Executive Summary
In early April 2026, a threat cluster identified as UAT-10608 launched a global credential theft campaign targeting public-facing Next.js applications vulnerable to the React2Shell flaw (CVE-2025-55182). Exploiting this pre-authentication remote code execution vulnerability, attackers deployed an automated tool named 'NEXUS Listener' to exfiltrate credentials, SSH keys, cloud tokens, and environment secrets from compromised systems. This campaign resulted in the compromise of at least 766 hosts across multiple industries and geographic regions. (darkreading.com)
The React2Shell vulnerability, disclosed in December 2025, allows unauthenticated attackers to execute arbitrary code on servers running vulnerable versions of React Server Components. Despite the availability of patches, many organizations have yet to update their systems, leaving them susceptible to such attacks. (microsoft.com)
Why This Matters Now
The exploitation of the React2Shell vulnerability by UAT-10608 underscores the critical need for organizations to promptly apply security patches. The widespread use of React Server Components means that unpatched systems remain prime targets for credential theft and other malicious activities.
Attack Path Analysis
Attackers exploited the React2Shell vulnerability (CVE-2025-55182) in publicly accessible Next.js applications to gain initial access. They then deployed NEXUS Listener to harvest credentials and secrets, escalating their privileges. Using the stolen credentials, attackers moved laterally across cloud environments. They established command and control channels to maintain persistent access. Sensitive data was exfiltrated to attacker-controlled servers. The campaign resulted in significant data breaches and potential financial losses for affected organizations.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the React2Shell vulnerability (CVE-2025-55182) in publicly accessible Next.js applications to gain initial access.
Related CVEs
CVE-2025-55182
CVSS 10
A critical pre-authentication remote code execution vulnerability in React Server Components allows unauthenticated attackers to execute arbitrary code on affected servers via a crafted HTTP request.
Affected Products:
Meta React Server Components – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Vercel Next.js – 15.x, 16.x
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
JavaScript
Credentials in Files
Web Protocols
Automated Exfiltration
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 2.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical exposure through Next.js applications vulnerable to React2Shell CVE-2025-55182, enabling automated credential harvesting campaigns targeting development infrastructure and source code repositories.
Financial Services
High-value targets for credential theft campaigns exploiting web applications, with stolen cloud tokens and SSH keys enabling access to sensitive financial data systems.
Information Technology/IT
Primary attack surface through public-facing web applications and cloud infrastructure, requiring immediate patching of React Server Components vulnerabilities across client environments.
Health Care / Life Sciences
Significant HIPAA compliance risk from credential exfiltration campaigns targeting patient data systems, with automated harvesting tools compromising protected health information access controls.
Sources
- Automated Credential Harvesting Campaign Exploits React2Shell Flaw: https://www.darkreading.com/cyberattacks-data-breaches/automated-credential-harvesting-campaign-react2shell
- Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components: https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
- React2Shell (CVE-2025-55182): https://react2shell.com/
- Critical React2Shell RCE Hits React and Next.js (CVE-2025-55182 / CVE-2025-66478): https://www.getastra.com/blog/vulnerability/cve-2025-55182/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting the attacker's ability to move laterally and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent initial exploitation, it could limit the attacker's ability to exploit vulnerabilities by enforcing strict access controls.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls between workloads.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely constrain the attacker's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could detect and disrupt unauthorized command and control communications.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit data exfiltration by controlling and monitoring outbound traffic.
While Aviatrix CNSF may not eliminate all risks, it could reduce the overall impact by limiting the attacker's ability to move laterally and exfiltrate data.
Impact at a Glance
Affected Business Functions
- Web Application Services
- Customer Data Management
- E-commerce Transactions
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of customer credentials, payment information, and sensitive business data.
Recommended Actions
Key Takeaways & Next Steps
- Patch all Next.js deployments to address CVE-2025-55182 immediately.
- Rotate all potentially exposed credentials and API keys to mitigate unauthorized access.
- Implement Zero Trust Segmentation to enforce least-privilege access and limit lateral movement.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
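As an added defender's check supporting the patching step (example code, not from this report or from Aviatrix), the Node.js script below audits a project's package.json ranges or lockfile pins against the React Server Components and Next.js versions the advisory lists as affected. The npm package names for React Server Components and the sample dependency map are assumptions, and the semver handling covers exact, caret and tilde ranges only.

```javascript
// Added example, not code from the report: audit declared dependency ranges
// (package.json) or pinned versions (lockfile) against the versions this
// advisory lists as affected by CVE-2025-55182 (React2Shell).
// Assumptions: ranges use exact, caret (^) or tilde (~) semver forms; the npm
// package names for "React Server Components" are assumed (the report omits them).
const AFFECTED_REACT_VERSIONS = ['19.0.0', '19.1.0', '19.1.1', '19.2.0'];
const AFFECTED_NEXT_MAJORS = [15, 16];
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-turbopack', 'react-server-dom-parcel'];

function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Half-open interval [lo, hi) of versions a range admits; null if the syntax is unsupported.
function rangeBounds(range) {
  const r = String(range).trim();
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const lo = parseVersion(op ? r.slice(1) : r);
  if (!lo) return null;
  const [M, m, p] = lo;
  if (op === '^') return [lo, M > 0 ? [M + 1, 0, 0] : m > 0 ? [0, m + 1, 0] : [0, 0, p + 1]];
  if (op === '~') return [lo, [M, m + 1, 0]];
  return [lo, [M, m, p + 1]]; // an exact pin admits only itself
}
const overlaps = (a, b) => cmp(a[0], b[1]) < 0 && cmp(b[0], a[1]) < 0;

// Returns human-readable findings; an empty array means no checked package matched.
function auditDependencies(deps) {
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    const isRsc = RSC_PACKAGES.includes(name);
    if (!isRsc && name !== 'next') continue; // only the packages named in the advisory
    const b = rangeBounds(range);
    if (!b) { findings.push(`${name}@${range}: unsupported range syntax, review manually`); continue; }
    if (isRsc) {
      const hit = AFFECTED_REACT_VERSIONS.filter((v) => overlaps(b, rangeBounds(v)));
      if (hit.length) findings.push(`${name}@${range} admits affected version(s) ${hit.join(', ')}`);
    } else {
      const hit = AFFECTED_NEXT_MAJORS.filter((M) => overlaps(b, [[M, 0, 0], [M + 1, 0, 0]]));
      if (hit.length) findings.push(`${name}@${range} falls in affected line(s) ${hit.map((M) => `${M}.x`).join(', ')}`);
    }
  }
  return findings;
}

// Constructed sample dependencies (not from any real project).
const SAMPLE_DEPS = { next: '^15.3.0', 'react-server-dom-webpack': '19.1.1', express: '^4.19.2' };
auditDependencies(SAMPLE_DEPS).forEach((f) => console.log('FINDING:', f));
```

Run it against the `dependencies` object of each deployed project's package.json, or against the resolved versions in its lockfile, and treat any finding or "review manually" line as a host to patch and whose credentials to rotate.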