Critical Vulnerability

Next.js React2Shell Actively Exploited - Credential

Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. [...]

What Happened

A large-scale, automated credential theft campaign is actively exploiting a critical vulnerability in Next.js applications. The attack targets the React2Shell flaw, tracked as CVE-2025-55182, which allows attackers to execute arbitrary commands on vulnerable servers. Threat actors have weaponized this vulnerability to deploy automated scripts that systematically harvest credentials and other sensitive data from compromised systems.

Why It Matters

This campaign represents a significant escalation in the exploitation of this specific vulnerability. The automation of the attack allows threat actors to rapidly compromise a vast number of servers with minimal effort, shifting from targeted exploitation to widespread, opportunistic theft. For organizations using Next.js, this transforms a known patchable flaw into an active, high-volume data breach vector. The primary risk is the loss of administrative credentials, which can lead to full system compromise, lateral movement, and ransomware deployment.

Technical Details

The vulnerability, CVE-2025-55182 (React2Shell), exists in the Next.js React Server Components (RSC) payload deserializer. It allows an unauthenticated remote attacker to inject and execute arbitrary operating system commands on the host server. In the observed campaign, exploitation is followed by the automated execution of scripts designed to scrape environment variables, configuration files, and credential databases. The attack chain is streamlined, indicating the use of pre-packaged exploit kits targeting this specific weakness in unpatched Next.js deployments.
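The behaviour described above (the web server process executing commands, followed by reads of environment and credential files) is visible in ordinary process-creation telemetry. The following hunt script is an added example, not code from the advisory or from any of the campaign's artifacts: it scans JSON-lines process events for a Next.js node process spawning a shell or a child that touches secret material. The event field names, the shell and secret-path lists, and the sample events are all constructed for this example and should be tuned to your own EDR schema and estate.

```python
"""Hunt for a Next.js server process spawning shells or touching secret files.

Added example (not from the advisory): a heuristic over process-creation
telemetry, targeting the post-exploitation behaviour the campaign relies on
(command execution by the web server, then reading env/config/credential
files). Event format and sample lines are constructed for this example.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Interpreters that a production Next.js server has no business launching.
SHELLS = {"sh", "bash", "dash", "zsh"}

# Paths where credentials usually live (assumption: extend for your estate).
SECRET_PATH_RE = re.compile(
    r"(\.env(\.\w+)?\b|/\.aws/credentials|/\.ssh/|/etc/shadow|\.pem\b|/config/database\.yml)"
)


@dataclass
class Alert:
    ts: str
    pid: int
    reason: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def is_next_server(ev: dict) -> bool:
    """Parent is the node binary running Next.js (e.g. 'next start' / 'next-server')."""
    return basename(ev.get("parent_image", "")) == "node" and "next" in ev.get("parent_cmdline", "")


def classify(ev: dict) -> Optional[str]:
    """Return an alert reason for one process-creation event, or None if benign."""
    if not is_next_server(ev):
        return None
    child = basename(ev.get("image", ""))
    cmdline = ev.get("cmdline", "")
    if child in SHELLS:
        return "web server spawned a shell"
    if SECRET_PATH_RE.search(cmdline):
        return "web server child touched secret material"
    return None


def hunt(lines: Iterable[str]) -> List[Alert]:
    """Run the heuristic over JSON-lines process telemetry and collect alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reason = classify(ev)
        if reason:
            alerts.append(Alert(ev["ts"], int(ev["pid"]), reason, ev.get("cmdline", "")))
    return alerts


# Constructed sample telemetry: a normal worker spawn (no alert), a shell spawned
# by the Next.js server (alert), a credential file read by a child of the server
# (alert), and an unrelated read by a cron job that must NOT alert.
SAMPLE_EVENTS = """
{"ts":"T+00:00","pid":4101,"parent_image":"/usr/bin/node","parent_cmdline":"node /app/node_modules/.bin/next start","image":"/usr/bin/node","cmdline":"node /app/worker.js"}
{"ts":"T+00:05","pid":4102,"parent_image":"/usr/bin/node","parent_cmdline":"node /app/node_modules/.bin/next start","image":"/bin/sh","cmdline":"sh -c env"}
{"ts":"T+00:06","pid":4103,"parent_image":"/usr/bin/node","parent_cmdline":"node /app/node_modules/.bin/next start","image":"/usr/bin/cat","cmdline":"cat /app/.env.production"}
{"ts":"T+00:09","pid":5201,"parent_image":"/usr/bin/bash","parent_cmdline":"bash /etc/cron.hourly/backup","image":"/usr/bin/cat","cmdline":"cat /app/.env"}
"""

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"{a.ts} pid={a.pid}: {a.reason} [{a.cmdline}]")
```

The parent-process condition is what keeps the rule usable: reading `.env` from a backup job is normal, the same read from a child of the web server is not. Applications that legitimately shell out from request handlers (image conversion, git hooks) will need an allowlist keyed on the child image and command line rather than a relaxation of the rule itself.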

Immediate Risk

The risk is CRITICAL for any public-facing Next.js application that has not been updated to a patched version. The exploit is being used in the wild, and the automated nature of the campaign means that vulnerable instances are likely being discovered and compromised en masse. There is a very short window between vulnerability disclosure and active, widespread exploitation. Any delay in patching directly increases the probability of a credential theft incident.
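Confirming that every deployment is actually on a patched release is the check behind this whole section, and a lockfile audit is the quickest way to do it at scale, including for nested copies of the framework that a dependency bundles under its own `node_modules`. The script below is an added example, not code from the advisory or from the Next.js project. The list of watched packages and the `PATCHED_MIN_PLACEHOLDER` table are assumptions: the real first-fixed versions for CVE-2025-55182 are not stated on this page and must be taken from the vendor advisory before the audit means anything.

```python
"""Audit a package-lock.json for Next.js / RSC packages against a patched-version table.

Added example (not from the advisory or the Next.js project). The watched
package list and the placeholder table are assumptions; fill the table from
the vendor advisory for CVE-2025-55182 before relying on the result.
"""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Packages that carry the RSC payload deserializer in a Next.js deployment (assumption).
WATCHED = ("next", "react-server-dom-webpack", "react-server-dom-turbopack")

# PLACEHOLDER table: first patched release per minor line, keyed by (package, "major.minor").
# The entry below is NOT a real fix version; replace the whole table from the advisory.
PATCHED_MIN_PLACEHOLDER: Dict[Tuple[str, str], str] = {
    ("next", "0.0"): "0.0.0",  # PLACEHOLDER
}

Semver = Tuple[int, int, int]


def parse_semver(version: str) -> Semver:
    """Parse 'MAJOR.MINOR.PATCH'; pre-release and build suffixes are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def watched_packages(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (install path, package name, version) for every watched package in a
    lockfileVersion 2/3 'packages' map, including nested copies."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if name in WATCHED and "version" in meta:
            yield path, name, meta["version"]


def audit(lock: dict, patched_min: Dict[Tuple[str, str], str]) -> List[dict]:
    """Classify each installed watched package as patched, vulnerable or unknown-line."""
    findings = []
    for path, name, version in watched_packages(lock):
        sv = parse_semver(version)
        line = f"{sv[0]}.{sv[1]}"
        fixed = patched_min.get((name, line))
        if fixed is None:
            status = "unknown-line"  # minor line absent from the table: unverified, not safe
        elif sv < parse_semver(fixed):
            status = "vulnerable"
        else:
            status = "patched"
        findings.append({"path": path, "package": name, "version": version, "status": status})
    return findings


def audit_file(lockfile_path: str, patched_min=PATCHED_MIN_PLACEHOLDER) -> List[dict]:
    with open(lockfile_path, encoding="utf-8") as fh:
        return audit(json.load(fh), patched_min)


if __name__ == "__main__":
    import sys
    for f in audit_file(sys.argv[1] if len(sys.argv) > 1 else "package-lock.json"):
        print(f"{f['status']:<12} {f['package']}@{f['version']}  ({f['path']})")
```

Two design choices matter here. First, a minor line missing from the table is reported as `unknown-line` rather than silently passed, because an unmaintained line that never received a fix is exactly the case that stays exposed. Second, the audit walks the full `packages` map rather than only the top-level entry, so a second copy of the framework pulled in by some tooling dependency is surfaced as well; the running server only loads one of them, but both must be accounted for.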

Security Insight

This incident mirrors the historical exploitation pattern of the Log4Shell vulnerability, where a potent flaw in a ubiquitous software component led to automated, internet-wide scanning and exploitation within days. The key takeaway is that for widely adopted frameworks like Next.js, the patch-to-exploit timeline is collapsing to near zero. Defensive strategies must now assume that a public proof-of-concept for a high-severity flaw will be integrated into automated attack platforms within 48-72 hours, making automated patch deployment and immediate threat hunting for IoCs non-negotiable steps, not best practices.
