A New Threat Cluster Emerges With Automated Precision
Researchers at Cisco Talos have detailed an ongoing, cross-industry credential theft campaign attributed to a previously untracked threat cluster designated UAT-10608. The operation targets publicly accessible Web applications vulnerable to a critical pre-authentication remote code execution flaw known as React2Shell, formally tracked as CVE-2025-55182. Once a foothold is established, attackers hand off nearly all subsequent activity to an automated framework called NEXUS Listener, which harvests and organizes stolen data at scale.
According to the report published by Cisco Talos analysts Asheer Malhotra and Brandon White, the campaign had already resulted in the compromise of at least 766 hosts across multiple geographic regions and cloud providers at the time of writing — a number that underscores the industrial efficiency with which UAT-10608 operates.
Understanding CVE-2025-55182 and the React2Shell Vulnerability
React2Shell affects React Server Components (RSCs) and any framework built on top of them, most notably Next.js. The vulnerability was disclosed late last year and came under widespread exploitation soon afterward. Its core weakness lies in the way affected endpoints handle inbound HTTP requests: server-side code deserializes request payloads without adequate validation or sanitization, enabling attackers to achieve arbitrary code execution in the server-side Node.js process.
Critically, exploitation requires no authentication. An attacker simply crafts a malicious serialized payload and sends it directly to a Server Function endpoint via an HTTP request. The server processes the payload without any credential check, immediately granting the attacker code execution in the application's runtime environment.
"The server deserializes the malicious payload, resulting in arbitrary code execution in the server-side Node.js process." — Cisco Talos analysts Asheer Malhotra and Brandon White
How the Attack Unfolds: A Partially Automated Sequence
The campaign's attack chain is distinguished by the limited degree of manual effort required from the threat actors. The process breaks down into two distinct phases:
- Initial exploitation (operator-driven): Attackers identify publicly reachable Next.js deployments and probe them for the React configuration weaknesses described above. Talos assesses that victim discovery is most likely automated, using host profile data from services such as Shodan or Censys or from custom-built scanners; exploitation itself is the step that still involves the operators, who craft a malicious serialized payload and deliver it to a vulnerable Server Function endpoint in an unauthenticated HTTP request.
- Automated exfiltration (NEXUS Listener): After initial access is confirmed, human operators step back and NEXUS Listener takes over entirely. The framework autonomously extracts credentials, SSH keys, cloud tokens, and environment secrets from the compromised system and transmits them to attacker-controlled infrastructure.
The researchers described this division of labor as consistent with skilled threat actors who prioritize maximizing the breadth of their victim pool while minimizing operational overhead.
"The breadth of the victim set and the indiscriminate targeting pattern is consistent with automated scanning — likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities." — Cisco Talos
NEXUS Listener: More Than a Collection Tool
NEXUS Listener is far more sophisticated than a basic data-exfiltration utility. It functions simultaneously as a command-and-control (C2) platform and an analytics dashboard, complete with a graphical user interface (GUI) that provides in-depth statistics and search capabilities. This design allows operators to sift through stolen data as though it were a structured intelligence database rather than a raw dump of files.
The researchers noted that this architecture dramatically elevates the operational value of each breach:
"This structured data collection significantly enhances the operational value of the breach, effectively turning stolen credentials into a searchable intelligence dataset." — Cisco Talos
By providing a detailed map of victim infrastructure — including running services, cloud usage patterns, and third-party integrations — NEXUS Listener opens the door to a wide range of follow-on attack scenarios. These include:
- Further intrusion into connected systems and cloud environments
- Targeted social engineering campaigns using harvested personal or organizational data
- Sale of verified access credentials to other threat actors on criminal marketplaces
Scope and Targeting
The campaign does not appear to focus on any single industry vertical or geographic region. The indiscriminate nature of the targeting suggests that UAT-10608 is primarily interested in casting the widest possible net, compromising any organization running a vulnerable Next.js deployment regardless of sector. Victims span multiple geographic regions and cloud providers, reflecting both the global prevalence of Next.js as a Web framework and the effectiveness of automated scanning in identifying exposed endpoints.
Defensive Recommendations from Cisco Talos
Cisco Talos outlined several concrete steps that organizations can take to defend against UAT-10608 and similar campaigns:
- Patch CVE-2025-55182 immediately across every deployment that uses React Server Components, Next.js included. The researchers noted that attacks are still ongoing, indicating that many affected organizations have yet to apply the fix.
- Rotate all potentially exposed credentials and API keys, particularly those stored in environment files or accessible from the server-side runtime.
- Enforce least-privilege access principles to limit the blast radius of any future compromise.
- Avoid SSH key reuse across systems to prevent lateral movement using harvested keys.
- Restrict access to cloud metadata services to reduce the risk of cloud token theft.
- Implement secrets scanning in CI/CD pipelines and source repositories.
- Monitor for anomalous activity on Web application hosts, including unusual outbound connections and unexpected process spawning.
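The first recommendation is only actionable if you know which of your deployments still ship an affected React Flight server. The following is an added example written for this article, not Cisco Talos or Dark Reading tooling: it parses an npm package-lock.json (lockfile v2/v3), reports every copy of the react-server-dom-* packages (including nested copies), and compares each against a minimum-fixed-version table. The fixed versions in that table are an assumption recorded from the React advisory as remembered here and must be confirmed against the official advisory before use; Next.js vendors its own compiled copy of the Flight server, so the script reports the next version for a separate advisory check rather than issuing a verdict on it. The sample lockfile is constructed.

```python
"""Audit an npm lockfile for React Server Components packages affected by
CVE-2025-55182 (React2Shell). Added example, not Cisco Talos tooling."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Packages that carry the server-side Flight deserialisation code.
RSC_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
)
# Next.js bundles its own compiled copy of the Flight server, so its version
# must be checked against the Next.js advisory separately.
NEXT_PACKAGE = "next"

# Minimum patched release per affected minor line.
# ASSUMPTION: recorded from memory of the React advisory; verify before relying on it.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (19, 0): (19, 0, 1),
    (19, 1): (19, 1, 2),
    (19, 2): (19, 2, 1),
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); a prerelease suffix such as -canary is ignored."""
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True when the version is in an affected minor line and below its fix release.
    Minor lines absent from the table (e.g. 18.x) are treated as unaffected."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    return fixed is not None and (major, minor, patch) < fixed


def audit_lockfile(lock_json: str) -> List[dict]:
    """Walk the 'packages' map of a v2/v3 lockfile and report RSC-relevant packages.
    'vulnerable' is True/False for react-server-dom-*, None for next (check advisory)."""
    data = json.loads(lock_json)
    findings = []
    for path, meta in data.get("packages", {}).items():
        if not path or "version" not in meta:
            continue  # root project entry or link without a version
        name = path.rsplit("node_modules/", 1)[-1]
        verdict: Optional[bool]
        if name in RSC_PACKAGES:
            verdict = is_vulnerable(meta["version"])
        elif name == NEXT_PACKAGE:
            verdict = None
        else:
            continue
        findings.append({"package": name, "path": path,
                         "version": meta["version"], "vulnerable": verdict})
    return findings


# Constructed sample lockfile: one unpatched copy, one patched nested copy.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.3.1"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.2.1"},
    },
})

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(finding)
```

Run it against the real lockfile of each deployment (`audit_lockfile(open("package-lock.json").read())`); any react-server-dom-* entry with `vulnerable: True` is an unpatched Flight server, and every `next` entry needs its version checked against the Next.js advisory because a patched lockfile entry for React alone says nothing about the copy Next.js bundles.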
Specific Indicators of UAT-10608 Activity
Security teams investigating potential compromise can look for the following artifacts on Web application hosts, as identified by Cisco Talos:
- Unexpected processes spawned from /tmp/ with randomized dot-prefixed names
- nohup invocations in process listings not associated with known application workflows
- Unusual outbound HTTP/S connections from application containers to non-production endpoints
- Evidence of __NEXT_DATA__ containing server-side secrets in rendered HTML
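The indicators above can be checked without special tooling. The following is an added example for this article, not Cisco Talos code: it scans a process listing in `ps -eo pid,ppid,user,args` format for executables running from dot-prefixed paths under /tmp and for nohup invocations outside a per-host allow-list, and it extracts the `__NEXT_DATA__` JSON blob from rendered HTML to report any key whose name looks like a secret. The process listing, the allow-list and the HTML page are constructed for illustration; the secret-name pattern is a starting point to tune, not an exhaustive list.

```python
"""Triage helpers for the UAT-10608 host indicators. Added example, not Talos code."""
import json
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed `ps -eo pid,ppid,user,args` output: two benign rows, two suspicious.
SAMPLE_PS = """\
PID  PPID USER  ARGS
 812    1 root  /usr/sbin/sshd -D
1204  812 app   node /srv/app/node_modules/.bin/next start
1377 1204 app   nohup /tmp/.x9f3kq -c https://203.0.113.45/beacon
1391 1204 app   /tmp/.a7bz2 --loop
"""

# Known-good nohup targets for this host (ASSUMPTION: tune per environment).
NOHUP_ALLOWLIST = ("/srv/app/scripts/rotate-logs.sh",)

# A dot-prefixed executable directly under /tmp, e.g. /tmp/.x9f3kq
_TMP_DOTFILE = re.compile(r"(?:^|\s)/tmp/\.[A-Za-z0-9_-]{4,}(?:\s|$)")

# Key names that commonly hold secrets when they leak into page data.
SECRET_KEY_PATTERN = re.compile(
    r"(secret|token|password|passwd|api[_-]?key|private[_-]?key|aws_?access|credential)",
    re.IGNORECASE,
)


def suspicious_processes(ps_output: str) -> List[Dict[str, str]]:
    """Flag rows matching the /tmp dot-file and unexpected-nohup indicators."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, args = parts
        reasons = []
        if _TMP_DOTFILE.search(args):
            reasons.append("dot-prefixed executable under /tmp")
        argv = args.split()
        if argv[0] == "nohup" and not any(a in NOHUP_ALLOWLIST for a in argv[1:]):
            reasons.append("nohup outside allow-list")
        if reasons:
            hits.append({"pid": pid, "ppid": ppid, "user": user,
                         "args": args, "reasons": "; ".join(reasons)})
    return hits


class _NextDataExtractor(HTMLParser):
    """Collects the body of <script id="__NEXT_DATA__" type="application/json">."""
    def __init__(self) -> None:
        super().__init__()
        self._in_target = False
        self.payload: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("id") == "__NEXT_DATA__":
            self._in_target = True

    def handle_data(self, data):
        if self._in_target:
            self.payload = (self.payload or "") + data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_target = False


def _walk(obj, path: str, out: List[str]) -> None:
    """Depth-first walk recording JSON paths whose key looks secret-bearing."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if SECRET_KEY_PATTERN.search(key) and isinstance(value, str) and value:
                out.append(here)
            _walk(value, here, out)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            _walk(value, f"{path}[{i}]", out)


def leaked_next_data_keys(html: str) -> List[str]:
    """Return JSON paths inside __NEXT_DATA__ whose key names suggest a secret."""
    parser = _NextDataExtractor()
    parser.feed(html)
    if not parser.payload:
        return []
    try:
        data = json.loads(parser.payload)
    except json.JSONDecodeError:
        return []
    out: List[str] = []
    _walk(data, "", out)
    return out


# Constructed rendered page in which server-side values were serialised into props.
SAMPLE_HTML = """<html><body><div id="__next"></div>
<script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"user":"demo","dbPassword":"p@ss","stripeSecretKey":"sk_test_placeholder"},"__N_SSP":true},"page":"/","query":{},"buildId":"abc123"}</script>
</body></html>"""

if __name__ == "__main__":
    for hit in suspicious_processes(SAMPLE_PS):
        print("process:", hit)
    for path in leaked_next_data_keys(SAMPLE_HTML):
        print("leaked key:", path)
```

On a live host, feed `suspicious_processes` the output of `ps -eo pid,ppid,user,args` and `leaked_next_data_keys` the HTML fetched from each server-rendered route; a hit from the first is a reason to capture the /tmp binary and the process's network connections before killing it, and a hit from the second means the value is already public and must be rotated regardless of whether the host was exploited.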
Given the campaign's reliance on an unpatched and widely deployed vulnerability, the ease of unauthenticated exploitation, and the powerful automation behind NEXUS Listener, organizations running Next.js applications should treat remediation of CVE-2025-55182 as an urgent priority rather than a routine maintenance task.
Source: Dark Reading