Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

The Hacker News
Actively Exploited
Sources reporting on this topic (3): Securelist; Hackread – Cybersecurity News, Data Breaches, AI, and More; The Hacker News

Overview

A significant credential harvesting campaign has been detected, utilizing the React2Shell vulnerability (CVE-2025-55182) to gain access to sensitive data from 766 Next.js hosts. Attackers are stealing various credentials, including database logins, SSH private keys, AWS secrets, Stripe API keys, and GitHub tokens. This operation has been linked to a threat group that Cisco Talos is monitoring. The widespread nature of this breach is concerning, as it affects a range of developers and companies using Next.js, potentially compromising their applications and user data. Companies need to be vigilant and take immediate steps to secure their systems against this threat.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: Next.js hosts, database credentials, SSH private keys, Amazon Web Services (AWS) secrets, Stripe API keys, GitHub tokens.
  • Action Required: Organizations should patch their systems to address the React2Shell vulnerability (CVE-2025-55182) and implement security best practices such as limiting access to sensitive credentials, regularly rotating keys and secrets, and monitoring for unauthorized access attempts.
  • Timeline: Newly disclosed

Original Article Summary

A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale. Cisco Talos has attributed the operation to a threat cluster it tracks as

Impact

Next.js hosts, database credentials, SSH private keys, Amazon Web Services (AWS) secrets, Stripe API keys, GitHub tokens.

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Newly disclosed

Remediation

Organizations should patch their systems to address the React2Shell vulnerability (CVE-2025-55182) and implement security best practices such as limiting access to sensitive credentials, regularly rotating keys and secrets, and monitoring for unauthorized access attempts.

Related Coverage

Critical React2Shell Vulnerability (CVE-2025-55182) Analysis: Surge in Attacks Targeting RSC-Enabled Services Worldwide

Hackread – Cybersecurity News, Data Breaches, AI, and More

In December 2025, researchers identified a serious vulnerability in React, designated CVE-2025-55182 and known as React2Shell, which has led to a surge in attacks on RSC-enabled services. This vulnerability affects numerous applications built with the React framework, making them targets for malicious actors. Attackers are exploiting this flaw to gain unauthorized access to systems, which could lead to data breaches or service disruptions. Organizations utilizing React-enabled services are urged to take immediate action to safeguard their systems. The situation is critical, as the exploitation of this vulnerability poses significant risks to businesses and users globally.

Dec 15, 2025

It didn’t take long: CVE-2025-55182 is now under active exploitation

Securelist

CVE-2025-55182 is currently being exploited by threat actors, raising concerns about the potential for increased attacks. This vulnerability affects a range of systems, and researchers have noted that their honeypots are already being targeted. In addition to the exploitation, specific malware has been identified as part of these attacks, which could compromise the integrity of affected systems. It’s crucial for organizations to understand the implications of this vulnerability and take proactive measures to protect their infrastructure. Knowing how to defend against this threat is vital as the situation evolves.

Dec 11, 2025