A large-scale automated credential harvesting campaign has been actively exploiting CVE-2025-55182, the critical React Server Components vulnerability known as React2Shell, compromising at least 766 hosts across multiple cloud providers and geographic regions. Cisco Talos attributed the operation to a threat cluster it tracks as UAT-10608 and published its findings on April 3, 2026.
React2Shell is an unsafe deserialization flaw in the React Server Components Flight protocol affecting React versions 19.0 through 19.2 and Next.js frameworks that use App Router. It carries a CVSS score of 10.0 and allows an unauthenticated attacker to execute arbitrary code on a vulnerable server with a single malicious HTTP POST request. The vulnerability was disclosed on December 3, 2025, and exploitation began within hours.
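The first thing a defender needs is a fast answer to "are we running an affected build?". The following script is an added example, not code from Cisco Talos or the React project: it reads an npm package-lock.json and flags any installed copy of react whose version is in the set the recommendations below list (19.0.0, 19.1.0, 19.1.1, 19.2.0), including nested copies pulled in by another dependency. The sample lockfiles, the package name some-ui-lib and the placeholder next version are constructed; nothing here says which Next.js releases are affected.

```python
"""Flag installed React builds in the React2Shell-affected set.

Added example, not code from Cisco Talos or the React project. Assumptions:
the input is an npm package-lock.json (lockfileVersion 1, 2 or 3) and the
affected set is exactly the four versions named in the advisory.
"""
import json

# Affected versions as listed in the advisory.
AFFECTED_REACT_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}


def installed_versions(lockfile_text, package_name):
    """Return every installed version of package_name found in the lockfile.

    lockfileVersion 2/3 store a flat "packages" map keyed by the install path
    ("node_modules/react", "node_modules/lib/node_modules/react", ...);
    lockfileVersion 1 stores a nested "dependencies" tree. Both are walked so
    that a second, nested copy of react is not missed.
    """
    lock = json.loads(lockfile_text)
    found = set()

    for path, meta in lock.get("packages", {}).items():
        # The text after the last "node_modules/" is the package name; scoped
        # names such as "@scope/pkg" survive because the split is on the prefix.
        if path.split("node_modules/")[-1] == package_name and "version" in meta:
            found.add(meta["version"])

    def walk(deps):
        for name, meta in deps.items():
            if name == package_name and "version" in meta:
                found.add(meta["version"])
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def audit_lockfile(lockfile_text):
    """Return (vulnerable, findings) for one lockfile.

    vulnerable is True when any installed react copy is in the affected set.
    A Next.js dependency next to an affected react is reported as well, since
    the advisory ties exploitation to App Router deployments; whether App
    Router is actually enabled has to be confirmed in the project itself.
    """
    findings = []
    affected = sorted(installed_versions(lockfile_text, "react") & AFFECTED_REACT_VERSIONS)
    for version in affected:
        findings.append(f"react {version} is in the affected set for CVE-2025-55182")
    if affected and installed_versions(lockfile_text, "next"):
        findings.append("next is installed alongside an affected react build; "
                        "confirm whether App Router is in use")
    return bool(affected), findings


# Constructed sample lockfiles (not real projects). The "next" version below is
# a placeholder, not a statement about which Next.js releases are affected.
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app"},
        "node_modules/next": {"version": "0.0.0-placeholder"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-dom": {"version": "19.1.1"},
    },
})

SAMPLE_LOCKFILE_V1 = json.dumps({
    "name": "sample-app", "lockfileVersion": 1,
    "dependencies": {
        "some-ui-lib": {
            "version": "1.0.0",
            "dependencies": {"react": {"version": "19.0.0"}},  # nested copy
        },
    },
})

SAMPLE_LOCKFILE_CLEAN = json.dumps({
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {"": {"name": "sample-app"},
                 "node_modules/react": {"version": "18.3.1"}},  # outside 19.0-19.2
})

if __name__ == "__main__":
    for label, text in [("v3", SAMPLE_LOCKFILE_V3), ("v1", SAMPLE_LOCKFILE_V1),
                        ("clean", SAMPLE_LOCKFILE_CLEAN)]:
        vulnerable, findings = audit_lockfile(text)
        print(label, "VULNERABLE" if vulnerable else "ok", findings)
```

Run it against each deployed application's lockfile rather than its package.json: the lockfile records what was actually installed, while package.json ranges such as `^19.0.0` resolve differently per install. A lockfile reporting an affected version on a host that was internet-exposed is exactly the case in which the credential rotation step below applies.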
How UAT-10608 Operates
The campaign begins with automated scanning for publicly accessible Next.js deployments, likely using internet asset discovery platforms such as Shodan or Censys to enumerate vulnerable targets at scale. Once a vulnerable host is identified, the attacker delivers a crafted payload via HTTP that executes arbitrary code on the server-side Node.js process.
Post-exploitation is handled by a framework Talos calls NEXUS Listener, a web application that receives and organizes stolen data from compromised hosts. The attackers deploy a multi-phase automated script that iterates through running processes, JavaScript runtime environments, SSH keys, shell command history, cloud metadata APIs, Kubernetes service accounts, Docker container configurations, and environment variables. The result is a comprehensive credential sweep of the compromised host, with stolen data sent back to attacker-controlled infrastructure and made searchable through the NEXUS Listener panel.
Talos researchers identified an exposed NEXUS Listener instance that allowed them to analyze the operation’s inner workings directly. Within a single 24-hour window, the instance showed evidence of 766 successfully compromised hosts. Across the full campaign, more than 10,000 files have been collected. Stolen material includes database credentials, AWS secrets, SSH private keys, Stripe API keys, GitHub tokens, and cloud IAM role credentials harvested from instance metadata services across AWS, Google Cloud, and Azure.
One Vulnerability, Many Threat Actors
UAT-10608 is one of multiple distinct threat clusters observed exploiting React2Shell since its disclosure in December 2025. Google Threat Intelligence Group documented Chinese state-nexus actors including Earth Lamia and Jackpot Panda exploiting the vulnerability within hours of public disclosure, deploying backdoors including MINOCAT, SNOWLIGHT, HISONIC, and COMPOOD. North Korean threat actors have also been linked to React2Shell exploitation delivering EtherRAT malware. Ransomware groups have used it for initial access, with one documented case deploying the Weaxor ransomware strain less than a minute after gaining entry. Cryptominers have been the most common payload observed across opportunistic campaigns.
GreyNoise has recorded more than 8.1 million attack sessions exploiting React2Shell since disclosure, with daily volumes stabilizing between 300,000 and 400,000 requests. The vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog. The breadth of adoption across financially motivated actors, nation-states, and automated campaigns makes React2Shell one of the most widely exploited vulnerabilities of 2025 and 2026.
The same vulnerability was also used by TeamPCP in December 2025 as part of building the initial cloud infrastructure that later enabled their March 2026 supply chain campaign targeting Trivy, LiteLLM, Checkmarx, and Telnyx.
Defensive Recommendations
Cisco Talos recommends that organizations running React or Next.js applications take the following steps immediately:
- Apply available security patches for CVE-2025-55182. Vulnerable versions are React 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
- Rotate all credentials, API keys, SSH keys, and cloud tokens immediately if there is any suspicion of compromise or if systems ran vulnerable React versions while internet-exposed.
- Enforce AWS IMDSv2 on EC2 instances to prevent metadata service credential theft.
- Enable secret scanning across repositories and CI/CD environments.
- Audit server-side data exposure and review environment variables for hardcoded credentials.
- Deploy WAF protections for Next.js and enforce least-privilege across containers and cloud roles.
- Investigate process creation logs for cmd.exe or powershell.exe spawning from node.exe, which is a strong indicator of React2Shell exploitation.
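The last recommendation turns into a simple parent/child process rule. The script below is an added example, not Talos's code: it reads process-creation events as JSON lines (a constructed, EDR-export-like shape with host, image, parent_image and command_line fields; map your own Sysmon Event ID 1 or Security 4688 fields onto it) and raises an alert whenever cmd.exe or powershell.exe is spawned by node.exe. It goes one step beyond the page by also matching a Linux Node.js runtime spawning sh, bash or dash, which is the same indicator on the cloud hosts the campaign actually hit; that pairing, the hostnames and the command lines are assumptions and sample data, not observations from the report.

```python
"""Flag shells spawned by a Node.js process in process-creation telemetry.

Added example, not code from Cisco Talos. Assumptions: events arrive as JSON
lines with "host", "image", "parent_image" and "command_line" fields (a
constructed, EDR-export-like shape). The Windows indicator (cmd.exe or
powershell.exe under node.exe) is the one the advisory names; the Linux
pairing (sh/bash/dash under node) is an added generalization.
"""
import json
import ntpath

NODE_PARENTS = {"node.exe", "node"}
SHELL_CHILDREN_WINDOWS = {"cmd.exe", "powershell.exe"}   # from the advisory
SHELL_CHILDREN_LINUX = {"sh", "bash", "dash"}            # assumption: Linux analogue
SHELL_CHILDREN = SHELL_CHILDREN_WINDOWS | SHELL_CHILDREN_LINUX


def basename(path):
    """Lower-cased last path component; ntpath splits on both '\\' and '/'."""
    return ntpath.basename(path).lower()


def is_node_spawned_shell(event):
    """True when the child is a shell and the parent is a Node.js runtime."""
    return (basename(event.get("parent_image", "")) in NODE_PARENTS
            and basename(event.get("image", "")) in SHELL_CHILDREN)


def detect(jsonl_text, allowlist=()):
    """Return one alert dict per suspicious event.

    allowlist holds command lines known to be legitimate (build scripts that
    shell out, for instance); matching events are skipped so the rule can be
    tuned per host instead of being switched off.
    """
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_node_spawned_shell(event):
            continue
        if event.get("command_line", "") in allowlist:
            continue
        alerts.append({
            "host": event.get("host", "?"),
            "parent": basename(event.get("parent_image", "")),
            "child": basename(event.get("image", "")),
            "command_line": event.get("command_line", ""),
        })
    return alerts


# Constructed sample telemetry; hostnames and command lines are invented.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "web-01", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Program Files\\nodejs\\node.exe",
     "command_line": "cmd.exe /c <redacted in sample>"},
    {"host": "web-01", "image": "C:\\Program Files\\nodejs\\node.exe",
     "parent_image": "C:\\Program Files\\nodejs\\node.exe",
     "command_line": "node.exe worker.js"},                       # worker, benign
    {"host": "ws-07", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell.exe"},                           # user-launched, benign
    {"host": "api-03", "image": "/bin/sh",
     "parent_image": "/usr/bin/node",
     "command_line": "sh -c <redacted in sample>"},
    {"host": "build-02", "image": "/bin/sh",
     "parent_image": "/usr/bin/node",
     "command_line": "sh -c npm run build"},                      # allow-listed below
])

BUILD_ALLOWLIST = ("sh -c npm run build",)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, allowlist=BUILD_ALLOWLIST):
        print(alert)
```

Legitimate applications that use child_process produce the same parent/child pair, so expect to tune the allowlist on build and CI hosts; on a production web tier that serves a Next.js application, a shell under the Node.js process should be rare enough that every hit is worth a look, and any hit on a host that ran an affected React version is a trigger for the credential rotation step above.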