What is the React2Shell flaw in Next.js?

It's a SSRF vulnerability letting attackers execute code via crafted React payloads in exposed apps. Patch via npm update.

How does UAT-10608 automate credential harvesting?

Custom scanner + injector tool probes Shodan-listed Next.js, exfils via DNS to C2. Hits thousands daily.

Should I scan my Next.js apps now?

Yes. Use Nuclei templates or Vercel diagnostics. Rotate all secrets immediately.

🕳️ Vulnerabilities & CVEs

UAT-10608's Automated Credential Grab: Next.js Apps Bleeding Secrets via React2Shell

Credentials pouring out. An automated campaign's hitting vulnerable Next.js setups, siphoning secrets faster than you can say 'patch management.' UAT-10608 doesn't mess around.

Threat Digest Apr 07, 2026 3 min read

Diagram of UAT-10608 automated attack chain exploiting React2Shell in Next.js application

⚡ Key Takeaways

UAT-10608 automates credential theft from vulnerable Next.js apps via React2Shell, exploiting SSRF-to-RCE paths. 𝕏
Over 15k exposures detected recently; unpatched 13.x versions hit hardest. 𝕏
Patch to 14.2.3+, scan with Nuclei, rotate secrets—echoes Log4Shell risks for JS stacks. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#Next.js vulnerability #React2Shell #React2Shell flaw #UAT-10608 #credential harvesting

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Dark Reading

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

React2Shell: How a React Bug Turned 766 Servers into Credential Vaults

766 Next.js Servers Gutted by CVE-2025-55182: Hackers Snag Keys, Secrets, and Your Whole Damn Infra Map

GrafanaGhost: The AI Backdoor Turning Data Dashboards into Spy Tools

Docker's Sneaky Padding Trick: One Request Away from Host Takeover

Stay in the loop