Seven hundred and sixty-six servers compromised in under 24 hours. Over ten thousand files exfiltrated. And the crown jewels weren’t traditional database passwords or SSH keys — they were API keys for OpenAI, Anthropic, and every major AI platform you can name. The React2Shell vulnerability (CVE-2025-55182) has become the fastest route from “exposed web app” to “your AI budget is someone else’s playground.”
What Makes React2Shell So Dangerous #
CVE-2025-55182 carries a perfect CVSS score of 10.0, and it earns every decimal. The flaw lives in React Server Components as implemented by the Next.js App Router — a framework that, by design, executes JavaScript on the server side before shipping HTML to the client. The vulnerability allows remote, unauthenticated arbitrary code execution. No credentials needed. No user interaction required. Just a crafted request to a vulnerable endpoint and the attacker owns your server process.
What makes this worse than a typical RCE is context. Next.js applications routinely run with access to environment variables containing every secret the application needs: database connection strings, payment processor keys, cloud provider credentials, and increasingly, AI platform API keys worth thousands of dollars per month. The server-side execution model that makes React Server Components fast also makes them a single point of failure for secret management.
Microsoft published defense guidance back in December 2025 when the vulnerability was first disclosed. The fact that 766 hosts were still exploitable months later tells you everything about how organizations prioritize patching JavaScript frameworks.
Inside the UAT-10608 Campaign #
Cisco Talos researchers Asheer Malhotra and Brandon White published their findings in early April 2026, tracking the threat cluster as UAT-10608. The operation is notable for its complete automation — from initial reconnaissance through data exfiltration, no human touches a keyboard.
Reconnaissance and Targeting #
UAT-10608 doesn’t pick targets manually. They run automated scanners — pulling from Shodan, Censys, and custom crawlers — to build a list of publicly exposed Next.js deployments. The scanning infrastructure identifies applications running vulnerable versions by fingerprinting response headers and framework-specific artifacts. Once a target list is assembled, exploitation kicks off in parallel across hundreds of hosts.
This is assembly-line hacking. The economics only work because React Server Components are everywhere. Next.js dominates the React ecosystem for server-rendered applications, which means a single vulnerability scanner can surface thousands of potential targets across AWS, Azure, GCP, and smaller providers.
The Harvesting Routine #
Post-exploitation follows a multi-phase playbook. After gaining code execution through the React2Shell flaw, the attacker drops scripts into temporary directories — a common technique to avoid tripping file-integrity monitors on application paths. These scripts systematically harvest:
- AI platform credentials: OpenAI keys, Anthropic API tokens, NVIDIA NIM keys
- Cloud provider secrets: AWS access keys plus temporary IAM role tokens, Azure subscription credentials, GCP service account tokens, Kubernetes service account tokens
- Payment infrastructure: Stripe secret keys
- Development tooling: GitHub and GitLab tokens, SSH private keys, Docker configurations
- Operational data: Shell command history, process lists, environment variable dumps, webhook secrets
The breadth of this list reveals something important about how modern applications are deployed. A single Next.js process often has access to credentials spanning cloud infrastructure, payment systems, AI services, source code repositories, and container orchestration. Compromising one application server means compromising the entire interconnected stack.
Exfiltration and the NEXUS Listener #
Stolen data gets chunked and sent over HTTP on port 8080 to the attackers’ command-and-control infrastructure. The C2 runs a custom framework called NEXUS Listener (currently at version V3), which provides a web GUI for browsing, searching, and organizing harvested credentials. Think of it as a stolen-credential management dashboard — complete with search, filtering, and categorization.
The choice of HTTP over port 8080 is deliberate. Many organizations focus egress filtering on unusual ports while allowing common web traffic patterns. Port 8080 blends in with development servers, proxies, and internal tooling traffic.
Why AI API Keys Are the New Gold #
A year ago, attackers targeting web applications were primarily after database credentials and cloud access keys. AI API keys were an afterthought. That’s changed dramatically, and the UAT-10608 campaign’s explicit targeting of OpenAI and Anthropic credentials is a clear signal.
The economics are straightforward. A stolen OpenAI API key with a high-tier rate limit can generate thousands of dollars in compute costs before the account owner notices. Attackers use stolen keys to run inference for their own projects, resell access on underground marketplaces, or — more concerning — use them to power other attack tooling. We’ve already seen AI weaponized across the cyberattack lifecycle, and cheap stolen API access lowers the barrier further.
There’s also a secondary market forming around fine-tuned model access. If an organization has fine-tuned a model on proprietary data and the API key provides access to that fine-tuned endpoint, the attacker gains access to the organization’s intellectual property — not just compute. This puts React2Shell in the same threat category as the Flowise RCE flaw that hit AI agent platforms last month: attacks that specifically target the AI development and deployment stack.
The Patch Gap Problem #
CVE-2025-55182 was disclosed in late 2025. Microsoft published mitigation guidance in December. Patches have been available for months. Yet here we are in April 2026, and automated scanners are still finding hundreds of exploitable targets.
This gap illustrates a systemic problem with JavaScript framework security. Unlike operating system patches that get managed through established update cycles, framework updates require developer involvement. Someone needs to bump the Next.js version, verify nothing breaks, run the test suite, and deploy. In organizations where the app “just works” and the original developer has moved on, that patch sits in a backlog indefinitely.
The container revolution made this worse, not better. A vulnerable Next.js version baked into a Docker image will stay vulnerable until someone rebuilds the image. If the Dockerfile pins a specific version or the base image hasn’t been refreshed, the vulnerability persists across every deployment.
What a Response Looks Like in Practice #
If your organization runs Next.js applications — and statistically, there’s a good chance it does — the response playbook goes beyond just patching:
- Patch immediately. Update Next.js to a version that addresses CVE-2025-55182. If you can’t patch quickly, deploy WAF rules that block exploitation patterns at the edge.
- Assume compromise and rotate. If your application was running a vulnerable version in a public-facing configuration, treat all secrets accessible to that process as compromised. Rotate every API key, cloud credential, database password, and SSH key the application could reach.
- Enforce IMDSv2 on AWS. The harvesting scripts target the EC2 instance metadata service to steal IAM role credentials. IMDSv2 requires session tokens that make this extraction significantly harder.
- Enable secret scanning. Tools like GitHub’s secret scanning, GitGuardian, or TruffleHog should be running in your CI/CD pipeline to catch credentials that end up in code or config files.
- Audit container images. Rebuild images with patched dependencies. Set up automated image scanning with Trivy, Snyk, or similar tools to catch known vulnerabilities before deployment.
- Review egress rules. Legitimate Next.js applications rarely need to make outbound HTTP connections on port 8080 to arbitrary IP addresses. Egress filtering would have caught or at least flagged this exfiltration channel.
Broader Implications for AI-Dependent Organizations #
React2Shell matters beyond its immediate blast radius because it exposes a structural weakness in how organizations manage AI credentials. Most teams treat AI API keys with the same casualness as any other environment variable — they get stuffed into .env files, pasted into container configs, and shared across staging and production environments.
This is a problem the prompt injection threat doesn’t address: even if your AI integration is architecturally sound, the credentials powering it might be one framework vulnerability away from exfiltration. Organizations that invested heavily in AI capabilities now carry a new category of high-value secrets that existing secret management practices weren’t designed to protect.
The practical fix isn’t exotic. Use a secrets manager (HashiCorp Vault, AWS Secrets Manager, or even Doppler for smaller teams). Implement short-lived, scoped credentials wherever possible. Treat AI API keys with the same rotation discipline as cloud root credentials. And monitor usage patterns — a sudden spike in API calls from an unusual geography is a reliable indicator of stolen key abuse.
Key Takeaways #
- CVE-2025-55182 (React2Shell) is a CVSS 10.0 RCE in React Server Components that allows unauthenticated attackers to execute arbitrary code on Next.js servers, and it’s being actively exploited at scale.
- The UAT-10608 campaign compromised 766 hosts in 24 hours using fully automated scanning and exploitation, exfiltrating over 10,000 files without any manual interaction.
- AI platform API keys (OpenAI, Anthropic, NVIDIA) are now primary targets alongside traditional cloud credentials, reflecting the growing financial value of AI compute access.
- The months-long gap between patch availability and exploitation highlights the unique challenge of keeping JavaScript framework deployments current, especially in containerized environments.
- Organizations should assume compromise if they ran vulnerable Next.js versions, rotate all accessible credentials, enforce IMDSv2, and implement dedicated secret management for AI API keys.
Frequently Asked Questions #
What is the React2Shell vulnerability CVE-2025-55182? #
React2Shell is a CVSS 10.0 remote code execution vulnerability in React Server Components used by Next.js applications. It allows unauthenticated attackers to execute arbitrary commands on the server, making it trivial to steal environment variables, API keys, and other secrets stored on the host.
How are attackers stealing AI API keys through React2Shell? #
The threat group UAT-10608 uses automated scanners to find vulnerable Next.js deployments, then drops multi-phase harvesting scripts that extract API keys for OpenAI, Anthropic, and other AI platforms from environment variables, configuration files, and cloud metadata endpoints. Stolen data is exfiltrated over HTTP to their NEXUS Listener C2 infrastructure.
How can organizations protect against CVE-2025-55182 exploitation? #
Patch Next.js immediately, rotate all credentials that may have been exposed, enforce AWS IMDSv2 to block metadata theft, enable automated secret scanning in your CI/CD pipeline, and deploy a WAF or RASP solution to catch exploitation attempts at the edge.
Sources & References #
- Cisco Talos — UAT-10608: Inside a Large-Scale Automated Credential Harvesting Operation — Primary source for campaign details, UAT-10608 attribution, NEXUS Listener tooling, and compromise statistics
- SecurityWeek — React2Shell Exploited in Large-Scale Credential Harvesting Campaign — Coverage of the CVSS 10.0 rating, stolen credential categories, and supply chain attack implications
- The Hacker News — Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts — Details on reconnaissance methods (Shodan/Censys scanning), NEXUS Listener V3, and recommended mitigations
- BleepingComputer — Hackers Exploit React2Shell in Automated Credential Theft Campaign — Reporting on multi-phase harvesting scripts, exfiltration methods, and container security recommendations
- Cybersecurity Dive — Credential Harvesting Campaign React2Shell — Coverage of the 24-hour compromise window and breadth of stolen data types
- Microsoft Security Blog — Defending Against CVE-2025-55182 — Microsoft’s December 2025 defense guidance for React Server Components
