A large-scale credential theft campaign targeting a critical remote code execution flaw in Next.js has compromised hundreds of hosts and stolen a broad range of cloud and service credentials from affected organisations.
What Happened
CVE-2025-55182 is a CVSS 10.0 remote code execution vulnerability in Next.js React Server Components, specifically in the App Router component introduced in Next.js 13. Cisco Talos researchers attributed the campaign to threat cluster UAT-10608 and documented the attack technique as “React2Shell,” which exploits the RSC (React Server Component) data serialisation layer to inject and execute server-side code without authentication.
Attackers deployed the NEXUS Listener framework on compromised hosts, which automated the harvesting of secrets from the environment. Stolen credentials included AWS access keys and IAM session tokens (collected via the AWS Instance Metadata Service endpoint), SSH private keys, GitHub personal access tokens, npm tokens, Stripe API keys, database connection strings, Docker container configurations, and cloud IAM role-associated temporary credentials from AWS, Google Cloud, and Microsoft Azure. At least 766 hosts across multiple cloud regions and enterprise environments were confirmed compromised before Talos published its report.
The campaign used automated scanning via Shodan and Censys to identify exposed Next.js deployments, making target selection indiscriminate and rapid. The attackers had no interest in persistence — NEXUS Listener’s goal was fast credential exfiltration, not long-term access. Source: The Hacker News
Why This Matters for Canadian Organizations
Next.js is one of the most widely used web application frameworks in Canada. Canadian technology companies, digital agencies, e-commerce operators, government digital services, and financial services firms all deploy Next.js for public-facing applications. Many of these deployments are self-hosted on AWS, Azure, or GCP — not behind Vercel’s managed platform — and therefore directly exposed to this vulnerability when running affected versions.
The category of credentials stolen represents a serious secondary risk beyond the initial compromise. AWS IAM credentials and GitHub tokens give attackers access to cloud infrastructure, source code repositories, CI/CD pipelines, and the ability to deploy malicious builds. Database connection strings expose customer personal information, which under PIPEDA triggers mandatory breach notification obligations to the Office of the Privacy Commissioner of Canada. An organisation whose Next.js host was hit by UAT-10608 and whose AWS credentials were stolen faces potential exposure across its entire cloud environment — not just the compromised server.
Canadian development teams using GitHub Actions or other CI/CD tooling frequently embed cloud credentials and API tokens in environment variables on the servers running their Next.js deployments, treating the application server as a trusted environment. This campaign demonstrates the risk of this practice: a single RCE flaw in an application framework becomes a path to the entire cloud estate.
What to Do
Upgrade Next.js to the patched version immediately — review the Next.js security advisory for the specific fixed release addressing CVE-2025-55182. Audit all environment variables on Next.js servers and rotate cloud credentials, API keys, and tokens without delay. Check AWS CloudTrail, Azure Activity Logs, and GCP Audit Logs for unusual API calls, privilege escalation events, or credential usage from unexpected IP addresses in the period since the vulnerability was disclosed. Remove long-lived IAM credentials from application servers and replace them with short-lived role-based credentials accessed via instance metadata. If your organisation uses self-hosted Next.js in production, treat this as a confirmed breach investigation until you can demonstrate the host was running a patched version or was not internet-accessible during the exploitation window.
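The CloudTrail review above, as an added example that is not from the article or from Talos: a Python check that walks CloudTrail records and flags calls made from outside your own networks, separating instance-role session credentials (the IMDS-issued kind NEXUS Listener harvests) from long-lived IAM user keys. The account id, role name, trusted network range and events are constructed placeholders, not values from the report.

```python
from ipaddress import ip_address, ip_network

# Constructed sample CloudTrail records (not real telemetry). The instance-role
# session is first used from the instance's own VPC address, then from outside it.
def _ev(time, api, src, typ, key, arn):
    return {"eventTime": time, "eventName": api, "sourceIPAddress": src,
            "userIdentity": {"type": typ, "accessKeyId": key, "arn": arn}}

ROLE = "arn:aws:sts::111122223333:assumed-role/NextAppRole/i-0abc123def456"  # placeholder
SAMPLE_EVENTS = [
    _ev("2025-12-04T10:01:12Z", "DescribeInstances", "10.20.1.15", "AssumedRole", "ASIAEXAMPLE00000001", ROLE),
    _ev("2025-12-04T10:07:45Z", "ListBuckets", "203.0.113.77", "AssumedRole", "ASIAEXAMPLE00000001", ROLE),
    _ev("2025-12-04T10:09:03Z", "GetCallerIdentity", "203.0.113.77", "IAMUser", "AKIAEXAMPLE00000002", "arn:aws:iam::111122223333:user/ci-deploy"),
    _ev("2025-12-04T10:12:30Z", "PutObject", "s3.amazonaws.com", "AWSService", None, ""),
]

# Assumed: the VPC ranges your Next.js hosts legitimately call AWS from.
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]

def is_trusted_source(src):
    # AWS service principals log a hostname rather than an IP; treat those as trusted.
    try:
        return any(ip_address(src) in net for net in TRUSTED_NETWORKS)
    except ValueError:
        return True

def find_suspicious_events(events):
    # Short-lived role credentials are still readable from IMDS on a compromised host;
    # they expire and are tied to the instance session, which is what this check keys on.
    findings = []
    for ev in events:
        if is_trusted_source(ev.get("sourceIPAddress", "")):
            continue
        ident = ev.get("userIdentity", {})
        session_name = ident.get("arn", "").rsplit("/", 1)[-1]  # EC2 sets this to the instance id
        if ident.get("type") == "AssumedRole" and session_name.startswith("i-"):
            reason = "instance role credentials used off-instance"
        elif ident.get("type") == "IAMUser":
            reason = "long-lived IAM user key used from untrusted IP"
        else:
            reason = "call from untrusted IP"
        findings.append({"time": ev["eventTime"], "api": ev["eventName"], "source_ip": ev["sourceIPAddress"],
                         "access_key": ident.get("accessKeyId"), "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_events(SAMPLE_EVENTS):
        print(finding)
```

For real data, feed it the parsed `Records` array from your CloudTrail log files and widen TRUSTED_NETWORKS to your NAT and VPN egress ranges before trusting the "untrusted IP" findings.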