Threat Actors Exploit Next.js To Harvest Credentials

Cisco Talos on April 3, 2026 disclosed an active automated campaign, UAT-10608, exploiting CVE-2025-55182 in React Server Components to steal credentials from Next.js web applications. Researchers found automated scans compromised 766 servers in 24 hours and observed a NEXUS Listener dashboard aggregating database credentials, SSH keys, cloud tokens and API keys. Organizations must patch vulnerable deployments, rotate exposed secrets, and audit cloud credentials immediately.
Key Points
- 1Exploits CVE-2025-55182 to compromise 766 Next.js servers within 24 hours
- 2Demonstrates automated scanning and NEXUS Listener dashboard centralizes large-scale credential harvesting
- 3Mandates immediate patching, credential rotation, and cloud-secret audits for Next.js deployments
Scoring Rationale
High-impact, timely disclosure from Cisco Talos documenting a large-scale automated campaign exploiting a known RCE. Scored high for novelty, scope, actionability, and credibility; relevance reduced slightly because this is security-focused rather than core ML/DS.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems


