Automated Credential Harvesting Campaign Targets React2Shell Vulnerability

Severity: High (Score: 72.6)

Sources: Cybersecuritynews, Blog.Talosintelligence, Gbhackers

Summary

A large-scale automated credential harvesting campaign, tracked as UAT-10608, has been disclosed by Talos, impacting at least 766 hosts globally. The attack exploits the React2Shell vulnerability (CVE-2025-55182), which allows pre-authentication remote code execution in React Server Components. The attackers use a framework called 'NEXUS Listener' to systematically exploit vulnerable Next.js applications, exfiltrating sensitive data such as SSH keys, cloud tokens, and environment secrets. The campaign's rapid deployment and broad targeting suggest that automated scanning is used to identify vulnerable systems. Talos is collaborating with affected service providers to mitigate the impact and inform victims. The operation highlights significant risks for organizations running vulnerable JavaScript frameworks. As of now, the attack remains active and poses a critical threat to exposed systems.

Key Points:

  • The UAT-10608 campaign has compromised at least 766 hosts worldwide.
  • Exploitation relies on the React2Shell vulnerability (CVE-2025-55182).
  • Talos is working with industry partners to inform victims and mitigate risks.

Key Entities

  • Data Breach (attack_type)
  • UAT-10608 (campaign)
  • CVE-2025-55182 (cve)
  • kubernetes.io (domain)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • Next.js (platform)
  • React2Shell (malware)