Code Defence Cyber security

React2Shell campaign achieves industrial scale with NEXUS Listener command center

A large-scale automated campaign is currently exploiting a critical pre-authentication RCE in Next.js applications to siphon credentials from cloud-native environments. The operation has reached a professionalized state, with hundreds of hosts being harvested simultaneously for high-value cloud secrets.

Tracked as CVE-2025-55182, the React2Shell vulnerability allows unauthenticated attackers to execute arbitrary code and extract environment variables, shell history, and Kubernetes service account tokens. The threat actor is exfiltrating this data to a centralized command-and-control interface called NEXUS Listener. This tool automates the validation of stolen AWS secrets and SSH keys, facilitating immediate lateral movement into production clusters.

The rapid aggregation of stolen secrets into a searchable database demonstrates how application-layer flaws are now the primary engine for cloud-native data breaches. Threat actors no longer need to manually explore a network; they simply wait for their automated scanners to populate their dashboard with valid production credentials.

– Audit all Next.js and React Server Component deployments and update to the latest patched security release immediately.

– Enforce AWS IMDSv2 and disable IMDSv1 so that instance-role credentials cannot be pulled from the metadata service with a single unauthenticated GET. Note that an attacker who already has code execution on the instance can complete the IMDSv2 token handshake, so also keep instance-role permissions minimal and prefer short-lived, identity-bound credentials.

– Implement automated secret scanning across all CI/CD pipelines to identify and rotate any keys that may have been exposed.

– Place all public-facing web applications behind a Web Application Firewall (WAF) with rules specifically targeting RCE patterns, as a stopgap while patching rather than a substitute for it.
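The secret-scanning step above, as an added example that is not part of the original post or of any tool it mentions: a Python scanner that walks the same artifacts the campaign is reported to harvest from a compromised host (an environment dump, shell history, an SSH key file, a mounted Kubernetes service account token), reports each hit without echoing the secret, and decodes any service account JWT far enough to name the namespace and account that must be rotated. All sample inputs are constructed (AWS's documented example key pair and a fabricated token); the regexes, file paths and function names are assumptions for illustration, not anything the post describes.

```python
import base64
import json
import re
from dataclasses import dataclass

# Detection patterns for the credential classes the post says are harvested.
# The AWS access key ID format and PEM headers are fixed; the secret-key and
# JWT patterns are heuristics assumed here (tune them to your environment).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"""(?i)aws_secret_access_key\s*[=:]\s*['"]?[A-Za-z0-9/+=]{40}"""
    ),
    "ssh_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}


@dataclass
class Finding:
    kind: str
    source: str
    line_no: int
    detail: str  # never the secret itself; just enough to know what to rotate


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment into a dict (re-adding stripped padding)."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def describe_jwt(token: str) -> str:
    """Read a JWT payload WITHOUT verifying the signature and say whether it is
    a Kubernetes service account token and for which account. Verification is
    deliberately skipped: the goal is to learn what to rotate, not to trust it."""
    try:
        claims = _b64url_json(token.split(".")[1])
    except (ValueError, IndexError):
        return "jwt (payload not decodable)"
    namespace = claims.get("kubernetes.io/serviceaccount/namespace")
    account = claims.get("kubernetes.io/serviceaccount/service-account.name")
    if account:
        return f"kubernetes service account token for {namespace}/{account}"
    return f"jwt issued by {claims.get('iss', '<unknown issuer>')}"


def scan_text(text: str, source: str) -> list[Finding]:
    """Scan one artifact line by line and return findings with secrets redacted."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if kind == "aws_access_key_id":
                    detail = match.group(0)  # key IDs are not secret; safe to log
                elif kind == "jwt":
                    detail = describe_jwt(match.group(0))
                elif kind == "ssh_private_key":
                    detail = "PEM private key block"
                else:
                    detail = "secret access key (value redacted)"
                findings.append(Finding(kind, source, line_no, detail))
    return findings


def scan_artifacts(artifacts: dict[str, str]) -> list[Finding]:
    """Scan a {source_name: content} map, e.g. files pulled from a suspect host."""
    findings: list[Finding] = []
    for source, text in artifacts.items():
        findings.extend(scan_text(text, source))
    return findings


# --- constructed sample input (not real data) ---------------------------------

def _fake_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for the sample; the signature segment is junk."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.c2lnbmF0dXJl"


SAMPLE_SA_TOKEN = _fake_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "prod",
    "kubernetes.io/serviceaccount/service-account.name": "payments-api",
    "sub": "system:serviceaccount:prod:payments-api",
})

# Shape of the artifacts the post says are pulled from a compromised host.
# Values are AWS's documented example keys and the fabricated token above.
SAMPLE_ARTIFACTS = {
    "/proc/self/environ": (
        "NODE_ENV=production\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "DATABASE_URL=postgres://app:app@db.internal:5432/app\n"
    ),
    "/root/.bash_history": (
        "kubectl get secrets -n prod\n"
        "ssh -i ~/.ssh/deploy_key ubuntu@10.0.3.17\n"
    ),
    "/root/.ssh/deploy_key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "/var/run/secrets/kubernetes.io/serviceaccount/token": SAMPLE_SA_TOKEN + "\n",
}

if __name__ == "__main__":
    for f in scan_artifacts(SAMPLE_ARTIFACTS):
        print(f"{f.source}:{f.line_no}  {f.kind:22s} {f.detail}")
```

Run it over files collected during triage or over a checked-out repository in CI; every AWS key ID it reports can be mapped to its owner with `aws iam` and revoked, and every service account it names can have its token invalidated by deleting the backing secret or restarting the workload with a bound, short-lived token. The IMDSv2 item in the list above is a single API call per instance (`aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`), which is worth scripting across the fleet at the same time.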

The shift toward automated credential harvesting at the application layer requires a zero-trust architecture where secrets are short-lived and identity-bound. #CodeDefence #NextJS #CloudSecurity #React2Shell