React2Shell: How a React Bug Turned 766 Servers into Credential Vaults

One HTTP request. That's all it took for hackers to burrow into 766 Next.js servers, siphoning credentials like SSH keys and AWS tokens. Cisco Talos just pulled back the curtain on this automated nightmare.

Diagram of React2Shell exploit chain from HTTP request to credential exfiltration via Nexus Listener

⚡ Key Takeaways

  • React2Shell (CVE-2025-55182) enables unauthenticated RCE in Next.js, exploited by UAT-10608 for mass credential theft.
  • Automated scanning via Shodan/Censys hit 766 systems in 24 hours, exfiltrating SSH keys, cloud tokens, and more via Nexus Listener.
  • The architectural shift to SSR exposes backend secrets; rotate everything and rethink frontend-backend boundaries.

Published by Threat Digest

Originally reported by SecurityWeek
