
Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials
Why It Matters
The breach exposes a trove of high‑value secrets, enabling follow‑on attacks, ransomware extortion, and credential‑selling markets, while highlighting the systemic risk of unpatched Next.js deployments in cloud environments.
Key Takeaways
- CVE‑2025‑55182 enables remote code execution in Next.js.
- 766 hosts across multiple clouds compromised by UAT‑10608.
- Attack harvests SSH keys, AWS IAM tokens, Stripe API keys.
- NEXUS Listener GUI aggregates stolen credentials for easy access.
- Automated scanning of public Next.js sites drives infection scale.
Pulse Analysis
The CVE‑2025‑55182 vulnerability stems from a flaw in React Server Components and the Next.js App Router, granting attackers full remote code execution when a vulnerable endpoint is reachable. Because Next.js powers a growing share of modern web applications, many organizations expose these services without rigorous patch management, creating a fertile attack surface. The 10.0 CVSS rating underscores the urgency, yet the rapid adoption of Next.js often outpaces security teams' ability to inventory and remediate vulnerable instances.
Cisco Talos attributes the campaign to the UAT‑10608 cluster, which leverages an automated dropper to infiltrate compromised hosts and execute a sophisticated harvesting script. The script extracts a wide array of secrets—SSH private keys, cloud provider metadata, container configurations, and third‑party API tokens—then uploads them to the NEXUS Listener V3 interface. This centralized GUI not only streamlines credential access for the operators but also provides analytics on the scale of the breach, turning raw data into actionable intelligence for further exploitation or resale on underground markets.
For enterprises, the incident serves as a stark reminder to enforce defense‑in‑depth controls. Immediate steps include patching Next.js instances, deploying secret‑scanning tools, enforcing least‑privilege IAM policies, and upgrading AWS instances to IMDSv2. Regular rotation of SSH keys and API tokens, combined with continuous monitoring for anomalous outbound traffic, can mitigate the risk of credential harvesting. As supply‑chain attacks become more prevalent, securing the underlying framework of web applications is essential to protect both proprietary data and the broader ecosystem of integrated services.
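The IMDSv2 step above is worth making concrete: on IMDSv1 any code running on the instance (including a web process compromised through an RCE like the one described) can fetch the instance role's temporary credentials from the metadata endpoint with a plain GET, whereas IMDSv2 requires a session token obtained via a PUT first. The following is an added example, not code from Cisco Talos or from the article, that audits the JSON returned by the real `aws ec2 describe-instances` command for instances still accepting IMDSv1 and builds the `aws ec2 modify-instance-metadata-options` call that enforces IMDSv2. The instance IDs and response below are constructed so the script runs offline; in practice you would feed it the live CLI output.

```python
"""Audit EC2 instances for IMDSv1 exposure and emit IMDSv2 remediation commands.

Added example; not code from the article or from Cisco Talos. It assumes the
JSON shape produced by `aws ec2 describe-instances --output json` and uses a
constructed sample so it runs without AWS access.
"""
import json
import sys

# Constructed sample response (instance IDs are placeholders, not real hosts).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            # Exposed: endpoint on, token optional -> IMDSv1 GET still works.
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            # Already enforcing IMDSv2.
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            # Metadata endpoint disabled entirely: nothing to harvest.
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"HttpEndpoint": "disabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
})


def find_imdsv1_instances(describe_json: str) -> list[dict]:
    """Return instances whose metadata endpoint is enabled but does not
    require a session token, i.e. instances still answering IMDSv1."""
    data = json.loads(describe_json)
    exposed = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append({
                    "InstanceId": inst["InstanceId"],
                    "HopLimit": opts.get("HttpPutResponseHopLimit"),
                })
    return exposed


def remediation_command(instance_id: str, hop_limit: int = 1) -> str:
    """Build the AWS CLI call that enforces IMDSv2 on one instance.

    A hop limit of 1 stops the token response from leaving the host's own
    network namespace, which also blocks containers on a separate network
    from reaching IMDS; keep 2 only where a container legitimately needs it.
    """
    return (
        f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
        f"--http-tokens required --http-endpoint enabled "
        f"--http-put-response-hop-limit {hop_limit}"
    )


def main(describe_json: str = SAMPLE_DESCRIBE_INSTANCES) -> int:
    """Print one remediation command per exposed instance; exit 1 if any."""
    exposed = find_imdsv1_instances(describe_json)
    for item in exposed:
        print(f"# {item['InstanceId']} still accepts IMDSv1 (hop limit {item['HopLimit']})")
        print(remediation_command(item["InstanceId"]))
    return 1 if exposed else 0


if __name__ == "__main__":
    # Pipe real output in with: aws ec2 describe-instances --output json | python audit.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_INSTANCES
    sys.exit(main(raw))
```

Run against real output the script exits non-zero when any instance still accepts IMDSv1, which makes it usable as a CI or scheduled compliance check rather than a one-off. Enforcing IMDSv2 does not replace patching Next.js; it limits what a compromised web process can harvest from the host.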