Critical React2Shell Flaw Actively Exploited to Breach 766 Hosts

    Rameses Quiambao

    Summary

    On April 7, 2026, a large-scale exploitation campaign targeting Next.js applications was observed, leveraging the critical React2Shell vulnerability.

    The vulnerabilities:
    • CVE-2025-55182 (React2Shell)
    • CVE-2025-66478 (Next.js related exposure)

    The flaw allows unauthenticated remote code execution (RCE) via a crafted HTTP request.

    Within just 24 hours, attackers compromised 766 hosts and exfiltrated sensitive data, including credentials and cloud secrets.

    The activity has been attributed to a threat cluster tracked as UAT-10608.

    Research Source

    According to Cisco Talos, the campaign is highly automated and uses internet-wide scanning tools such as Shodan and Censys to identify vulnerable targets.

    Researchers observed rapid exploitation at scale, with attackers moving from discovery to full compromise without manual interaction.

    Technical Details

    The vulnerability exists in the React Server Components (RSC) Flight protocol, specifically in how servers process HTTP requests to Server Function endpoints.

    Key characteristics:

    • CVSS Score: 10.0 (Critical)
    • No authentication required
    • Single HTTP request triggers RCE
    • Affects Next.js applications using RSC

    Attack flow:

    1. Attacker scans for exposed Next.js apps
    2. Sends crafted HTTP request to vulnerable endpoint
    3. Server executes malicious payload
    4. Dropper script deployed in temporary directory
    5. Multi-stage credential harvesting begins

    Observed Attack Activity

    Threat Actor
    • UAT-10608 (tracked by Cisco Talos)

    Automation & Reconnaissance
    • Internet-wide scanning via Shodan/Censys
    • Fully automated exploitation chain

    Credential Harvesting
    • Database connection strings
    • SSH private keys
    • Cloud access tokens (AWS, GCP, Azure)
    • GitHub tokens
    • Stripe secret keys
    • Kubernetes service account credentials
    • Environment variables
    • Shell command histories

    Data Exfiltration
    • Over 10,120 files stolen
    • npm and pip registry credentials exposed

    Command & Control
    • Custom framework: NEXUS Listener (v3)
    • Web-based dashboard for managing stolen data
    • Communication via port 8080

    Persistence & Execution
    • Dropper scripts in temp directories
    • Multi-phase data collection scripts
    • Outbound callbacks to attacker infrastructure

    Impact

    Successful exploitation may allow attackers to:

    • Gain full server access via RCE
    • Steal sensitive credentials and secrets
    • Compromise cloud infrastructure
    • Access databases and internal systems
    • Enable lateral movement across environments
    • Launch supply chain attacks via stolen package credentials

    Because exposed credentials include CI/CD and package registry tokens, this incident poses a secondary supply chain risk.

    Mitigation

    Recommended response actions:

    1. Patch Next.js and React components immediately
    2. Disable vulnerable RSC endpoints if not required
    3. Rotate all exposed secrets:
       • Cloud keys
       • API tokens
       • SSH keys
       • Database credentials
    4. Audit container permissions and roles
    5. Enforce IMDSv2 on cloud instances
    6. Monitor outbound traffic (especially port 8080)
    7. Avoid reuse of SSH keys across systems
    8. Review logs for suspicious HTTP requests and execution activity

    Organizations should assume compromise if vulnerable systems were publicly exposed.
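    The last two monitoring actions above, as an added worked example that is not part of the original post or of Cisco Talos' research: a small triage script that flags server-function POSTs from clients that never loaded a page first (the pattern of a fully automated single-request exploitation chain) and outbound connections to port 8080. It assumes Next.js marks server-function calls with a Next-Action request header and that logs arrive as JSON lines in time order; all sample log and flow data is constructed.

```python
# Added example (not from the original post): triage constructed web-server
# access logs and flow records for two indicators the post calls out.
# Assumption: Next.js tags Server Function calls with a "Next-Action" header;
# log lines are JSON, one per line, already ordered by timestamp.
import json

# Constructed sample access log (JSON lines), not real traffic.
ACCESS_LOG = """
{"ts": 1, "src": "10.0.0.5", "method": "GET",  "path": "/", "headers": {}}
{"ts": 2, "src": "10.0.0.5", "method": "POST", "path": "/", "headers": {"next-action": "a1b2"}}
{"ts": 3, "src": "198.51.100.7", "method": "POST", "path": "/", "headers": {"Next-Action": "ffff"}}
{"ts": 4, "src": "203.0.113.9", "method": "POST", "path": "/api/login", "headers": {}}
"""

# Constructed flow records for the web host 10.1.2.3: (src, dst, dst_port, direction).
FLOWS = [
    ("10.1.2.3", "10.1.2.10", 5432, "out"),   # normal database traffic
    ("10.1.2.3", "192.0.2.44", 8080, "out"),  # outbound callback, matches the post's indicator
    ("192.0.2.44", "10.1.2.3", 8080, "in"),   # inbound, not what we are looking for
]


def suspicious_action_posts(log_text):
    """Return (src, ts) for server-function POSTs whose client never issued a GET first.

    A browser loads a page before invoking a Server Function; an automated
    exploitation chain sends the crafted POST directly.
    """
    seen_get = set()
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        headers = {k.lower(): v for k, v in rec["headers"].items()}
        if rec["method"] == "GET":
            seen_get.add(rec["src"])
        elif rec["method"] == "POST" and "next-action" in headers and rec["src"] not in seen_get:
            hits.append((rec["src"], rec["ts"]))
    return hits


def outbound_to_port(flows, port=8080):
    """Return the distinct destinations reached by outbound connections to `port`."""
    return sorted({dst for _src, dst, dport, direction in flows
                   if direction == "out" and dport == port})


if __name__ == "__main__":
    print("direct server-function POSTs:", suspicious_action_posts(ACCESS_LOG))
    print("outbound connections to 8080:", outbound_to_port(FLOWS))
```

    Hits from either check are leads for the log review step, not proof of compromise; correlate them with process execution from temporary directories before escalating.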

    References
    • Cisco Talos – React2Shell Exploitation Campaign
    • Cyber Security News – Hackers Exploit Next.js React2Shell Flaw (April 7, 2026): https://cybersecuritynews.com/hackers-exploit-next-js-react2shell-flaw/
