high

Hackers exploit React2Shell in automated credential theft campaign

April 6, 2026·BleepingComputer·Threat Intel
reactnextjscve-2025-55182credential-theftweb-security

Automated Credential Theft Campaign Exploits React2Shell Vulnerability in Next.js Applications

TL;DR

Cybercriminals are conducting a large-scale automated campaign to steal credentials by exploiting React2Shell (CVE-2025-55182), a recently disclosed vulnerability affecting Next.js applications. Organizations running vulnerable Next.js deployments face immediate risk of credential compromise and should prioritize patching efforts.

What Happened

According to BleepingComputer's reporting, threat actors have launched an extensive automated campaign targeting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications. The attackers are systematically scanning for and exploiting vulnerable instances to harvest user credentials at scale. This represents a rapid weaponization of the vulnerability, with criminals moving quickly from disclosure to active exploitation in production environments.

Technical Analysis

React2Shell (CVE-2025-55182) is a server-side vulnerability affecting Next.js, the popular React-based web framework. While specific technical details of the vulnerability weren't provided in the initial reporting, the "Shell" designation suggests it likely involves some form of command injection or remote code execution capability that attackers can leverage to gain unauthorized system access.

The automated nature of this campaign indicates attackers are using scanning tools to identify vulnerable Next.js applications across the internet, then deploying exploitation scripts to compromise discovered targets. This approach allows for massive scale – potentially affecting thousands of applications simultaneously.

The focus on credential theft suggests the vulnerability provides attackers with sufficient access to extract authentication data, whether from databases, configuration files, or active memory. This could include plaintext passwords, hashed credentials, API keys, or session tokens.

Impact & Who's Affected

Any organization running vulnerable versions of Next.js applications faces immediate risk. This includes:


The credential theft focus makes this particularly dangerous for applications handling sensitive user data or providing access to critical business systems. Compromised credentials could enable lateral movement within networks or serve as initial access vectors for more sophisticated attacks.

What You Should Do

Immediate Actions:


Defensive Measures:

The Bigger Picture

This campaign exemplifies how quickly modern threat actors can weaponize newly disclosed vulnerabilities. The shift toward automated, large-scale exploitation reflects the industrialization of cybercrime – attackers are optimizing for volume and efficiency rather than targeted precision.

For defenders, this reinforces the critical importance of rapid patch management and maintaining visibility into your application stack. The widespread adoption of frameworks like Next.js means a single vulnerability can have far-reaching impact across diverse organizations and industries.

Organizations should treat this as a reminder to implement defense-in-depth strategies that don't rely solely on keeping software updated, though patching remains the primary mitigation for this specific threat.

---
This analysis is based on initial reporting from BleepingComputer. Technical details may be updated as more information becomes available.

← All Threat IntelSource: BleepingComputer