Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts

A large-scale credential harvesting operation exploited CVE-2025-55182 (referred to as "React2Shell") to breach 766 Next.js hosts, targeting sensitive data including database credentials, SSH private keys, AWS secrets, shell command history, Stripe API keys, and GitHub tokens. The campaign was attributed by Cisco Talos to an unidentified threat cluster. No specific timeline or geographic targeting was disclosed. The attack leveraged the vulnerability as an initial infection vector to extract credentials at scale. The full scope of the breach and affected organizations remain unspecified.