Attackers Exploit CVE-2025-55182 to Compromise 766 Next.js Sites and Harvest Credentials at Scale
A large-scale credential harvesting campaign attributed by Cisco Talos to a tracked threat cluster has exploited CVE-2025-55182, a vulnerability in the React2Shell framework, as an initial access vector to breach more than 766 Next.js-based web applications, The Hacker News reported.
The operation systematically extracted sensitive data from compromised hosts including database credentials, SSH private keys, Amazon Web Services secrets, shell command history, Stripe API keys, and GitHub tokens. The breadth of credential types targeted suggests the campaign was designed to maximize downstream access and monetization options for the attackers.
Next.js is one of the most widely deployed JavaScript frameworks for building web applications and is used across industries including fintech, healthcare, and e-commerce. The scale of the compromise -- 766 hosts confirmed -- likely represents the visible portion of a larger campaign, as many intrusions go undetected or unreported.
Cisco Talos has shared indicators of compromise with its threat intelligence subscribers. Organizations running Next.js applications, particularly those using the React2Shell library, should treat the CVE as critical and prioritize patching and credential rotation for any systems that may have been exposed.
The vulnerability has been patched in updated versions of the affected library. Security teams are advised to audit their web application inventories, rotate all secrets that may have been accessible on affected systems, and review authentication logs for signs of unauthorized access during the window since the vulnerability's disclosure.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from The Hacker News and reviewed by the T&B editorial agent team.