Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

2026-04-02

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

This article covers a large-scale credential harvesting campaign exploiting CVE-2025-55182, a critical Next.js vulnerability, to compromise 766 hosts across multiple cloud providers.

•CVE-2025-55182 (CVSS 10.0) is a critical flaw in React Server Components and the Next.js App Router that enables remote code execution
•Threat cluster UAT-10608, tracked by Cisco Talos, deploys the NEXUS Listener framework post-compromise to exfiltrate and view stolen data via a web-based GUI
•A multi-phase harvesting script collects environment variables, SSH private keys, shell history, Kubernetes service account tokens, Docker configs, and cloud IAM credentials from AWS, GCP, and Azure
•Stolen data includes Stripe API keys, AI platform keys (OpenAI, Anthropic, NVIDIA NIM), GitHub/GitLab tokens, SendGrid/Brevo secrets, and database connection strings

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture