Hackers exploit React2Shell vulnerability in large-scale automated credential theft campaign

Threat actors are actively exploiting a critical vulnerability in Next.js applications to conduct automated credential theft operations at scale. The campaign targets CVE-2025-55182, known as React2Shell, a flaw in the popular React-based web framework that enables remote code execution. Security researchers at BleepingComputer identified the attacks leveraging the vulnerability to compromise vulnerable applications and harvest user credentials systematically. The automated nature of the campaign suggests the use of specialized tooling to scan for and exploit internet-facing Next.js deployments. Next.js, maintained by Vercel, powers millions of websites including major enterprise applications. Organizations running affected versions are urged to apply patches immediately, as the vulnerability enables attackers to gain full control of application servers without authentication. The widespread use of Next.js in modern web development creates substantial attack surface, with the automated campaign indicating opportunistic but efficient exploitation by financially motivated threat actors.