⚡ Key Takeaways

A threat cluster tracked as UAT-10608 exploited CVE-2025-55182 (React2Shell), a CVSS 10.0 flaw in React Server Components, to breach 766 Next.js servers and harvest AWS keys, Stripe secrets, AI platform tokens, and database credentials at industrial scale. The vulnerability was patched in December 2025, but hundreds of servers remained exposed four months later.

Bottom Line: Any organization running Next.js 15.x or 16.x should verify patch status immediately and rotate all credentials accessible to the application runtime, as automated scanning tools are actively targeting unpatched deployments.


🧭 Decision Radar

Relevance for Algeria: High
Algeria’s growing web development community increasingly uses Next.js and React for government portals, fintech, and e-commerce platforms. Any unpatched deployments are immediately exploitable by the same automated scanning tools.

Infrastructure ready: Partial
Algerian hosting providers and cloud deployments exist but patch management maturity varies significantly across organizations, making prolonged exposure likely.

Skills available: Partial
Algerian developers are proficient in React/Next.js, but dedicated application security expertise for supply chain vulnerability triage remains limited outside major enterprises.

Action timeline: Immediate
This is an actively exploited vulnerability with automated tooling. Any delay in patching multiplies risk.

Key stakeholders: CTOs, DevOps engineers, application security teams

Decision type: Tactical

This requires immediate operational response — patching, credential rotation, and detection rule deployment — rather than long-term strategic planning.

Quick Take: Any organization in Algeria running Next.js applications should audit their React and Next.js versions today and patch immediately. Rotate all cloud credentials, API keys, and database passwords accessible to the application runtime. Implement WAF rules as a stopgap while scheduling upgrades.

The Vulnerability That Scores a Perfect 10

In December 2025, the React team disclosed CVE-2025-55182 — a pre-authentication remote code execution flaw in React Server Components rated CVSS 10.0, the maximum severity score. Dubbed “React2Shell” by researchers, the vulnerability stems from insecure deserialization within the Flight protocol that React Server Components use to serialize data between client and server. A single malicious HTTP request to an affected Server Function endpoint is enough to execute arbitrary code on the target machine, with no credentials required.

The flaw affects React versions 19.0 through 19.2.0 and Next.js releases across the 15.x and 16.x branches. Patches were issued on December 4, 2025 — React 19.0.1, 19.1.2, and 19.2.1, along with multiple Next.js point releases. Four months later, hundreds of production servers remain unpatched, and attackers have industrialized the exploitation pipeline.

UAT-10608 and the NEXUS Listener Framework

In April 2026, Cisco Talos published a detailed analysis of a large-scale automated credential harvesting campaign carried out by a threat cluster tracked as UAT-10608. The operation compromised at least 766 hosts across multiple geographic regions and cloud providers in a rapid, automated sweep.

The attack chain begins with automated scanning — likely leveraging host profile data from services such as Shodan or Censys to enumerate publicly reachable Next.js deployments. Once a vulnerable target is identified, the attacker sends a crafted HTTP request exploiting CVE-2025-55182 to gain remote code execution. A multi-phase dropper is then deployed, beginning with a shell script dropped into `/tmp/` with a randomized, dot-prefixed filename designed to evade casual detection.

All stolen data flows to a command-and-control server running a custom web interface called NEXUS Listener. The GUI provides the operator with pre-compiled statistics on harvested credentials and compromised hosts, turning mass exploitation into a searchable database of stolen secrets.


What the Attackers Harvest

The breadth of data exfiltrated from each compromised host is staggering. According to Talos, the dropper harvests:

  • Cloud credentials: AWS access key and secret pairs, Azure subscription credentials, and cloud instance metadata (IMDS) tokens
  • Payment processing keys: Stripe live secret keys capable of initiating real transactions
  • AI platform tokens: API keys for OpenAI, Anthropic, NVIDIA NIM, and OpenRouter
  • Source control: GitHub personal access tokens and GitLab tokens
  • Infrastructure secrets: SSH private keys, Kubernetes tokens, Docker configurations, and database connection strings with cleartext passwords
  • Operational intelligence: Shell command history and runtime environment variables

For organizations running Next.js applications in cloud environments, a single compromised server can expose the keys to every connected service — from payment processing to AI inference to source code repositories.

Why Four Months of Exposure Matters

The vulnerability was disclosed and patched in December 2025. The mass exploitation campaign Talos documented occurred in early 2026. This four-month gap highlights a persistent pattern in enterprise security: critical patches sit unapplied while attackers automate exploitation at scale.

Microsoft’s security blog published a defender’s guide on December 15, 2025. Wiz and Palo Alto Unit 42 released their own analyses. Despite widespread awareness in the security community, hundreds of production deployments remained exposed.

The indiscriminate nature of the campaign — scanning broadly rather than targeting specific organizations — means any internet-facing Next.js application running an unpatched version is a viable target regardless of its size, industry, or geography.

Detection and Remediation

Talos identifies several indicators that defenders should investigate immediately:

  • Unexpected processes spawned from `/tmp/` with randomized dot-prefixed names (e.g., `/tmp/.e40e7da0c.sh`)
  • `nohup` invocations in process listings not associated with known application workflows
  • Unusual outbound HTTP/S connections from application containers to non-production endpoints
  • Evidence of `__NEXT_DATA__` containing server-side secrets in rendered HTML
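
As an added illustration (not code from the Talos report or from this article), the first two indicators above expressed as a check over a constructed `ps` listing; the allowlist of known `nohup` targets is a hypothetical placeholder that each team would fill from its own workflows:

```python
import re

# Constructed sample of `ps -eo pid,ppid,user,args` output; not real data.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
 1203     1 node     node /app/node_modules/.bin/next start
 4410  1203 node     /bin/sh /tmp/.e40e7da0c.sh
 4412  4410 node     nohup /tmp/.e40e7da0c.sh
 4420     1 node     nohup node /app/scripts/rebuild-index.js
 4430     1 node     nohup /opt/cache/refresh.sh
 5001     1 root     /usr/sbin/sshd -D
"""

# Indicator 1: a command line referencing a dot-prefixed file directly under /tmp/
# (the campaign used randomized names such as /tmp/.e40e7da0c.sh).
TMP_DOTFILE = re.compile(r"(?:^|[\s=])/tmp/\.[A-Za-z0-9._-]+")
# Indicator 2: a nohup invocation whose target is not a known application workflow.
NOHUP = re.compile(r"(?:^|\s)nohup\s+(\S+)")

# Hypothetical allowlist: first token after nohup for jobs the app legitimately backgrounds.
KNOWN_NOHUP_TARGETS = {"node"}


def scan_ps_listing(text, known_nohup=KNOWN_NOHUP_TARGETS):
    """Return [(pid, reason, cmdline)] for rows matching either indicator."""
    findings = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)             # pid, ppid, user, full command line
        if len(parts) < 4:
            continue
        pid, _ppid, _user, cmd = parts
        if TMP_DOTFILE.search(cmd):
            findings.append((int(pid), "dot-prefixed script under /tmp/", cmd))
            continue                              # one reason per row is enough
        m = NOHUP.search(cmd)
        if m and m.group(1) not in known_nohup:
            findings.append((int(pid), "nohup outside known workflows", cmd))
    return findings


if __name__ == "__main__":
    for pid, reason, cmd in scan_ps_listing(SAMPLE_PS):
        print(f"PID {pid}: {reason}: {cmd}")
```

Run it against real `ps -eo pid,ppid,user,args` output piped in from each application host; hits are leads to triage, not proof of compromise.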

The primary remediation is straightforward: upgrade to patched versions. For Next.js, the fixed releases are 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. For React, upgrade to 19.0.1, 19.1.2, or 19.2.1. Organizations that cannot patch immediately should implement WAF rules to block malicious serialized payloads targeting Server Function endpoints and audit all environment variables accessible to the application runtime.
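An added example, not code from this article or from the Next.js project, that applies the fixed-version list above to the exact versions recorded in a `package-lock.json`; branches the list above does not name are reported as unknown rather than guessed, and the lockfile fragment is constructed:

```python
import json
import re

# Fixed releases named above, keyed by minor branch.
NEXT_FIXED = {"15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
              "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7"}
REACT_FIXED = {"19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1"}
FIXED = {"next": NEXT_FIXED, "react": REACT_FIXED}


def parse_version(v):
    """'15.4.8-canary.3' -> ((15, 4, 8), 'canary.3'); a pre-release sorts before its release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def status(package, version):
    """'patched', 'vulnerable' or 'unknown' for one installed version of next or react."""
    nums, pre = parse_version(version)
    branch = f"{nums[0]}.{nums[1]}"
    table = FIXED.get(package, {})
    if branch not in table:
        return "unknown"          # branch not in the list above: consult the vendor advisory
    fixed, _ = parse_version(table[branch])
    if nums > fixed or (nums == fixed and pre is None):
        return "patched"
    return "vulnerable"


def audit_lockfile(lock_text):
    """Report {package: (version, status)} for next and react in a package-lock.json (v2/v3)."""
    report = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]   # also handles nested node_modules paths
        if name in FIXED and "version" in meta:
            report[name] = (meta["version"], status(name, meta["version"]))
    return report


# Constructed lockfile fragment for demonstration, not taken from any real project.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/next": {"version": "15.4.7"},
    "node_modules/react": {"version": "19.2.1"},
}})

if __name__ == "__main__":
    for name, (ver, st) in sorted(audit_lockfile(SAMPLE_LOCK).items()):
        print(f"{name:6} {ver:10} {st}")   # next 15.4.7 vulnerable, react 19.2.1 patched
```

Run it over the lockfile of every deployed application, not only the ones developers remember as using Server Components, since the version installed is what matters.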

Beyond patching, any organization that ran a vulnerable version should rotate all credentials that were accessible to the application’s runtime environment — including cloud keys, API tokens, database passwords, and SSH keys.


Frequently Asked Questions

What is React2Shell and why is it rated CVSS 10.0?

React2Shell (CVE-2025-55182) is a pre-authentication remote code execution vulnerability in React Server Components caused by insecure deserialization in the Flight protocol. It scores the maximum CVSS 10.0 because it requires no credentials, no user interaction, and allows full system compromise through a single HTTP request. Patches have been available since December 4, 2025.

How can organizations detect if they have been compromised by UAT-10608?

Defenders should look for unexpected processes spawned from `/tmp/` with randomized dot-prefixed filenames, unusual `nohup` invocations, and outbound connections to unknown endpoints from application containers. Cisco Talos recommends auditing whether `__NEXT_DATA__` in rendered HTML contains server-side secrets, which would indicate the application was leaking sensitive environment variables.

Which credentials should be rotated after patching a vulnerable Next.js deployment?

All credentials accessible to the application’s runtime environment must be rotated, including AWS access keys, Azure credentials, Stripe API keys, GitHub and GitLab tokens, SSH private keys, database connection strings, and any AI platform API keys (OpenAI, Anthropic, etc.). The UAT-10608 campaign harvests every credential type available in the process environment.
