Code Defence Cyber security

React2Shell campaign exploits critical Next.js RCE for automated cloud harvesting

A large-scale automated campaign is currently exploiting a critical pre-authentication RCE in React Server Components and Next.js applications to siphon credentials from cloud-native environments. This operation provides the adversary with a comprehensive inventory of victim infrastructure including internal API keys and production database access.

Tracked as CVE-2025-55182, the React2Shell vulnerability allows unauthenticated attackers to execute arbitrary code and extract environment variables, shell history, and Kubernetes configurations. The threat actor, identified as UAT-10608, exfiltrates this data to a centralized command-and-control interface called NEXUS Listener. This GUI-based tool allows operators to analyze stolen AWS secrets, SSH keys, and Kubernetes tokens in real time, facilitating immediate lateral movement.

Modern web frameworks often run with excessive local permissions, turning a single application-layer flaw into a full infrastructure compromise. The rapid aggregation of stolen secrets into a searchable database suggests that UAT-10608 is operating as an Initial Access Broker, preparing high-value targets for resale to ransomware affiliates or state actors.

– Audit all Next.js deployments and update to the latest patched security release immediately.

– Enforce AWS IMDSv2 on all EC2 instances to prevent the theft of temporary security credentials from metadata services.

– Implement secret scanning across all repositories and CI/CD pipelines to identify and rotate exposed keys.

– Strictly adhere to the principle of least privilege for application service accounts to limit the blast radius of RCE.
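The two checks below are an added example written for this article, not tooling from the campaign write-up or from AWS. The first walks a `DescribeInstances` response (the shape returned by boto3's `describe_instances()`) and flags instances that still answer IMDSv1 token-less metadata requests, then builds the standard `aws ec2 modify-instance-metadata-options` call to enforce IMDSv2. The second is a minimal secret scanner for AWS access key IDs and secret-key assignments, the kind of check a CI job would run before rotating exposed keys. The instance IDs, the default region and the sample `.env` contents are constructed; the key values are AWS's own documentation placeholders.

```python
"""Added example (not from the original article): two defender-side checks that map to
the mitigations above, exercised on constructed sample data so the script runs offline."""
import re
from typing import Iterable

# Constructed sample in the EC2 DescribeInstances response shape. Instance IDs are made up.
SAMPLE_DESCRIBE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0ddd444example"},  # MetadataOptions absent: treated as unknown
        ]},
    ]
}


def find_imdsv1_instances(describe_response: dict) -> list[str]:
    """Return instance IDs that can still serve credentials over IMDSv1.

    Compliant: HttpTokens == "required" (IMDSv2 enforced) or the metadata endpoint is
    disabled entirely. Anything else is flagged, including a missing MetadataOptions
    block, which is reported rather than silently assumed safe.
    """
    flagged = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions")
            if opts is None:
                flagged.append(inst["InstanceId"])
                continue
            if opts.get("HttpEndpoint") == "disabled":
                continue
            if opts.get("HttpTokens") != "required":
                flagged.append(inst["InstanceId"])
    return flagged


def imdsv2_remediation_commands(instance_ids: Iterable[str], region: str = "us-east-1") -> list[str]:
    """Build the AWS CLI command that enforces IMDSv2 on each flagged instance.
    The region default is an assumption for the example."""
    return [
        f"aws ec2 modify-instance-metadata-options --region {region} "
        f"--instance-id {iid} --http-tokens required --http-endpoint enabled"
        for iid in instance_ids
    ]


# AWS access key IDs are 20 chars starting with AKIA (long-term) or ASIA (temporary).
AWS_ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 base64-ish chars; matching only the named assignment keeps noise down.
AWS_SECRET_ASSIGNMENT_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")


def scan_for_aws_keys(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, redacted_value) for each hit in the text.
    Values are redacted so the scanner's own output never re-leaks a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID_RE.finditer(line):
            key = m.group(0)
            findings.append((lineno, "access_key_id", key[:4] + "..." + key[-4:]))
        for _ in AWS_SECRET_ASSIGNMENT_RE.finditer(line):
            findings.append((lineno, "secret_access_key", "****"))
    return findings


# Constructed sample .env file; the key values are AWS's published documentation examples.
SAMPLE_ENV_FILE = """DATABASE_URL=postgres://app:placeholder@db.internal:5432/prod
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
NEXT_PUBLIC_API_BASE=https://api.example.internal
"""

if __name__ == "__main__":
    bad = find_imdsv1_instances(SAMPLE_DESCRIBE_RESPONSE)
    print("Instances without IMDSv2 enforced:", bad)
    for cmd in imdsv2_remediation_commands(bad):
        print("  ", cmd)
    for lineno, kind, value in scan_for_aws_keys(SAMPLE_ENV_FILE):
        print(f"line {lineno}: {kind} {value}")
```

Against a live account, replace `SAMPLE_DESCRIBE_RESPONSE` with the paginated output of `boto3.client("ec2").describe_instances()` and run the scanner over every file the CI job checks out. The scanner is deliberately conservative: it reports the key ID pattern anywhere, but only matches a secret when it sits in a named assignment, because a bare 40-character token matches far too many hashes and build artifacts.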

The centralization of stolen cloud secrets into an analytics platform represents a professionalization of the initial access market. #CodeDefence #NextJS #CloudSecurity #React2Shell