A large-scale cyberattack has compromised at least 766 web servers running the popular Next.js framework. The attackers exploited a critical security flaw, tracked as CVE-2025-55182, to steal sensitive credentials and data from the affected hosts.

The operation was identified by Cisco Talos, the threat intelligence division of Cisco Systems. Researchers observed the attackers using the vulnerability, also known as “React2Shell,” as an initial point of entry. Once inside a system, they deployed scripts designed to harvest a wide array of confidential information.

Scope and Impact of the Data Theft

The stolen data includes database login credentials, private SSH keys, and secrets for Amazon Web Services (AWS) cloud accounts. The attackers also exfiltrated shell command histories, which can reveal system configurations and administrative actions. Furthermore, payment processing keys for the Stripe platform and access tokens for the GitHub code repository service were targeted.

This type of comprehensive credential harvest provides threat actors with significant leverage. They can use the stolen data to gain deeper access to corporate networks, manipulate or steal proprietary source code, initiate financial fraud, or compromise cloud infrastructure. The scale of the attack, affecting hundreds of hosts, indicates a coordinated effort aimed at maximizing the yield of valuable access keys.

Attribution and Technical Background

Cisco Talos has linked this campaign to a threat cluster it monitors internally. The group’s specific identity or location was not disclosed in the initial report. The vulnerability they exploited, CVE-2025-55182, resides within certain configurations of Next.js, a React-based framework used by developers to build web applications.

The flaw allows for remote code execution, meaning an attacker can run arbitrary commands on a vulnerable server without needing prior authentication. This makes it a severe and highly sought-after vector for initial compromise. Security advisories detailing the vulnerability and providing patches were previously released by the maintainers of Next.js.

Response and Mitigation Advice

Organizations using Next.js are urged to immediately verify that their deployments are updated to a patched version that addresses CVE-2025-55182. System administrators should also review server access logs for any suspicious activity dating back to the vulnerability’s public disclosure. Rotating all potentially exposed credentials, including API keys, database passwords, and cloud service secrets, is considered a critical step.

Security experts recommend implementing the principle of least privilege for all service accounts and routinely auditing access keys. Monitoring network traffic for unexpected outbound connections to unknown destinations can also help detect ongoing exfiltration attempts.

Looking Ahead

Cisco Talos is expected to release a more detailed technical analysis of the attack methodology and indicators of compromise. This will aid other security teams in hunting for similar breaches within their own environments. Law enforcement agencies may be notified given the scale of the credential theft. The incident underscores the persistent risk that unpatched, high-severity vulnerabilities in widely used software platforms pose to global internet security, prompting renewed calls for rapid patch deployment across the industry.

Source: Cisco Talos