Code Defence Cyber security

React2Shell campaign exploits Next.js RCE for automated cloud harvesting

A large-scale automated campaign is currently exploiting a critical pre-authentication RCE in Next.js applications to siphon credentials from cloud-native environments. This operation provides the adversary with a comprehensive inventory of victim infrastructure, including internal API keys and production tokens.

Tracked as CVE-2025-55182, the React2Shell vulnerability allows unauthenticated attackers to execute arbitrary code and extract environment variables, shell history, and Kubernetes service account tokens. The threat actor is exfiltrating this data to a centralized command-and-control interface called NEXUS Listener. This tool automates the validation of stolen AWS secrets and SSH keys, facilitating immediate lateral movement.

Modern web frameworks often run with excessive local permissions, turning a single application-layer flaw into a full infrastructure compromise. The rapid aggregation of stolen secrets into a searchable database demonstrates how application-layer flaws are now the primary engine for high-velocity cloud-native data breaches.

– Audit all Next.js deployments and update to the latest patched security release immediately.

– Enforce AWS IMDSv2 on all EC2 instances to prevent the theft of temporary security credentials from metadata services.

– Implement automated secret scanning across all CI/CD pipelines to identify and rotate any keys that may have been exposed.

– Place all public-facing web applications behind a Web Application Firewall (WAF) with rules targeting RCE patterns.
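The secret-scanning recommendation above is easiest to act on with a concrete scanner in hand. The following Python script is an added example written for this editorial pass, not code from the original post or from Code Defence. It flags the credential types the campaign is described as harvesting (AWS access keys, SSH private keys, and JWT-style Kubernetes service account tokens) in files and in an environment mapping, and it redacts every hit so the scanner itself never becomes a second leak. The detection rules, file names and sample inputs are constructed assumptions; the AWS values are the placeholder credentials from AWS's own documentation.

```python
"""Added example for this editorial pass: a small secret scanner for the
credential types the React2Shell campaign is described as harvesting.
Detection rules and sample inputs below are constructed, not from the post."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed detection rules (assumptions, not the post's own). A named
# group "v" marks the secret value when the match also includes a key name.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?(?P<v>[A-Za-z0-9/+=]{40})"
    ),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
    # Kubernetes service account tokens are JWTs: three base64url segments.
    "jwt_like_token": re.compile(
        r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"
    ),
}


@dataclass(frozen=True)
class Finding:
    source: str   # file path or "env:<NAME>"
    line: int
    kind: str
    preview: str  # redacted; a scanner must never re-expose the secret it found


def redact(value: str) -> str:
    """Keep a 4-character prefix for triage and mask the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(source: str, text: str) -> List[Finding]:
    """Run every pattern over each line; report kind, line number and a redacted preview."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.groupdict().get("v") or m.group(0)
                findings.append(Finding(source, line_no, kind, redact(value)))
    return findings


def scan_env(env: Dict[str, str], source: str = "env") -> List[Finding]:
    """Scan an environment mapping value by value, the same surface the campaign scrapes.
    The key name is prepended so name-keyed rules (AWS_SECRET_ACCESS_KEY) still fire."""
    findings: List[Finding] = []
    for key, value in env.items():
        findings.extend(scan_text(f"{source}:{key}", f"{key}={value}"))
    return findings


def scan_paths(paths: Iterable[Path]) -> List[Finding]:
    """Scan files such as .env, shell history and CI config; unreadable files are skipped."""
    findings: List[Finding] = []
    for path in paths:
        try:
            findings.extend(scan_text(str(path), path.read_text(errors="replace")))
        except OSError:
            continue
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per secret type, a useful shape for a CI gate or a rotation ticket."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed samples. The AWS values are the placeholder credentials from AWS's
# documentation; the JWT and SSH key bodies are junk, so nothing here is live.
CONSTRUCTED_ENV_FILE = """\
DATABASE_URL=postgres://app:pw@db:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
CONSTRUCTED_SSH_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\nnotarealkey\n-----END OPENSSH PRIVATE KEY-----\n"
)
CONSTRUCTED_ENV = {
    "HOME": "/home/app",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "KUBERNETES_TOKEN": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImNvbnN0cnVjdGVkIn0"
                        ".eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c29tZXNpZ25hdHVyZXBsYWNlaG9sZGVy",
}

if __name__ == "__main__":
    hits = (scan_text(".env", CONSTRUCTED_ENV_FILE)
            + scan_text("id_ed25519", CONSTRUCTED_SSH_KEY)
            + scan_env(CONSTRUCTED_ENV))
    for f in hits:
        print(f"{f.source}:{f.line} {f.kind} {f.preview}")
    print(summarize(hits))
```

In a pipeline, `scan_paths` would be pointed at the checkout and `scan_env` at the job's environment, with a non-empty `summarize` result failing the build and opening a rotation ticket for each kind found. Any key that matches should be treated as exposed and rotated rather than merely removed from the file.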

The shift toward automated credential harvesting at the application layer requires a zero-trust architecture where secrets are short-lived and identity-bound. #CodeDefence #NextJS #CloudSecurity #React2Shell