
Cisco Talos researchers have uncovered a large-scale credential harvesting operation, tracked as UAT-10608, that breached at least 766 servers worldwide within a single day.
Critical RCE Flaw at the Core
The attack exploits CVE-2025-55182, a critical remote code execution (RCE) vulnerability in React Server Components that is widely referred to as React2Shell.
The flaw is a deserialization bug: serialized data supplied by the client is processed by server endpoints without adequate validation or sanitization.
Critically, no authentication is required, so an attacker can send a crafted payload directly to an exposed server and execute arbitrary code in the server environment without any prior access or credentials.

UAT-10608 does not rely on hands-on intrusion. The group uses internet-wide scanning services, including Shodan and Censys, to enumerate public-facing Next.js applications at scale.
Once a vulnerable target is identified, the exploit is fired automatically, with no human interaction.
A small dropper script is immediately written to the server's temporary file directory, starting the infection chain.
The dropper fetches a larger, multi-phase harvesting tool that works through the compromised system methodically.
The tool runs in distinct phases, extracting environment variables, hunting for Kubernetes service account tokens, and capturing shell command histories.
After each phase, the stolen data is quietly exfiltrated to attacker-controlled infrastructure.

The script also pulls cloud provider metadata from AWS, Google Cloud, and Microsoft Azure, and enumerates running Docker containers by scanning network configurations and exposed ports.
This reconnaissance enables attackers to map internal administrative dashboards and databases for follow-on exploitation.
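The harvester behaviour Talos describes leaves a recognisable footprint on the host: a child of the web-server process writing into a temporary directory, reads of the Kubernetes service account token and of shell history files, and connections to the cloud metadata endpoints. The following is an added example, not code from the Talos report or from this article, of a detection pass over such events. The event schema (pid, ppid, type, path, dest), the way the web server is recognised (a command line mentioning `next`), and the sample events are all assumptions to be mapped onto your own EDR or auditd feed.

```javascript
'use strict';
// Added example: host-level detection of the harvesting chain described
// above. Event shape and the constructed sample below are assumptions.

const CLOUD_METADATA_HOSTS = new Set([
  '169.254.169.254',          // AWS IMDS, Azure IMDS and GCP (IP form)
  'metadata.google.internal', // GCP metadata service hostname
  'fd00:ec2::254',            // AWS IMDS over IPv6
]);
const K8S_SA_TOKEN = '/var/run/secrets/kubernetes.io/serviceaccount/token';
const TEMP_DIRS = ['/tmp/', '/var/tmp/', '/dev/shm/'];
const SHELL_HISTORY = /\/\.(?:bash|zsh|sh|ash)_history$/;

// Walk the ppid chain to the nearest ancestor that is the web server
// (assumption: any process whose command line mentions `next`).
function findServerRoot(pid, procs) {
  let cur = procs.get(pid);
  while (cur) {
    if (/\bnext\b/.test(cur.cmdline)) return cur.pid;
    cur = procs.get(cur.ppid);
  }
  return null;
}

// Map one audit event to an indicator category, or null if uninteresting.
function classify(ev) {
  switch (ev.type) {
    case 'file_write':
      return TEMP_DIRS.some((d) => ev.path.startsWith(d)) ? 'dropper_staged_in_tmp' : null;
    case 'file_read':
      if (ev.path === K8S_SA_TOKEN) return 'k8s_service_account_token_read';
      if (SHELL_HISTORY.test(ev.path)) return 'shell_history_read';
      return null;
    case 'connect':
      return CLOUD_METADATA_HOSTS.has(ev.dest) ? 'cloud_metadata_access' : null;
    default:
      return null;
  }
}

// Group indicators by the web-server process they descend from. One
// indicator alone is weak (a Node app may read IMDS at start-up, and many
// processes write to /tmp); several distinct categories under the same
// server process is the signal, so the threshold is a parameter.
function detectHarvesting(procs, events, minCategories = 3) {
  const procMap = new Map(procs.map((p) => [p.pid, p]));
  const perRoot = new Map();
  for (const ev of events) {
    const tag = classify(ev);
    if (!tag) continue;
    const root = findServerRoot(ev.pid, procMap);
    if (root === null) continue;
    if (!perRoot.has(root)) perRoot.set(root, new Set());
    perRoot.get(root).add(tag);
  }
  return [...perRoot.entries()]
    .filter(([, tags]) => tags.size >= minCategories)
    .map(([rootPid, tags]) => ({ rootPid, indicators: [...tags].sort() }));
}

// Constructed sample: pid 1200 is a Next.js server, 1342 a shell it spawned,
// 1350 the fetched harvester running under that shell; 2000 is unrelated.
const sampleProcs = [
  { pid: 1200, ppid: 1, cmdline: 'node /app/node_modules/.bin/next start' },
  { pid: 1342, ppid: 1200, cmdline: '/bin/sh' },
  { pid: 1350, ppid: 1342, cmdline: '/bin/sh /tmp/.s' },
  { pid: 2000, ppid: 1, cmdline: '/usr/bin/cron' },
];
const sampleEvents = [
  { pid: 1342, type: 'file_write', path: '/tmp/.s' },
  { pid: 1350, type: 'file_read', path: '/var/run/secrets/kubernetes.io/serviceaccount/token' },
  { pid: 1350, type: 'file_read', path: '/root/.bash_history' },
  { pid: 1350, type: 'connect', dest: '169.254.169.254', port: 80 },
  { pid: 1350, type: 'connect', dest: '203.0.113.10', port: 443 }, // constructed exfil address, not matched alone
  { pid: 2000, type: 'file_write', path: '/tmp/cron.lock' },        // benign temp write by a non-web process
];

console.log(JSON.stringify(detectHarvesting(sampleProcs, sampleEvents), null, 2));
```

Exfiltration itself is deliberately not a rule here, because the destination is not known in advance; the point of grouping by server process is that the combination of temp-directory staging, token and history reads, and metadata queries under one Next.js worker is what distinguishes this chain from ordinary application behaviour.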
To manage the flood of stolen credentials, UAT-10608 deploys a web-based command-and-control interface called NEXUS Listener.
This dashboard provides a clean graphical interface for searching and analyzing harvested data.
Researchers found an accidentally exposed NEXUS Listener instance whose real-time statistics, credential categories, and uptime tracking confirmed the full operational scale: 766 hosts breached in a single day.
The scope of data theft is deeply alarming.
According to Talos Intelligence:
- 91.5% of compromised hosts leaked database credentials, including cleartext passwords
- 78.2% exposed private SSH keys, enabling lateral movement across connected systems
- 80+ hosts had live Stripe payment API keys stolen
- Sensitive GitHub tokens, OpenAI API keys, and Azure subscription credentials were also harvested
- Roughly 25% of victims had temporary AWS cloud access credentials fully compromised
The UAT-10608 campaign underscores the catastrophic risk posed by deserialization vulnerabilities in modern web frameworks.
Organizations running Next.js must immediately audit deployments for exposure to the React2Shell flaw, apply available security patches, and rotate all potentially exposed credentials, tokens, and SSH keys without delay to prevent further network compromise.
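Rotating "all potentially exposed credentials" starts with knowing what was in the process environment the harvester read. The following is an added example, not from this article or from Talos, of a triage script that classifies a host's environment into the categories Talos reported and emits a rotation checklist. The key formats it matches are the providers' documented public prefixes (`sk_live_` for Stripe, `ghp_`/`github_pat_` for GitHub, `sk-` for OpenAI, `ASIA`/`AKIA` for AWS), the rule set is illustrative rather than exhaustive, and the sample environment is constructed with fake values.

```javascript
'use strict';
// Added example: build a rotation checklist from a possibly exposed
// environment. Rules are illustrative; sampleEnv below is constructed.

// Generic value/name rules, checked in order; first match wins.
const RULES = [
  // URL-style DSNs with an embedded cleartext password, e.g.
  // postgres://user:password@host/db or redis://default:pw@host
  { category: 'database_credentials',
    test: (_n, v) => /^[a-z][a-z0-9+.-]*:\/\/[^:\/\s]+:[^@\/\s]+@/i.test(v) },
  { category: 'ssh_private_key',
    test: (_n, v) => /-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----/.test(v) },
  { category: 'stripe_live_key',            // sk_live_ / rk_live_
    test: (_n, v) => /^(?:sk|rk)_live_[A-Za-z0-9]+$/.test(v) },
  { category: 'github_token',               // ghp_/gho_/ghu_/ghs_/ghr_ or fine-grained PAT
    test: (_n, v) => /^(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})$/.test(v) },
  { category: 'openai_api_key',             // sk- with a dash (Stripe uses sk_)
    test: (_n, v) => /^sk-[A-Za-z0-9_-]{20,}$/.test(v) },
  { category: 'azure_credentials',          // matched on the variable name
    test: (n) => /^AZURE_.*(?:SECRET|KEY|PASSWORD)$/.test(n) },
];

// Remediation per category once a secret is on the list.
const ACTIONS = {
  database_credentials: 'change the password on the database server, then redeploy the new DSN',
  ssh_private_key: 'remove the public key from every authorized_keys and deploy-key list; issue a new pair',
  stripe_live_key: 'roll the key in the Stripe dashboard and audit recent API activity',
  github_token: 'revoke the token in GitHub settings and review the audit log',
  openai_api_key: 'delete the key and check usage for abuse',
  azure_credentials: 'rotate the service principal secret and review sign-in logs',
  aws_temporary_credentials:
    "the keys expire on their own, but the session may still be live: revoke the role's active sessions and review CloudTrail for it",
  aws_long_lived_credentials: 'deactivate the IAM access key, replace it, then delete it',
};

// Never log the secret itself; keep just enough to recognise the variable.
function redact(value) {
  return value.slice(0, 4) + '[' + (value.length - 4) + ' more chars]';
}

// AWS keys are correlated rather than classified one by one: an ASIA access
// key (or any key accompanied by a session token) is a temporary STS
// credential, an AKIA key is a long-lived IAM user key, and the secret and
// token inherit the access key's classification.
function classifyAws(env) {
  const id = env.AWS_ACCESS_KEY_ID;
  if (!id) return [];
  const temporary = id.startsWith('ASIA') || Boolean(env.AWS_SESSION_TOKEN);
  const category = temporary ? 'aws_temporary_credentials' : 'aws_long_lived_credentials';
  return ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN']
    .filter((name) => env[name])
    .map((name) => ({ name, category, preview: redact(env[name]), action: ACTIONS[category] }));
}

// Walk the environment and return one rotation item per matched secret,
// plus a per-category count comparable to the Talos percentages.
function buildRotationInventory(env) {
  const items = [];
  for (const [name, value] of Object.entries(env)) {
    if (typeof value !== 'string' || value === '' || name.startsWith('AWS_')) continue;
    const rule = RULES.find((r) => r.test(name, value));
    if (rule) items.push({ name, category: rule.category, preview: redact(value), action: ACTIONS[rule.category] });
  }
  items.push(...classifyAws(env));
  const summary = {};
  for (const item of items) summary[item.category] = (summary[item.category] || 0) + 1;
  return { items, summary };
}

// Constructed sample environment of a Next.js host; every value is fake.
const sampleEnv = {
  NODE_ENV: 'production',
  PORT: '3000',
  DATABASE_URL: 'postgres://app:Sup3rS3cret@db.internal:5432/shop',
  REDIS_URL: 'redis://default:redispass@cache.internal:6379',
  STRIPE_SECRET_KEY: 'sk_live_51FAKEFAKEFAKEFAKEFAKEFAKE',
  GITHUB_TOKEN: 'ghp_' + 'A'.repeat(36),
  OPENAI_API_KEY: 'sk-proj-' + 'b'.repeat(40),
  AWS_ACCESS_KEY_ID: 'ASIAEXAMPLEEXAMPLE12',
  AWS_SECRET_ACCESS_KEY: 'x'.repeat(40),
  AWS_SESSION_TOKEN: 'IQoJb3JpZ2luX2Vj' + 'Z'.repeat(64),
  AZURE_CLIENT_SECRET: 'constructed-azure-secret-value',
  DEPLOY_KEY: '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----',
};

console.log(JSON.stringify(buildRotationInventory(sampleEnv), null, 2));
```

Two points from the report shape the AWS handling. Temporary credentials cannot be rotated by the operator, only waited out or cut off by revoking the role's active sessions, and because the harvester also queried the instance metadata service, the instance or pod role itself should be treated as exposed, not just whatever happened to sit in the environment. Run the script against a copy of the environment taken from the compromised host, not against the rebuilt one.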
The post Hackers Exploit React2Shell Flaw to Compromise 700+ Next.js Hosts appeared first on Cyber Security News.
