React2Shell Exploitation Exposed Internet-Facing Next.js Apps to Large-Scale Credential Theft

UAT-10608 used a critical Next.js remote code execution flaw against publicly reachable applications, then harvested cloud credentials, API keys, SSH material and infrastructure metadata from compromised hosts

Cisco Talos reported that UAT-10608 exploited the React2Shell vulnerability, tracked as CVE-2025-55182, to gain remote code execution on publicly reachable Next.js applications and harvest credentials at scale across at least 766 hosts.

The operational lesson is not limited to patching a software flaw. Talos’ findings show how direct internet exposure of application servers, combined with weak network isolation and excessive credential availability on hosts, turned an application-layer bug into broad infrastructure compromise. Post-compromise scripts collected environment variables, SSH keys, shell history, Kubernetes service account tokens, Docker configuration, cloud metadata credentials and third-party API secrets, creating clear paths for follow-on attacks.

The incident reinforces several governance and cloud security lessons: internet-facing application entry points require protective controls in front of the workload, exposed services must be continuously mapped and credential access on compute must be constrained. SkySiege would assess whether vulnerable applications are directly reachable from the internet, whether firewalls and security groups adequately restrict access, whether instance metadata services are hardened and whether exposed workloads can yield secrets or privilege escalation paths after compromise.

What went wrong

What’s happening: Internet-facing Next.js applications became the initial breach point.
Cause: Talos assessed UAT-10608 targeted publicly reachable Next.js deployments vulnerable to CVE-2025-55182, likely identified through automated scanning of exposed hosts.
Action: Validate all application entry points are mapped and that no application server is directly reachable from the internet without protective network controls. SkySiege would assess public exposure across cloud assets, review security groups, firewall rules, public IP assignments and load balancer paths, and identify workloads reachable from the internet.

What’s happening: A software vulnerability escalated into host-level compromise.
Cause: The React Server Components and Next.js App Router flaw enabled remote code execution, allowing the attacker to deploy the NEXUS Listener framework and harvesting scripts.
Action: Validate vulnerable framework versions are identified and remediated quickly, especially for internet-exposed workloads. SkySiege would assess exposed application footprints, correlate reachable services to vulnerable software where evidence exists and flag high-risk internet-facing application architectures.

What’s happening: Sensitive secrets were available on compromised hosts.
Cause: Talos observed theft of environment variables, JSON runtime environment data, database credentials, Stripe keys, GitHub and GitLab tokens, webhook secrets, Telegram bot tokens and other application secrets.
Action: Validate secrets are not stored broadly in environment variables or accessible plaintext locations on compute instances. SkySiege would assess where workloads may expose secrets through configuration patterns, IAM attachment and reachable compute roles, then identify systems where compromise would expose high-value credentials.

What’s happening: Cloud privilege could be expanded through metadata access.
Cause: The harvesting scripts queried the Instance Metadata Service for AWS, GCP and Azure to obtain role-associated temporary credentials.
Action: Validate metadata services are hardened and cloud roles follow least privilege. For AWS, confirm IMDSv2 enforcement and review attached instance roles. SkySiege would assess compute instances for metadata hardening posture, attached IAM roles and whether compromised hosts could obtain excessive cloud permissions.

What’s happening: Lateral movement and persistence opportunities were created.
Cause: Attackers collected SSH private keys, authorized_keys, shell history, Kubernetes service account tokens, Docker container details, running processes, mounts, ports and network configuration.
Action: Validate whether workloads expose credentials or operational artefacts that enable lateral movement. SkySiege would assess SSH key reuse risk, container and Kubernetes access paths, service account exposure and whether host compromise can reveal internal topology or administrative access.

What’s happening: The attackers gained a usable map of victim infrastructure.
Cause: Talos noted the stolen dataset provided visibility into services, cloud providers, configurations and third-party integrations, increasing its value for follow-on attacks and access resale.
Action: Validate that exposed systems do not reveal unnecessary architectural data and that segmentation limits blast radius. SkySiege would assess external exposure, internal trust assumptions and how compromised workloads could disclose infrastructure structure, integrations and business-critical dependencies.

What’s happening: Detection likely lagged behind automated compromise.
Cause: The campaign was broad, indiscriminate and automated, with a mature NEXUS Listener V3 platform aggregating stolen data and statistics from many hosts.
Action: Validate whether detection exists for mass exploitation attempts, suspicious metadata queries, secret harvesting behaviour and outbound exfiltration from application hosts. SkySiege would assess logging coverage, cloud control visibility and where snapshot evidence suggests weak detective controls around internet-exposed workloads.
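The IMDSv2 and instance-role check called for above, as an added example that is not from the Talos report or SkySiege's tooling: it audits the JSON shape returned by `aws ec2 describe-instances` offline against a constructed sample (instance IDs and the ARN are placeholders) and prints the exact CLI remediation for each weak host.

```python
from typing import Dict, List


def audit_imds(reservations: List[dict]) -> List[Dict[str, object]]:
    """One finding per instance whose metadata posture would let a post-RCE
    script pull role credentials with a single unauthenticated GET."""
    findings = []
    for res in reservations:
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue  # IMDS disabled: nothing to harvest here
            tokens = opts.get("HttpTokens", "optional")  # AWS default allows IMDSv1
            hop = int(opts.get("HttpPutResponseHopLimit", 1))
            issues = []
            if tokens != "required":
                issues.append("IMDSv1 allowed (HttpTokens=%s)" % tokens)
                if "IamInstanceProfile" in inst:
                    issues.append("instance role credentials reachable without a session token")
            if hop > 1:
                issues.append("hop limit %d lets containers on the host reach IMDS" % hop)
            if issues:
                findings.append({"InstanceId": inst["InstanceId"], "Issues": issues,
                                 "Fix": remediation_command(inst["InstanceId"])})
    return findings


def remediation_command(instance_id: str) -> str:
    """AWS CLI call that enforces IMDSv2 and a hop limit of 1 on one instance."""
    return ("aws ec2 modify-instance-metadata-options --instance-id %s "
            "--http-tokens required --http-put-response-hop-limit 1" % instance_id)


# Constructed sample in describe-instances shape; IDs and ARN are placeholders.
SAMPLE = [{"Instances": [
    {"InstanceId": "i-0aaa11111111111aa",   # Next.js host with a role attached
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/web"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb22222222222bb",   # hardened host
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
]}]

if __name__ == "__main__":
    for f in audit_imds(SAMPLE):
        print(f["InstanceId"], "; ".join(f["Issues"]))
        print("   fix:", f["Fix"])
```

Feed it the live output of `aws ec2 describe-instances --query "Reservations"` to run the same check across a real account.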

Why this matters

This incident shows how an application-layer vulnerability becomes an enterprise-wide cloud risk when internet exposure, weak segmentation and permissive credential design coexist. The key failure was not only the presence of a critical bug in a widely deployed framework, but the fact that vulnerable application hosts were directly reachable and able to yield infrastructure secrets immediately after compromise.

From a detection and visibility standpoint, this creates a serious gap. If organisations do not continuously map every public endpoint, they may not know which workloads are externally reachable, which are running exploitable software or which instances can expose cloud credentials through metadata services. That is a governance problem as much as a security problem: ownership of internet-facing services, firewalling standards and secret handling controls were either absent or inconsistently enforced.
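Host-level detection for the three post-compromise behaviours the report describes (the application server spawning a shell, an unexpected process querying the metadata service, and one process reading several credential files), as an added example that is not from Talos or SkySiege. It assumes the Next.js server runs under a process named `node`, that the allowlisted metadata clients suit your fleet, and runs over constructed auditd/eBPF-style events embedded below.

```python
import re
from collections import defaultdict

# Artefacts the report says the harvesting scripts collected; the regexes are mine.
SECRET_PATHS = [
    r"/\.ssh/(id_[a-z0-9]+|authorized_keys)$",
    r"/\.(bash|zsh)_history$",
    r"^/var/run/secrets/kubernetes\.io/serviceaccount/token$",
    r"/\.docker/config\.json$",
]
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}  # AWS/Azure, GCP
ALLOWED_IMDS_CLIENTS = {"amazon-ssm-agent", "cloud-init"}  # assumption: tune per fleet
APP_SERVER = "node"   # assumption: the Next.js server runs under Node.js
SHELLS = {"sh", "bash", "dash"}


def detect(events):
    """Return one alert per post-RCE behaviour: app server spawning a shell,
    an unexpected process querying instance metadata, or one process reading
    three or more credential files. Events are simplified auditd-style dicts."""
    alerts, reads = [], defaultdict(set)
    for e in events:
        if e["type"] == "exec" and e.get("parent_comm") == APP_SERVER and e["comm"] in SHELLS:
            alerts.append(f"pid {e['pid']}: app server spawned shell: {e['argv']}")
        elif e["type"] == "connect" and e["dest"] in METADATA_HOSTS \
                and e["comm"] not in ALLOWED_IMDS_CLIENTS:
            alerts.append(f"pid {e['pid']}: {e['comm']} queried instance metadata at {e['dest']}")
        elif e["type"] == "open" and any(re.search(p, e["path"]) for p in SECRET_PATHS):
            reads[e["pid"]].add(e["path"])
            if len(reads[e["pid"]]) == 3:  # fire once, at the third distinct secret file
                alerts.append(f"pid {e['pid']}: credential harvesting: {sorted(reads[e['pid']])}")
    return alerts


# Constructed telemetry (not from the report): a payload under node spawns sh,
# a child curls IMDS, another reads SSH, history and Kubernetes token files.
EVENTS = [
    {"type": "exec", "pid": 4101, "comm": "sh", "parent_comm": "node", "argv": "sh -c <redacted>"},
    {"type": "connect", "pid": 4102, "comm": "curl", "dest": "169.254.169.254"},
    {"type": "connect", "pid": 812, "comm": "amazon-ssm-agent", "dest": "169.254.169.254"},
    {"type": "open", "pid": 4103, "comm": "cat", "path": "/home/app/.ssh/id_rsa"},
    {"type": "open", "pid": 4103, "comm": "cat", "path": "/home/app/.bash_history"},
    {"type": "open", "pid": 4103, "comm": "cat", "path": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"type": "open", "pid": 4103, "comm": "cat", "path": "/home/app/.docker/config.json"},
    {"type": "open", "pid": 2200, "comm": "sshd", "path": "/home/app/.ssh/authorized_keys"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The SSM agent's metadata call and sshd's single read of authorized_keys are deliberately left silent so the rules stay usable on a normal host.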

The business impact is material. Stolen database credentials, source control tokens, payment platform keys and cloud access can drive service disruption, fraud, downstream customer impact and costly incident response. Where compromised hosts expose third-party integrations or regulated data paths, legal and compliance exposure can follow. Reputationally, indiscriminate compromise of public-facing applications signals weak perimeter governance and poor workload hardening, both of which are significant diligence concerns in cloud-heavy environments.
