React2Shell Exploited in Large-Scale Credential Harvesting Campaign
Briefly

"The breadth of the victim set and the indiscriminate targeting pattern are consistent with automated scanning - likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities."
"UAT-10608 has been targeting public-facing web applications vulnerable to React2Shell to deliver a crafted payload via an HTTP request and execute arbitrary code on the server-side Node.js process."
"The attackers rely on an automated script for multi-phased data collection, iterating through running processes, JavaScript runtime, SSH, shell command history, tokens, cloud metadata APIs, Kubernetes service accounts, container configurations, and running process command lines."
A threat actor tracked as UAT-10608 is exploiting critical vulnerabilities in Next.js applications to compromise servers and exfiltrate sensitive data. The actor uses automated scanning to identify applications affected by CVE-2025-55182, which allows remote code execution. After initial access, automated scripts and the Nexus Listener framework are used to harvest credentials, cloud tokens, and SSH keys. At least 766 systems have been compromised, with over 10,000 files collected. The campaign targets public-facing web applications, delivering crafted payloads via HTTP requests to execute arbitrary code on the server-side Node.js process.
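The post-exploitation behaviour quoted above (a compromised Node.js process, or a shell it spawns, reading SSH keys, shell history, Kubernetes service account tokens and cloud metadata) is a useful detection pattern for defenders. The following is an added example, not code from the article or from any of the vendors it cites: a small Python classifier that runs over constructed, auditd-style process events and flags file reads and connections that originate from the web runtime. The event format, the `find_harvesting_activity` function, and the sample lines are assumptions made for this example; the sensitive path patterns and the 169.254.169.254 metadata address are well-known defaults rather than indicators taken from the campaign.

```python
import re

# The server-side runtime named in the article. A read of ssh keys by sshd
# is normal; the same read by the web runtime or its child process is not.
WEB_RUNTIMES = {"node"}

# Artifact classes the article says the harvesting script collects.
SENSITIVE_PATHS = [
    (re.compile(r"/\.ssh/"), "ssh key material"),
    (re.compile(r"/\.(bash|zsh|sh)_history$"), "shell command history"),
    (re.compile(r"/serviceaccount/token$"), "kubernetes service account token"),
    (re.compile(r"^/proc/\d+/environ$"), "process environment (tokens)"),
]
# Well-known cloud instance metadata endpoints (not campaign-specific IoCs).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

# Constructed sample events for this example (simplified key=value form,
# one line per exec, file open or outbound connect). Not real telemetry.
SAMPLE_EVENTS = [
    'ts=1700000001 comm=node pid=4242 op=open path=/srv/app/.next/server/app/page.js',
    'ts=1700000002 comm=node pid=4242 op=exec path=/bin/sh arg="cat /root/.bash_history"',
    'ts=1700000003 comm=cat pid=4301 ppid=4242 op=open path=/root/.bash_history',
    'ts=1700000004 comm=cat pid=4302 ppid=4242 op=open path=/root/.ssh/id_rsa',
    'ts=1700000005 comm=node pid=4242 op=open path=/var/run/secrets/kubernetes.io/serviceaccount/token',
    'ts=1700000006 comm=node pid=4242 op=connect dst=169.254.169.254:80',
    'ts=1700000007 comm=sshd pid=900 op=open path=/root/.ssh/authorized_keys',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value event line into a dict (quoted values allowed)."""
    return {key: val.strip('"') for key, val in KV_RE.findall(line)}


def build_process_table(events):
    """Map pid -> command name so child processes can be tied to their parent."""
    return {ev["pid"]: ev["comm"] for ev in events if "pid" in ev and "comm" in ev}


def descends_from_web_runtime(ev, proc_table):
    """True if the event's process is the web runtime or a direct child of it."""
    if ev.get("comm") in WEB_RUNTIMES:
        return True
    return proc_table.get(ev.get("ppid", "")) in WEB_RUNTIMES


def classify(ev, proc_table):
    """Return a reason string if the event matches harvesting behaviour, else None."""
    if not descends_from_web_runtime(ev, proc_table):
        return None
    op = ev.get("op")
    if op == "exec" and ev.get("path") in SHELLS:
        return "web runtime spawned a shell"
    if op == "open":
        for pattern, label in SENSITIVE_PATHS:
            if pattern.search(ev.get("path", "")):
                return f"web runtime read {label}"
    if op == "connect":
        host = ev.get("dst", "").rsplit(":", 1)[0]
        if host in METADATA_HOSTS:
            return "web runtime queried cloud metadata endpoint"
    return None


def find_harvesting_activity(lines):
    """Run the classifier over event lines; return (ts, comm, target, reason) tuples."""
    events = [parse_event(line) for line in lines]
    proc_table = build_process_table(events)
    findings = []
    for ev in events:
        reason = classify(ev, proc_table)
        if reason:
            findings.append((ev.get("ts"), ev.get("comm"),
                             ev.get("path") or ev.get("dst"), reason))
    return findings


if __name__ == "__main__":
    for finding in find_harvesting_activity(SAMPLE_EVENTS):
        print(*finding)
```

On the sample input the classifier flags the shell spawn, both reads performed by the `cat` child of the Node.js process, the service account token read and the metadata query, while leaving the server's own read of its bundle and sshd's read of `authorized_keys` alone. The parent-process lookup is the important design choice: a harvesting script typically does its reads through short-lived child commands, so matching only on the runtime's own `comm` would miss most of it.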
Read at SecurityWeek