ONE Sentinel

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

Source: The Hacker News
April 2, 2026
EXECUTIVE SUMMARY

Summary

A significant credential harvesting operation has been identified, exploiting the React2Shell vulnerability (CVE-2025-55182) to compromise 766 Next.js hosts. The attack targets sensitive data such as database credentials, SSH keys, AWS secrets, and more.

Key Points

  • The vulnerability exploited is CVE-2025-55182, known as React2Shell.
  • 766 Next.js hosts have been breached in this operation.
  • Stolen data includes database credentials, SSH private keys, AWS secrets, shell command history, Stripe API keys, and GitHub tokens.
  • The operation has been attributed to a threat cluster tracked by Cisco Talos.

Analysis

This breach highlights the critical nature of securing web applications and the potential widespread impact of vulnerabilities like React2Shell. The exploitation of CVE-2025-55182 demonstrates the need for timely patching and monitoring of web frameworks such as Next.js. The involvement of sensitive data like AWS secrets and Stripe API keys underscores the potential financial and operational risks associated with such breaches.

Conclusion

IT professionals should prioritize patching the React2Shell vulnerability in Next.js applications and implement robust monitoring to detect unauthorized access. Regularly updating credentials and using multi-factor authentication can mitigate the risks of credential theft.