Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials
Summary
Threat actors are exploiting the React2Shell vulnerability (CVE-2025-55182) to gain initial access to 766 Next.js hosts. The attackers are then harvesting sensitive credentials, including database passwords, SSH keys, AWS secrets, and API keys.
IFF Assessment
This is bad news for defenders: a specific vulnerability is being actively exploited to steal a wide range of sensitive information.
Severity
The React2Shell vulnerability allows remote code execution and significant data exfiltration, impacting confidentiality, integrity, and availability, which makes it a critical-severity issue.
Defender Context
Defenders need to prioritize patching or mitigating the React2Shell vulnerability on all Next.js instances to prevent initial compromise. Monitoring for indicators of compromise related to credential theft and for unauthorized access to cloud secrets is crucial.