesting operation has been discovered that uses the React2Shell vulnerability (CVE-2025-55182) for initial access and has stolen sensitive information from 766 Next.js hosts.
The attackers exploit CVE-2025-55182 to gain a foothold on the targeted systems and then harvest a wide range of credentials: database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens.
Cisco Talos has attributed the operation to a specific threat cluster, pointing to the sophistication and organization of the attackers.
The scale is significant: 766 Next.js hosts compromised, and the variety of stolen credentials indicates attackers strongly motivated to reach sensitive information.
Organizations running Next.js should patch CVE-2025-55182 immediately and add further security measures to prevent similar attacks. Because the operation exfiltrates credentials, patching alone does not undo a compromise: any secrets that may have been exposed on an affected host should also be rotated.
