ALL POSTS

Key Findings At least 766 Next.js hosts across multiple geographic regions and cloud providers compromised through CVE-2025-55182 exploitation Threat cluster UAT-10608 attributed to the campaign by Cisco Talos Critical vulnerability (CVSS 10.0) in React Server Components and Next.js App Router enables remote code execution NEXUS Listener framework deployed post-compromise to harvest and exfiltrate credentials via web-based GUI Stolen data includes database credentials, SSH ke

Key Findings The RondoDox botnet is exploiting the critical React2Shell vulnerability (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. The RondoDox botnet has been active since 2024 and has evolved through three phases: reconnaissance and vulnerability testing, automated web application exploitation, and large-scale IoT botnet deployment. The botnet now runs hourly IoT exploitation waves targeting routers from vendors like Linksys and Wavli

Key Findings Critical security flaw discovered in React Server Components (RSC) with a CVSS score of 10.0 (maximum severity) Vulnerability allows unauthenticated remote code execution (RCE) by exploiting a deserialization issue in how React decodes payloads sent to React Server Function endpoints Issue affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as Next.js versions >=14.3.0-canary.77, >=15, and >=16 Vulnerability codenamed "React2shell" and assigned CVE-2