An apparent security lapse has allowed researchers to peer into the work of a threat group currently exploiting unpatched servers open to the four-month-old React2Shell vulnerability to steal login credentials, keys, and tokens at scale.
Researchers from Cisco Systems’ Talos threat intelligence team who made the discovery said Thursday that the data harvested by an unattributed group they call UAT-10608 went to a password-protected database behind a web application. However, that application was at one point exposed, allowing the researchers to see data that had been harvested from compromised systems.
Credentials, auth tokens, and other secrets stolen so far come from instances of AWS, Microsoft Azure, OpenAI, Anthropic, Nvidia NIM, OpenRouter, Tavily, payment processor Stripe, and GitHub.
The web application allows a user to browse all of the compromised hosts. A given host can then be selected, bringing up a menu with all of the exfiltrated data corresponding to each phase of the harvesting script – a bonus to the researchers.
The discovery is a prime reason for IT pros with React servers in their environment who haven’t yet addressed this vulnerability to act quickly, before corporate credentials are stolen. To help blunt the attack, victims and service providers with exposed and at-risk credentials, including AWS and GitHub, are being notified.
One notable statistic: The automated exploitation and harvesting framework was able to successfully compromise 766 hosts within a 24-hour period.
At risk are Next.js applications vulnerable to CVE-2025-55182, a pre-authentication remote code execution vulnerability known as React2Shell. A fix was issued four months ago.
Multi-phase attack
Once a host is compromised, the campaign deploys a multi-phase credential harvesting tool that collects usernames, passwords, SSH keys, cloud tokens, and environment secrets at scale.
“The breadth of the victim set and the indiscriminate targeting pattern is consistent with automated scanning,” says Cisco Talos, “likely based on host profile data from services like Shodan, Censys, or custom scanners to enumerate publicly reachable Next.js deployments and probe them for the described React configuration vulnerabilities.”
The attacker crafts a malicious serialized payload designed to abuse the deserialization routine, a technique commonly used to trigger arbitrary object instantiation or method invocation on a server. The payload is sent via an HTTP request directly to a Server Function endpoint; no authentication is required. The server deserializes the malicious payload, resulting in arbitrary code execution in the server-side Node.js process.
The initial React exploit delivers a small dropper that fetches and runs a multi-phase harvesting script. Upon execution, the harvesting script goes through several phases to collect various data from the compromised system, which is then uploaded to a command and control server where it is loaded into a database.
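Because the exploit arrives as an unauthenticated POST to a Server Function endpoint, a defender's first question is which sources are hammering those endpoints. The triage script below is an added example, not code from the article or from Cisco Talos; it assumes a reverse proxy that logs each request's Next-Action header (the header Next.js attaches to Server Function POSTs), a constructed log layout, and a defender-maintained allowlist of the action IDs the deployed build actually exposes.

```python
# Added example: triage proxy logs for Server Function POSTs that carry
# action IDs the app never built, or that arrive in scanner-like bursts.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso-ts> <src-ip> <method> <path> <status> <next-action>"
# where <next-action> is the Next-Action header value or "-" when absent.
SAMPLE_LOG = """\
2026-04-09T10:00:01Z 198.51.100.4 GET /dashboard 200 -
2026-04-09T10:00:02Z 198.51.100.4 POST /dashboard 200 7f3a9c
2026-04-09T10:00:05Z 203.0.113.7 POST / 500 00deadbeef
2026-04-09T10:00:06Z 203.0.113.7 POST /api 500 00deadbeef
2026-04-09T10:00:06Z 203.0.113.7 POST /login 200 00deadbeef
2026-04-09T10:00:07Z 203.0.113.7 POST /admin 500 00deadbeef
2026-04-09T10:05:00Z 192.0.2.9 POST /settings 200 7f3a9c
"""

# Action IDs the deployed build exposes (assumed to be extracted from the
# build output by the defender); any other ID is traffic the app never issued.
KNOWN_ACTIONS = {"7f3a9c"}

def parse(line):
    ts, ip, method, path, status, action = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "ip": ip,
            "method": method, "path": path, "status": int(status),
            "action": None if action == "-" else action}

def triage(log_text, window=timedelta(minutes=1), burst=3):
    """Return per-IP findings: unknown action IDs used and peak burst size."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = defaultdict(lambda: {"unknown_actions": set(), "burst": 0})
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] != "POST" or e["action"] is None:
            continue  # only Server Function invocations matter here
        if e["action"] not in KNOWN_ACTIONS:
            findings[e["ip"]]["unknown_actions"].add(e["action"])
        by_ip[e["ip"]].append(e["ts"])
    # largest number of action POSTs one source made inside a single window
    for ip, times in by_ip.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            findings[ip]["burst"] = max(findings[ip]["burst"], i - j + 1)
    return {ip: f for ip, f in findings.items()
            if f["unknown_actions"] or f["burst"] >= burst}
```

A hit on an unknown action ID is the stronger signal; the burst count mainly separates mass scanners from a single user retrying a form.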
Industrial scale
“This is all about neglect and efficiency,” Gene Moody, field CTO at patch management provider Action1, told CSO. “React2Shell quickly met all the criteria attackers look for: public disclosure, reliable exploitation, and internet-facing exposure. That combination effectively guaranteed widespread abuse. Since then, multiple campaigns have automated the full [attack] lifecycle [of], scanning, exploitation, and credential harvesting, with little to no human intervention.”
Attackers operate at industrial scale, he added. Platforms like Shodan and Censys already index much of the internet, making vulnerable systems trivial to find. With the finite IP space, comprehensive scanning can be completed in well under an hour on even the most modest of modern computers/internet connections.
“There is no meaningful obscurity left for exposed systems,” he added. “To be honest, there never really was.”
‘Attack started when you failed to patch’
The result is predictable, Moody said: Unpatched systems are not ‘at risk’; they are in a queue. Discovery is fast, exploitation is fast, and compromise is often automated end-to-end. “React2Shell is a perfect example of how quickly attackers can turn a known issue into a sustained revenue stream, and have it persist for extended periods of time based on admin complacency,” he said.
“Even more concerning is what happens after initial access,” he added. “Credential harvesting extends the lifespan of the attack far beyond the original vulnerability. Even if systems are patched later, stolen credentials can enable persistence, lateral movement, and, as a result, means the attack started when you failed to patch. One mistake can turn into every mistake in an instant, with information like this in the wrong hands. The damage could be absolute, with no recovery possible. Businesses have failed for less. When it ends will certainly not be when the patch is applied, unless you got it before being compromised.
“Treat your patching like a toothache,” he advised. “At first sign, address it as fast as possible, or only misery follows.”
Original article: Security lapse lets researchers view React2Shell hackers’ dashboard, CSO Online.