A complete look at the CVE-2025-55182 React2Shell vulnerability that let the hacker group UAT-10608 break into 766 Next.js servers around the world in less than 24 hours. They stole database passwords, AWS secrets, SSH keys GitHub tokens and Stripe API keys on a high scale never seen before using a fully automated attack and a custom credential dashboard called NEXUS Listener.Let see how hackers do this and what is the cve-2025-55182 React2Shell vulnerability.
CVE-2025-55182 : The hackers took down 766 servers
The night of April 3, 2026 when two security researchers from Cisco Talos Asheer Malhotra and Brandon White, published a report that shook the entire cybersecurity world.They reported that a new and dangerous vulnerability, registered as CVE-2025-55182, had compromised 766 servers running Next.js in just one day.
And all this happened so quietly that the server owners were not even aware of it. No alarms were raised and no alerts were issued just an automated script that was attacking one server after another and leaving everything behind.This was not a hack this was a digital robbery planned polished and absolutely professional.
What is CVE-2025-55182 : and why do people call it React2Shell?
First, lets understand what is Next.js is. Its a web framework that developers worldwide use to build modern websites.Millions of websites run on it from startups to large tech companies. All websites use it framework.
CVE-2025-55182 was hidden with in this framework in a location called React Server Components.This is the part that runs on the server and sends results to the user’s browser. Another name for this vulnerability is React2Shell. Its CVSS score was 10 out of 10 which means the worst possible score in the security language.
This simply means that because of this flaw any attacker could run their code on your server without a password or login simply by sending a specially crafted web request.The server would remain undetected and someone from outside would be able to control the entire machine.This vulnerability allow the attacker to do anything like steal passwords API keys or databases.
Attacker Identification : The whole story of UAT-10608
The group behind this attack was tracked by Cisco Talos under the name UAT-10608. These were not random script kiddies experimenting from home.This was an organized threat cluster that had planned everything in advance. They used tools like Shodan Censys and fofa which are services that scan for openly exposed servers on the Internet and maintain their database.
Using these tools UAT-10608 compiled a list of all Next.js applications vulnerable to CVE-2025-55182. Then without wasting any time they releasedthe automated scripts that began hitting servers one after another. The entire operation was so fast that 766 servers were compromised within 24 hours. Humans cannot accomplish this only machines are capable of such speed. Hackers used very high-level scripting and automation which is clear in their attacks.
Step-by-Step Technical Analysis Of This Attack Methodology
In the first step the attacker exploited the vulnerability and achieved remote code execution on the server meaning the server and now obeyed his orders.In the second step a malicious dropper script was installed on the server which performed multi-stage work.
This script kept collecting data from different places secretly. In the third step sensitive information was extracted environment variables, config files, history files, everything was scooped. In the fourth and final step all this information was packed and sent to the attackers own Command and Control server.
The entire process was completely automated completely silent and the server owner on which it was running had no idea about it.The server continued doing its work serving pages to users and all their data was being stolen from behind.
What Data Was Compromised : A Detailed Assessment Review
It was not just a couple of passwords that were stolen.It was a complete digital robbery. Database credentials were stolen which means the attackers could now directly access your database your user data your order data and everything. SSH private keys were stolen meaning they could now log into your server via SSH without a password, which is extremely dangerous.
Amazon Web Services secrets and cloud tokens were found which means they got the complete access to your cloud environment. Build servers view data and use storage its all their choice. Stripe API keys were stolen which means they also got their hands on the payment system and opening up access to customers card data.
Getting GitHub tokens which means your source code your private repositories and everything was open to them. Shell history files were also stolen and revealing the which commands were run on the server which passwords were typed. Gaining so much access in a single attack was more than a single human could have imagined.
NEXUS Listener : An Advanced Control Panel For Threat Operations
The most shocking thing is that these hackers had created their own professional web dashboard to manage the stolen data. It was called NEXUS Listener. It was a GUI-based tool meaning it had a graphical interface buttons tables and charts.
Through this dashboard hackers could see how many hosts were compromised which servers were breached and how many credentials were collected and what data was now available for use.They also had precompiled statistics and analytics.
This was not some underground and simple text-based tool. It was a properly organized operation that functioned just like a legitimate business analytics tool and except it was all based on stolen information. This alone should give you a sense of their serious.
Why This Threat Is Critical : Beyond The Simplest Attack
Many people think Its been hacked credentials are gone patch it and thats it. But the issue is not that simple. Once an attacker has your database password, your SSH key your AWS token and your GitHub access they are not limited to just this server.
It can perform lateral movement and meaning it can move from one server to another connected system. In a cloud environment it can spin up new resources, incur charges on your account and perform work. Looking at your source code can help find future vulnerabilities.
They can defraud payment systems. And if they do not use it directly they can sell it on the Dark Web. A compromised AWS account is worth thousands of dollars in underground markets. This is not just a data breach its a long-term threat that can last for months if immediate action is not taken.
Protect Yourself Now : Important Immediate Actions
If you use Next.js and the first thing you should do is update to the latest version immediately. Delay here means direct risk. Second if your server is publicly exposed on the internet immediately rotate all your credentials.Change your database password regenerate your AWS keys revoke your GitHub tokens and create new ones. Change your SSH keys as well.
Third if you are using the AWS EC2 implement IMDSv2 which prevents unauthorized access to cloud metadata. Fourth enable secret scanning in your codebase. GitHub has its own feature that reveals accidentally committed secrets.
Fifth follow the least privilege principle.This means that every service and user should only have the access they truly need. If you even slightly suspect your server has been compromised immediately activate your incident response plan and refresh all credentials without delay.
A Critical Warning To The Entire Industry : Not Just A Single Breach
CVE-2025-55182 proves once again that a vulnerability in an open source ecosystem does not just mean a problem for one application it means a similar threat to millions of deployments globally. Next.js is among the worlds top used frameworks.This meant finding a specific field making an automated scanner and getting a list of servers all over the world that were open to attack.
766 servers were just those that were detected within 24 hours the actual number could be much higher. Its not confirmed whether this campaign is still active but it is certainly confirmed that until developers patch their systems and the threat is real. Cybersecurity is no longer just the IT teams job its now the responsibility of every developer every startup founder and anyone who has a server running on the internet.
One unpatched library one ignored security update one reused SSH key and you could be on that list.Take your security seriously and patch, rotate and check it regularly.