Security · 5 min read · Source: The Hacker News

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

By Redakcja Pixelift (Pixelift editorial staff)

Photo: The Hacker News

It took only a few days for hackers to exploit the critical CVE-2025-55182 vulnerability and seize control of 766 hosts built on the Next.js framework, leading to a massive theft of authentication credentials. According to the latest report from Zscaler ThreatLabz, the integration of AI with offensive tools has drastically shortened the time security teams have to respond, making remote access the fastest path to breaching IT infrastructure. Server-Side Request Forgery (SSRF) attacks allowed the perpetrators to exfiltrate sensitive API keys and session tokens directly from server memory, bypassing traditional perimeter security.

For developers and creators working in the Next.js ecosystem and with Cloud Native technologies, this calls for an immediate review of production environment configurations and the adoption of a Zero Trust architecture. The scale of the incident shows that automation on the cybercriminal side eliminates the margin for error when managing dependencies in modern web applications. In the era of AI-driven threats, static protection methods are becoming useless against exploits capable of infecting hundreds of instances in real time. A key step for the global creative community is now the transition to rigorous multi-factor authentication and dynamic traffic monitoring, to neutralize the risk of digital identity takeover at the infrastructure level.

The cybersecurity world is facing one of the most precise and devastating attacks yet targeting modern web frameworks. Exploiting a vulnerability designated CVE-2025-55182, a group of hackers breached the security of 766 Next.js hosts and launched a credential theft operation on an unprecedented scale. This event sheds new light on the vulnerability of React-based infrastructure, which until now was considered relatively secure as long as standard update procedures were followed.

The scale of the incident is particularly alarming because it strikes directly at the foundations of modern development. Next.js is currently the market standard for applications built on React, and its popularity means that any critical vulnerability becomes a "key to the kingdom" for criminal groups. According to the latest reports, including the Zscaler ThreatLabz 2026 VPN Risk Report, the automation of attack processes has drastically shortened human response time, making remote access the fastest path to a corporate security breach.

The React2Shell mechanism and anatomy of infection

A key element of this operation is the use of an infection vector known as React2Shell. The CVE-2025-55182 vulnerability allows attackers to perform remote code execution, which in practice means taking control over the Server-Side Rendering (SSR) process. The hackers do not limit themselves to merely disabling services – their goal is deep infiltration and exfiltration of an organization's most sensitive digital assets.

[Image: Threats in the Next.js ecosystem. Analysis of attack vectors exploiting vulnerability CVE-2025-55182 in cloud environments.]

After gaining initial access, the attackers' scripts automatically search file systems for environment variables and configuration files. This operation, monitored by Cisco Talos, demonstrates a high degree of professionalism – the attackers know exactly where to look for keys that will allow them to further escalate privileges within complex microservices architectures.

The list of stolen data includes critical assets that can be used for a complete takeover of a company's infrastructure:

  • SSH private keys – enabling unrestricted lateral movement across production servers.
  • Amazon Web Services (AWS) Secrets – opening the way to cloud resources, databases, and backups.
  • Stripe API keys – providing access to payment systems and customer financial data.
  • GitHub tokens – allowing for source code theft or injecting malicious code into repositories (Supply Chain Attack).
  • Shell command history – helping the attacker understand the network topology and identify the next systems to reach.

Artificial Intelligence as an accelerator of breaches

The aforementioned Zscaler ThreatLabz 2026 report highlights a disturbing trend: AI has drastically narrowed the time window in which administrators can react to an incident. In the case of the attack on 766 Next.js hosts, hackers used automated tools for mass scanning and immediate data exfiltration. Traditional defense methods, relying on manual log analysis, become useless when the process from vulnerability detection to the theft of database credentials takes only seconds.

What we are observing with CVE-2025-55182 is an evolution of "credential harvesting" threats. Attackers are no longer looking for individual user passwords, but are targeting "machine identity." Seizing AWS secrets or GitHub tokens allows for operations within an organization's trusted perimeter, making intruder detection nearly impossible for standard antivirus systems.

[Image: Cybersecurity and AI. Impact of automation on the speed of attack escalation in Next.js infrastructure.]

Security teams from Cisco Talos indicate that the threat cluster responsible for this operation exhibits characteristics of a well-organized group with advanced technical backing. The exploitation of a specific vulnerability in Next.js suggests that the attackers conducted an in-depth analysis of the framework's source code before deciding to strike such a large number of targets simultaneously.

Systemic risk and the need to redefine protection

The exploitation of React2Shell is a warning signal for the entire technology industry. The problem is not just about code errors, but the way we manage secrets in modern applications. Storing Stripe or AWS keys in locations accessible to the web process (even if they are environment variables) ends in disaster when an RCE (Remote Code Execution) vulnerability occurs.

"Artificial intelligence has eliminated the human margin for error and transformed remote access into the fastest path to a security breach." – Zscaler ThreatLabz 2026 VPN Risk Report.

In the face of such sophisticated attacks, relying on traditional VPN solutions or simple firewalls is insufficient. Next.js infrastructure requires the implementation of a Zero Trust strategy at the application level. Every process, even those inside a container, should have the minimum necessary privileges, and access to secrets should be dynamically granted and rotated by external identity management systems.

Analysis of CVE-2025-55182 shows that hackers are increasingly bypassing the front-end, striking directly at the server logic layer of JavaScript frameworks. This is where the most valuable data is located, allowing for the monetization of the attack through financial theft (Stripe keys) or blackmail based on hijacked source code and customer data from SQL databases.

A new security paradigm for frameworks

The data theft from 766 hosts is likely just the tip of the iceberg. Attacks of this type tend to spread as other criminal groups adopt similar techniques based on React2Shell. Developers using Next.js must immediately verify their configurations and ensure they are not vulnerable to CVE-2025-55182 by updating to patched versions of the framework.

Key mitigation steps should include:

  • Immediate rotation of all AWS secrets and GitHub tokens that may have been exposed to the server.
  • Review of logs and shell command history for unusual commands.
  • Implementation of "Secret Scanning" mechanisms to detect accidentally published keys in code or container images.
  • Transitioning to a Keyless access model where possible, utilizing IAM roles instead of static API keys.

This incident proves that the era of "security through trust in the framework" has come to an end. In a world where AI assists attackers in finding and exploiting vulnerabilities in real-time, the only effective strategy is to assume that the system has already been compromised (Assume Breach). Only such an approach will allow for the limitation of damage in the event of subsequent critical vulnerabilities, which will certainly appear in the ecosystem of creative and development tools.
