
Attackers Exploit Next.js Bug, Loot Credentials From 766 Hosts

Vulnerability | Closed | Mar 6, 2026 – Apr 3, 2026

Attackers have exploited a critical flaw in the Next.js framework to harvest credentials from at least 766 hosts, according to research shared by Cisco Talos. SecurityWeek reported that the operation, tracked as UAT-10608, used automated scanning to find vulnerable deployments.

The vulnerability is identified as CVE-2025-55182 and carries a CVSS score of 10.0, reflecting an unauthenticated remote code execution issue in React Server Components. Versions 19.0 through 19.2.0 of packages such as react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack are affected, as detailed in the React team's advisory.

Once inside a system, the attackers deployed scripts and the Nexus Listener framework to pull credentials, cloud tokens, SSH keys and environment secrets from compromised hosts. Talos observed that more than ten thousand files were gathered, including keys for AI platforms, payment processors and AWS services; the Nexus Listener interface was left exposed, which revealed the scale of the breach.

The campaign began in early March and has persisted, with no additional threat actors identified beyond UAT-10608. The automated nature of the attacks allowed the adversary to scan large portions of the internet for exposed Next.js instances and install persistence mechanisms before exfiltrating data.

Defenders should immediately upgrade affected React packages to patched versions released after the advisory, and apply the mitigations outlined in the Cisco security advisory. Where React Server Components are not required, disabling the feature can reduce the attack surface, and organisations should scan external assets for any remaining vulnerable installations.

Maintaining an accurate software bill of materials, employing dependency-scanning tools and enforcing least-privilege principles on servers will help prevent similar intrusions. Rotating any credentials or keys that may have been harvested and monitoring for outbound connections to known Nexus Listener infrastructure are also essential steps.
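The two steps above that defenders can automate locally are finding installs of the affected packages and feeding the result into routine dependency scanning. The Node script below is an added example, not code from Cisco Talos, SecurityWeek or the React project: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) and reports every install of react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack whose version falls in the 19.0 through 19.2.0 range the article gives. The lockfile embedded at the bottom is constructed sample data; the article does not state the exact patched versions, so the check flags only the reported affected range and says nothing about versions outside it.

```javascript
// Added example (not from the article or the React project): report installs of
// the React Server Components packages named in the article at the versions it
// reports as affected (19.0 through 19.2.0, inclusive).

const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Inclusive bounds of the affected range as stated in the article.
const RANGE_START = [19, 0, 0];
const RANGE_END = [19, 2, 0];

// Parse "19.2.0", "19.2.0-canary.5" or "19.0" into [major, minor, patch];
// returns null for anything that is not a concrete version (e.g. "file:../x").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), m[3] === undefined ? 0 : Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside the affected range reported by the article.
function isAffectedVersion(v) {
  const parsed = parseVersion(v);
  if (!parsed) return false;
  return compareVersions(parsed, RANGE_START) >= 0 &&
         compareVersions(parsed, RANGE_END) <= 0;
}

// The package name is everything after the last "node_modules/" in the lockfile
// path, so nested installs (node_modules/next/node_modules/x) are found too.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and return
// every affected install as { path, name, version }, in lockfile order.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !AFFECTED_PACKAGES.has(name)) continue;
    if (isAffectedVersion(entry.version)) {
      findings.push({ path: lockPath, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: one top-level affected install, one nested
// affected install, and one install outside the reported range.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.0.0' },
    'node_modules/react-server-dom-parcel': { version: '19.2.1' },
    'node_modules/react': { version: '19.1.0' },
  },
};

// Usage: node check-rsc-lock.js [path/to/package-lock.json]
// Without an argument the constructed sample lockfile is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const findings = scanLockfile(lock);
  for (const f of findings) {
    console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}`);
  }
  if (findings.length === 0) {
    console.log('No installs in the reported affected range.');
  }
}
```

Run it against each repository's lockfile as part of the dependency scan; a non-empty result is a host to upgrade and, given what the article reports about credential theft, a host whose environment secrets and keys should be rotated.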

Tagged CVEs: CVE-2025-55182 (CVSS 10.0, KEV); CVE-2025-8088 (CVSS 8.4, KEV)
Root source: www.cve.org