Massive CVE-2025-55182 Exploit Campaign Compromises 766 Next.js Servers in Credential Theft Attack

  • Apr 3
  • 2 min read

Key Findings


  • At least 766 Next.js hosts across multiple geographic regions and cloud providers compromised through CVE-2025-55182 exploitation

  • Threat cluster UAT-10608 attributed to the campaign by Cisco Talos

  • Critical vulnerability (CVSS 10.0) in React Server Components and Next.js App Router enables remote code execution

  • NEXUS Listener framework deployed post-compromise to harvest and exfiltrate credentials via web-based GUI

  • Stolen data includes database credentials, SSH keys, AWS secrets, API keys, GitHub tokens, and Stripe credentials

  • Automated targeting suggests use of Shodan, Censys, or custom scanners to identify vulnerable deployments

  • NEXUS Listener currently at version V3, indicating substantial tool development and refinement


Background


The operation represents a coordinated credential harvesting campaign targeting publicly accessible Next.js applications. Cisco Talos researchers Asheer Malhotra and Brandon White identified the activity after gaining access to an unauthenticated NEXUS Listener instance. The campaign demonstrates how attackers exploit critical vulnerabilities at scale to establish persistent access for intelligence gathering.


Initial Access and Exploitation


Attackers use CVE-2025-55182, a critical flaw in React Server Components and Next.js App Router, to achieve remote code execution on vulnerable systems. The vulnerability allows them to deploy a dropper that executes a multi-phase harvesting script. The indiscriminate targeting pattern suggests automated scanning rather than targeted reconnaissance, casting a wide net across internet-facing Next.js deployments.


Credential Harvesting Operations


Once inside a compromised host, the deployment script systematically extracts sensitive information: environment variables, SSH private keys and authorized_keys files, shell command history, Kubernetes service tokens, Docker configurations, running processes, and cloud provider credentials. The script also queries the cloud providers' Instance Metadata Services to obtain temporary credentials from AWS, Google Cloud, and Microsoft Azure, capturing the full scope of an organization's infrastructure access.
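The metadata queries described above are one of the few host-level signals a defender can key on: a Node.js app server has no business calling the Instance Metadata Service, and an AWS request without a session-token header only works where IMDSv2 is not enforced. The following detection logic is an added example, not code from the blog post or from Cisco Talos. It assumes host egress telemetry in a constructed key=value line format (process name, PID, destination, HTTP method, path, and whether an IMDSv2 token header was present); the process allow-list and the log layout are assumptions to adapt to your own EDR or proxy output.

```python
"""Flag Instance Metadata Service (IMDS) access by unexpected processes."""
import re
from dataclasses import dataclass

# Link-local IMDS endpoints for the providers named in the post.
IMDS_HOSTS = {"169.254.169.254", "metadata.google.internal"}

# Path prefixes that identify the provider behind a request.
PROVIDER_PATHS = (
    ("aws", "/latest/"),
    ("gcp", "/computeMetadata/v1/"),
    ("azure", "/metadata/"),
)

# Processes that legitimately talk to IMDS on a web host. Assumption for this
# example: cloud agents only; a Node.js app server should never need it.
ALLOWED_PROCS = {"amazon-ssm-agent", "google_osconfig_agent", "waagent", "cloud-init"}

# Constructed log format (hypothetical): adapt to your sensor's real output.
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"method=(?P<method>[A-Z]+) dst=(?P<dst>\S+) path=(?P<path>\S+)"
    r"(?: token_header=(?P<tok>yes|no))?"
)


@dataclass(frozen=True)
class Alert:
    host: str
    proc: str
    pid: int
    provider: str
    path: str
    reasons: tuple


def classify_provider(path):
    for provider, prefix in PROVIDER_PATHS:
        if path.startswith(prefix):
            return provider
    return "unknown"


def is_credential_path(path):
    """True for the endpoints that hand out temporary cloud credentials."""
    if "iam/security-credentials" in path:                       # AWS role creds
        return True
    if "/service-accounts/" in path and path.split("?")[0].endswith("/token"):
        return True                                              # GCP SA token
    return "/identity/oauth2/token" in path                      # Azure MSI token


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["dst_host"] = rec["dst"].rsplit(":", 1)[0]  # drop the port
    return rec


def flag_imds_access(lines, allowed=ALLOWED_PROCS):
    """Return one Alert per IMDS request that violates policy."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst_host"] not in IMDS_HOSTS:
            continue
        provider = classify_provider(rec["path"])
        reasons = []
        if rec["proc"] not in allowed:
            reasons.append("unexpected process reached IMDS")
            if is_credential_path(rec["path"]):
                reasons.append("fetched cloud credentials")
        # An AWS GET without the X-aws-ec2-metadata-token header is IMDSv1;
        # it only succeeds where IMDSv2 has not been enforced.
        if provider == "aws" and rec["method"] == "GET" and rec["tok"] == "no":
            reasons.append("IMDSv1 request without session token")
        if reasons:
            alerts.append(Alert(rec["host"], rec["proc"], rec["pid"], provider,
                                rec["path"], tuple(reasons)))
    return alerts


def hosts_with_credential_theft(alerts):
    """Hosts where an unexpected process pulled cloud credentials."""
    return sorted({a.host for a in alerts if "fetched cloud credentials" in a.reasons})


# Constructed sample telemetry: two benign SSM-agent requests, then a Node.js
# process and shell tools pulling credentials on three hosts, then non-IMDS traffic.
SAMPLE_LOG = [
    "2026-04-02T10:15:01Z host=web-01 proc=amazon-ssm-agent pid=812 method=PUT dst=169.254.169.254:80 path=/latest/api/token token_header=no",
    "2026-04-02T10:15:01Z host=web-01 proc=amazon-ssm-agent pid=812 method=GET dst=169.254.169.254:80 path=/latest/meta-data/instance-id token_header=yes",
    "2026-04-02T10:15:03Z host=web-01 proc=node pid=1234 method=GET dst=169.254.169.254:80 path=/latest/meta-data/iam/security-credentials/ token_header=no",
    "2026-04-02T10:15:03Z host=web-01 proc=node pid=1234 method=GET dst=169.254.169.254:80 path=/latest/meta-data/iam/security-credentials/web-role token_header=no",
    "2026-04-02T10:15:04Z host=web-02 proc=sh pid=4411 method=GET dst=metadata.google.internal:80 path=/computeMetadata/v1/instance/service-accounts/default/token",
    "2026-04-02T10:15:05Z host=web-03 proc=curl pid=5120 method=GET dst=169.254.169.254:80 path=/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/",
    "2026-04-02T10:15:06Z host=web-01 proc=node pid=1234 method=GET dst=10.0.0.5:5432 path=/",
]

if __name__ == "__main__":
    found = flag_imds_access(SAMPLE_LOG)
    for a in found:
        print(f"{a.host} {a.proc}[{a.pid}] {a.provider} {a.path}: {'; '.join(a.reasons)}")
    print("credential theft on:", hosts_with_credential_theft(found))
```

The allow-list is deliberately strict: the detection fires on the process identity, not on the path alone, because the cloud agents legitimately fetch the same credential endpoints. The IMDSv1 reason fires even for allowed processes, which is useful as an inventory of instances where IMDSv2 still is not enforced.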


NEXUS Listener Framework


Central to the operation is a password-protected web application that serves as the command-and-control interface. The GUI allows operators to view stolen credentials, search through harvested data, and analyze statistics on compromised hosts and credential types. Talos found that the accessible instance contained Stripe API keys, tokens from AI platforms such as OpenAI and Anthropic, communication service credentials, GitHub and GitLab tokens, database connection strings, and webhook secrets.


Intelligence Value and Follow-On Risks


The aggregated dataset gives attackers a detailed infrastructure map of each victim organization, including the services deployed, their configurations, cloud provider choices, and third-party integrations. This intelligence enables targeted follow-on attacks, social engineering campaigns, or the sale of access to other threat actors. The breadth of information turns individual compromises into comprehensive organizational blueprints.


Recommended Mitigations


Organizations should audit environments to enforce least privilege principles, implement secret scanning across repositories, avoid reusing SSH key pairs, enforce IMDSv2 on all AWS EC2 instances to prevent metadata exploitation, and rotate credentials if compromise is suspected. Patching CVE-2025-55182 on all Next.js deployments remains the primary defense against initial exploitation.
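Secret scanning is the mitigation most teams can start today, and the credential types named in this post (AWS keys, GitHub tokens, Stripe keys, SSH private keys, database connection strings) all have recognisable formats. The scanner below is an added example, not code from the post or from any named project. It combines format-specific patterns with a Shannon-entropy check for generic `SECRET=`/`TOKEN=` assignments, so that a random-looking value under a suspicious variable name is caught even when its format is unknown, while a placeholder such as a run of identical characters is not. File contents and credential values are constructed dummies (the AWS values are the publicly documented example key IDs).

```python
"""Scan file contents for committed secrets of the kinds harvested in this campaign."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Format-specific patterns for well-known credential shapes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "database_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:\s]+:[^@\s]+@[^\s'\"]+"),
}

# Generic fallback: a suspicious variable name assigned a long base64-ish value.
ASSIGN_RE = re.compile(
    r"(?i)\b([A-Z_]*(?:secret|token|password|api_key)[A-Z_]*)\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9+/=_\-]{20,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; tune against your own false positives


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never store or print the full secret


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a run of one character)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    return value[:5] + "..." if len(value) > 8 else "***"


def scan_text(path, text):
    """Return findings for one file's contents, one per matched line and kind."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        matched_specific = False
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, kind, redact(m.group(0))))
                matched_specific = True
        if matched_specific:
            continue  # avoid double-reporting the same value as "generic"
        m = ASSIGN_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, line_no, "generic_high_entropy", redact(m.group(2))))
    return findings


def scan_files(files):
    """files: mapping of path -> contents (e.g. read from a git checkout)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository; every value is a dummy.
SAMPLE_FILES = {
    ".env": "\n".join([
        "# constructed sample, values are dummies",
        "DATABASE_URL=postgres://app:s3cr3tpass@db.internal:5432/app",
        "STRIPE_SECRET_KEY=sk_live_0123456789abcdefghijklmnop",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "NEXT_PUBLIC_SITE_NAME=example",
    ]),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n-----END OPENSSH PRIVATE KEY-----",
    "scripts/ci.sh": "export GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n",
    "README.md": "Set STRIPE_SECRET_KEY in your environment; never commit it.",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
```

Run it over a checkout by reading each tracked file into the mapping; in CI, a non-empty result should fail the build. Findings carry only a redacted prefix so the scanner's own output does not become another place secrets leak.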


Sources


  • https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html

  • https://fr.linkedin.com/posts/bertrand-leclercq-nohackme_hackers-exploit-cve-2025-55182-to-breach-activity-7445583514260885504-DUNA

  • https://x.com/evanderburg/status/2039802717816926336

  • https://www.cypro.se/2026/04/02/hackers-exploit-cve-2025-55182-to-breach-766-next-js-hosts-steal-credentials/

  • https://x.com/TheCyberSecHub/status/2039802450321011084

© 2025 by Explain IT Again. Powered and secured by Wix