
Automated Credential Harvesting Campaign Targets React2Shell Vulnerability

A widespread credential harvesting campaign tracked as UAT-10608 is targeting the React2Shell vulnerability (CVE-2025-55182) in public-facing Next.js applications. Threat actors are deploying an automated framework to extract sensitive system data, requiring organizations to apply patches, rotate credentials, and monitor for specific access artifacts.

Triage Security Media Team

A widespread credential harvesting campaign is targeting public-facing web applications vulnerable to React2Shell, deploying an automated collection framework to extract credentials and system data. Cisco Talos researchers identified the activity, attributing it to a threat cluster tracked as UAT-10608.

The campaign has resulted in the compromise of at least 766 hosts across multiple geographic regions and cloud providers, according to a recent Talos report.

Threat actors target Next.js applications vulnerable to CVE-2025-55182, a pre-authentication remote code execution (RCE) flaw widely known as React2Shell, to gain initial access to affected networks. React2Shell affects React Server Components (RSCs): affected endpoints may deserialize inbound HTTP requests without adequate validation or sanitization.

Following initial access, unauthorized parties deploy a framework dubbed NEXUS Listener to systematically collect credentials, SSH keys, cloud tokens, and environment secrets. The framework includes a graphical user interface (GUI) with search capabilities, allowing actors to index and review the exfiltrated data.

Automated identification and extraction sequence

The threat cluster uses automated scanning methods, likely analyzing host profile data from services such as Shodan or Censys, to identify publicly accessible Next.js deployments and probe them for RSC configuration vulnerabilities.

The unauthorized access sequence begins by identifying a web application running a vulnerable version of RSCs or a framework built on top of it. The threat actor crafts a malicious serialized input and sends it directly to a Server Function endpoint via an HTTP request, requiring no authentication. The server deserializes the input, leading to arbitrary code execution within the server-side Node.js process.

The NEXUS Listener framework

Once a vulnerable endpoint is identified, the NEXUS Listener framework operates without manual interaction. It functions as both a command-and-control (C2) platform and an analytics dashboard, organizing extracted data into a searchable dataset.

This detailed mapping of affected infrastructure, including services, cloud usage, and third-party integrations, elevates the risk of subsequent unauthorized access, social engineering efforts, or the sale of network access to other malicious actors.

Defense and remediation recommendations

Protecting systems from the UAT-10608 campaign requires a methodical approach. The primary remediation step is patching CVE-2025-55182 across all Next.js deployments, which remains a critical priority for exposed environments.

Security teams should also proactively rotate all potentially exposed credentials and API keys. Enforcing least-privilege access, restricting access to cloud metadata services, and avoiding SSH key reuse will limit lateral movement if a system is compromised. Implementing regular secrets scanning provides an additional layer of visibility to prevent credential exposure.

To identify potential UAT-10608 activity, defenders can monitor web application hosts for specific artifacts. Cisco Talos recommends investigating the following indicators:

  • Unexpected processes originating from /tmp/ with randomized dot-prefixed names.

  • nohup invocations in process listings that are disconnected from known application workflows.

  • Unusual outbound HTTP/S connections from application containers to non-production endpoints.

  • Evidence of __NEXT_DATA__ exposing server-side secrets in rendered HTML.
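One way to turn the first, second and fourth indicators above into a host check, as an added example that is not Talos's tooling or code from the original article; the process listing and rendered page are constructed samples, and the dotfile name pattern, the secret-key word list and the known-workflow list are assumptions a team would tune to its own environment:

```python
import json
import re
# Constructed sample `ps -eo pid,ppid,user,args` output, not real telemetry.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  812     1 node     node server.js
 1934   812 node     nohup /tmp/.x7f3a9 &
 1935   812 node     /tmp/.k2m8qz
 2001     1 node     nohup next start
"""
# Constructed rendered page with a secret leaked via __NEXT_DATA__, not a real site.
SAMPLE_HTML = """<html><body><script id="__NEXT_DATA__" type="application/json">
{"props":{"pageProps":{"config":{"AWS_SECRET_ACCESS_KEY":"EXAMPLEKEY000","apiBase":"/api"}}}}
</script></body></html>"""

TMP_DOTFILE = re.compile(r"(?:^|\s)/tmp/\.[A-Za-z0-9]{5,}(?:\s|$)")  # dot-prefixed, random-looking name under /tmp/
SECRET_KEY = re.compile(r"(?i)secret|token|password|api[_-]?key|private[_-]?key")  # assumed key-name heuristic

def scan_processes(ps_output, known_workflows=("next start", "node server.js")):
    """Flag /tmp dotfile processes and nohup invocations outside known application workflows."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, _, _, cmd = parts
        if TMP_DOTFILE.search(cmd):
            findings.append((int(pid), "tmp_dotfile_process", cmd))
        if cmd.startswith("nohup ") and not any(w in cmd for w in known_workflows):
            findings.append((int(pid), "unexpected_nohup", cmd))
    return findings

def scan_next_data(html):
    """Return dotted paths of secret-looking keys inside the __NEXT_DATA__ JSON blob."""
    m = re.search(r'<script id="__NEXT_DATA__"[^>]*>(.*?)</script>', html, re.S)
    if not m:
        return []
    hits = []
    def walk(obj, path):
        if isinstance(obj, dict):
            for k, v in obj.items():
                if SECRET_KEY.search(k):
                    hits.append(path + k)
                walk(v, path + k + ".")
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(v, f"{path}{i}.")
    walk(json.loads(m.group(1)), "")
    return hits
```

On a real host, feed `scan_processes` the output of `ps -eo pid,ppid,user,args` and `scan_next_data` the HTML fetched from the application's own pages; the third indicator (outbound connections) is better covered by egress logs than by a host-local script.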