[{"data":1,"prerenderedAt":117},["ShallowReactive",2],{"article-slug-security-lapse-exposes-react2shell-attackers-credential-harvesting-dashboard":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":35,"sources":39,"events":50,"mitre_techniques":51,"mitre_mitigations":64,"d3fend_countermeasures":82,"iocs":83,"cyber_observables":84,"tags":101,"extract_datetime":106,"article_type":107,"impact_scope":108,"pub_date":115,"reading_time_minutes":116,"createdAt":106,"updatedAt":106},"3633d9e2-3e4e-4820-ad6b-9e062b55add8","security-lapse-exposes-react2shell-attackers-credential-harvesting-dashboard","Researchers Gain Access to Hacker Dashboard in React2Shell Campaign","Security Lapse Exposes React2Shell Attackers' Credential Harvesting Dashboard","Researchers at Cisco Talos gained access to the operational dashboard of a threat group, UAT-10608, that is actively exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications. A security lapse in the attackers' own infrastructure left a web application fronting their stolen data collection exposed. This allowed Talos to view a trove of stolen credentials, API keys, and access tokens harvested from hundreds of compromised servers, including credentials for AWS and GitHub. Talos is now notifying the affected victims.","## Executive Summary\nIn a remarkable turn of events, researchers from **[Cisco Talos](https://www.talosintelligence.com/)** gained direct insight into a large-scale credential harvesting campaign by accessing the attackers' own backend infrastructure. 
A threat group, tracked as **UAT-10608**, was found actively exploiting **CVE-2025-55182**, a critical pre-authentication remote code execution (RCE) vulnerability in Next.js applications known as \"React2Shell.\" The group's automated framework was compromising hundreds of hosts per day, exfiltrating credentials, API keys, and tokens to a database. However, a security misconfiguration by the attackers left their web-based dashboard for this database unprotected, allowing Talos researchers to observe the stolen data in real time. The data included sensitive credentials for services like **[Amazon Web Services (AWS)](https://aws.amazon.com/)** and **[GitHub](https://github.com/)**. Talos is now in the process of notifying the hundreds of victim organizations.\n\n## Threat Overview\nThe campaign centers on the mass exploitation of **CVE-2025-55182 (React2Shell)**, a vulnerability disclosed four months prior. This RCE flaw in Next.js allows an unauthenticated attacker to execute arbitrary code by sending a malicious serialized payload to a Server Function endpoint.\n\nThe threat group **UAT-10608** built an automated system to scan the internet for vulnerable servers and exploit them. The exploit payload was designed to harvest sensitive information from the compromised hosts, such as login credentials, environment variables, API keys, and access tokens. This data was then sent to a central database controlled by the attackers. In a display of poor operational security, the attackers' web application used to view and manage this stolen data was left exposed to the internet without a password, granting the Talos researchers a direct view into their operation.\n\n## Technical Analysis\n*   **Initial Access:** [`T1190 - Exploit Public-Facing Application`](https://attack.mitre.org/techniques/T1190/). 
The entire campaign relies on the mass exploitation of the public-facing React2Shell vulnerability, **CVE-2025-55182**.\n*   **Execution:** The vulnerability allows for remote code execution, likely through a deserialization flaw. The attackers' payload would then execute commands on the server.\n*   **Credential Access:** The primary goal of the post-exploitation payload was credential harvesting. This could involve multiple techniques, such as [`T1552.001 - Credentials In Files`](https://attack.mitre.org/techniques/T1552/001/) to read configuration files, or [`T1552.005 - Cloud API Credentials`](https://attack.mitre.org/techniques/T1552/005/) to steal AWS or other cloud provider keys.\n*   **Collection:** The harvested data was collected and sent to the attackers' database.\n\n## Impact Assessment\nThe impact is widespread, affecting at least 766 hosts compromised in a single 24-hour period. Each compromised server represents a significant breach. The theft of **AWS** and **GitHub** credentials is particularly damaging, as these can be used to compromise entire cloud environments, access and poison source code repositories, or launch further supply chain attacks. For the victim organizations, this incident means not only is their web server compromised, but their core cloud and development infrastructure is also at immediate risk. The swift notification by Talos is critical to help these victims respond before the stolen credentials can be fully abused.\n\n## Detection & Response\n*   **Web Server & WAF Logs:** Monitor logs for HTTP requests to Server Function endpoints that contain suspicious serialized payloads. 
Signatures for **CVE-2025-55182** should be applied to Web Application Firewalls (WAFs).\n*   **Vulnerability Scanning:** The most effective detection is to actively scan for and identify vulnerable Next.js applications in your environment.\n*   **Credential Leakage Detection:** For victims, it is crucial to use the information provided by Talos to immediately rotate all exposed keys and credentials. Services like GitHub's secret scanning can also help detect committed credentials.\n*   **Incident Response:** Any server found to be vulnerable to React2Shell should be considered fully compromised. It should be isolated, forensically analyzed, and rebuilt from a known-good state. All credentials and secrets on the machine must be rotated.\n\n## Mitigation\n*   **Patch Immediately:** The primary mitigation is to patch the React2Shell vulnerability (**CVE-2025-55182**) in all Next.js applications. Given that the flaw was disclosed four months ago, any unpatched system is at extreme risk.\n*   **Secret Management:** Avoid storing secrets, API keys, and credentials in plaintext configuration files or environment variables on a web server. Use a dedicated secrets management solution like HashiCorp Vault or AWS Secrets Manager. This aligns with **[M1043 - Credential Access Protection](https://attack.mitre.org/mitigations/M1043/)**.\n*   **Egress Filtering:** Restrict outbound internet access from web servers. Servers should only be allowed to connect to specific, required endpoints, which can prevent exploit payloads from exfiltrating data to an attacker's database.\n*   **Web Application Firewall (WAF):** Deploy a WAF with rules specifically designed to block deserialization attacks and other attempts to exploit React2Shell. This is a form of **[M1050 - Exploit Protection](https://attack.mitre.org/mitigations/M1050/)**.","😂 OPSEC FAIL: Hackers exploiting React2Shell (CVE-2025-55182) left their credential harvesting dashboard exposed. 
Cisco Talos gained access, revealing stolen AWS & GitHub keys from hundreds of victims. #React2Shell #CyberSecurity #Hacking #OpSec","Cisco Talos researchers accessed a hacker group's dashboard used to collect credentials stolen by exploiting the React2Shell vulnerability (CVE-2025-55182).",[13,14,15],"Vulnerability","Threat Intelligence","Threat Actor","high",[18,21,25,28,32],{"name":19,"type":20},"UAT-10608","threat_actor",{"name":22,"type":23,"url":24},"Cisco Talos","security_organization","https://www.talosintelligence.com/",{"name":26,"type":27},"Next.js","product",{"name":29,"type":30,"url":31},"Amazon Web Services (AWS)","company","https://aws.amazon.com/",{"name":33,"type":30,"url":34},"GitHub","https://github.com/",[36],{"id":37,"kev":38},"CVE-2025-55182",false,[40,45],{"url":41,"title":42,"friendly_name":43,"website":44},"https://www.csoonline.com/article/2126239/security-lapse-lets-researchers-view-react2shell-hackers-dashboard.html","Security lapse lets researchers view React2Shell hackers' dashboard","CSO Online","csoonline.com",{"url":46,"title":47,"friendly_name":48,"website":49},"https://www.action1.com/blog/react2shell-vulnerability-actively-exploited-in-the-wild/","React2Shell Vulnerability (CVE-2025-55182) Actively Exploited in the Wild","Action1","action1.com",[],[52,55,58,61],{"id":53,"name":54},"T1190","Exploit Public-Facing Application",{"id":56,"name":57},"T1552.001","Credentials In Files",{"id":59,"name":60},"T1552.005","Cloud API Credentials",{"id":62,"name":63},"T1005","Data from Local System",[65,70,74,78],{"id":66,"name":67,"description":68,"domain":69},"M1051","Update Software","The most important mitigation is to patch the CVE-2025-55182 vulnerability in all Next.js applications.","enterprise",{"id":71,"name":72,"description":73,"domain":69},"M1043","Credential Access Protection","Use dedicated secrets management solutions instead of storing credentials in files or environment variables on web 
servers.",{"id":75,"name":76,"description":77,"domain":69},"M1050","Exploit Protection","Implement a Web Application Firewall (WAF) with rules to detect and block deserialization attacks targeting this vulnerability.",{"id":79,"name":80,"description":81,"domain":69},"M1037","Filter Network Traffic","Apply strict egress filtering to web servers to prevent them from connecting to unauthorized external databases or C2 servers.",[],[],[85,91,96],{"type":86,"value":87,"description":88,"context":89,"confidence":90},"url_pattern","/api/server-function-endpoint","The attack targets a Server Function endpoint in Next.js. Look for POST requests to such endpoints with unusual or large serialized data in the body.","Web server logs, WAF logs","medium",{"type":92,"value":93,"description":94,"context":95,"confidence":16},"process_name","node","The Next.js process. Monitor for this process spawning child processes (like `sh`, `bash`, `curl`, `wget`) used to execute commands or exfiltrate data.","EDR, Process monitoring logs",{"type":97,"value":98,"description":99,"context":100,"confidence":16},"network_traffic_pattern","Outbound connections from web server to unknown IPs","A compromised server may try to connect to an attacker's C2 or data collection server. Any outbound traffic not part of normal application function is suspicious.","Firewall logs, Netflow",[102,37,26,22,103,104,105],"React2Shell","vulnerability","credential harvesting","OPSEC","2026-04-04T15:00:00.000Z","NewsArticle",{"geographic_scope":109,"industries_affected":110,"other_affected":113},"global",[111,112],"Technology","Other",[114],"Any organization using vulnerable Next.js applications","2026-04-04",4,1775683840799]