
React2Shell (CVE-2025-55182): The CVSS-10 Flaw Silently Draining API Keys from Financial Web Apps

A CVSS-10 flaw in React Server Components has enabled threat actor UAT-10608 to silently harvest credentials from 766+ hosts. Saudi financial institutions running Next.js-based portals face immediate exposure.

FyntraLink Team

A maximum-severity vulnerability in React Server Components, tracked as CVE-2025-55182 and nicknamed "React2Shell", is being actively mass-exploited by a threat actor designated UAT-10608. With a CVSS base score of 10.0, the flaw gives unauthenticated attackers arbitrary remote code execution on affected React Server Components deployments, including Next.js 15 and 16 App Router applications that have not applied the December 2025 patches. Cisco Talos researchers have confirmed at least 766 compromised hosts and more than 10,000 exfiltrated files, and the campaign is still running.

What Is React2Shell and Why Does It Score a Perfect 10?

React Server Components (RSC), available in Next.js since the App Router arrived in version 13, let rendering logic and data access run on the server, with server and client exchanging a serialised component tree over React's Flight protocol. CVE-2025-55182 is a deserialization flaw in the server side of that protocol: when the affected react-server-dom-* packages (versions 19.0.0 through 19.2.0, bundled inside Next.js 15 and 16) decode the body of a Server Function (Server Action) request, a crafted payload can drive the decoder into executing attacker-controlled code. The handler is present whether or not the application defines any Server Actions. No credentials, no session tokens, no headers beyond those any Server Action request already carries; a single crafted POST request is sufficient, and the endpoint is reachable by anyone who can reach the site. Only App Router applications are affected; Pages Router applications do not expose the RSC server endpoint. Microsoft's Security Blog published a technical deep-dive in December 2025 confirming the attack primitive, which it described as "a direct pipeline from the public internet to the server's process memory." What makes this particularly dangerous is that many organisations deploy Next.js as a customer-facing portal or API gateway, exactly the kind of boundary-exposed application that sits in front of banking databases and payment processors.

Inside the UAT-10608 Campaign: Automated Pillaging at Scale

Once initial access is achieved, UAT-10608 deploys the Nexus Listener framework — a lightweight post-exploitation agent that enumerates every environment variable, configuration file, and secret store reachable from the compromised process. The exfiltration checklist is exhaustive: Stripe API keys, GitHub and GitLab personal access tokens, Telegram bot secrets, OpenAI and Anthropic API keys, database connection strings, Docker daemon configurations, Kubernetes service-account tokens, SSH private keys, and shell history files that often contain plaintext credentials typed by developers. Researchers who gained access to an exposed instance of UAT-10608's collection infrastructure confirmed that data from 766 hosts was already catalogued and searchable. The stolen secrets do not sit idle — they are immediately weaponised for cloud account takeover, enabling lateral movement into AWS, Azure, and GCP tenancies, and for supply-chain attacks that inject malicious code into downstream CI/CD pipelines.

The Saudi Financial Sector Exposure

Saudi banks and insurance companies have aggressively adopted Next.js for customer portals, open-banking API gateways, and internal dashboards over the past three years, a trend directly encouraged by SAMA's Open Banking Framework and the broader Saudi Vision 2030 digital transformation agenda. Any of these deployments running an affected Next.js 15.x or 16.x release with the App Router, or any other server using react-server-dom-* 19.0.0 through 19.2.0, is trivially exploitable by UAT-10608's automated scanner. The SAMA Cyber Security Framework requires institutions to maintain a vulnerability management programme with defined remediation timelines for critical-severity findings; a CVSS-10 flaw with active exploitation evidence should trigger a P1 emergency patch cycle within 24 hours. Furthermore, the NCA Essential Cybersecurity Controls (ECC-1:2018, superseded by ECC-2:2024) require continuous monitoring of third-party libraries and frameworks, a requirement that Next.js and React upgrades fall squarely within. Under the Personal Data Protection Law (PDPL), a breach that exposes customer database connection strings carrying personal data triggers mandatory notification to the competent authority (SDAIA) within 72 hours of discovery.

Recommendations and Immediate Action Steps

  1. Patch immediately. Upgrade every affected deployment to a release that carries the fix: React 19.0.1, 19.1.2 or 19.2.1 for the react-server-dom-* packages, and for Next.js the patched release of your line, which bundles the fixed React (per Vercel's advisory: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7). If an immediate upgrade is not feasible, apply the WAF virtual patch published by Vercel and the community rule sets available for ModSecurity and AWS WAF, and, if the application defines no Server Actions, drop requests carrying a Next-Action header at the edge. Treat request-filtering rules as a stopgap, not a fix: they can be bypassed by payload variants that the signature does not cover.
  2. Audit your environment variables. Assume that any Next.js application running a vulnerable version has had its .env file and process environment read. Rotate all API keys, database passwords, OAuth secrets, and cloud credentials exposed in those environments — regardless of whether you have confirmed IOCs.
  3. Hunt for UAT-10608 IOCs. Cisco Talos published indicators including the Nexus Listener C2 IP ranges, the specific User-Agent strings used in the automated scanner, and SHA-256 hashes of the dropped agent binaries. Cross-reference these against your SIEM and EDR telemetry for the past 90 days.
  4. Inventory your Next.js attack surface. Many financial institutions are unaware of shadow IT deployments of Next.js stood up by business units or by third-party developers. Scan your external and internal IP ranges using the Nuclei templates for CVE-2025-55182 to identify exposure before attackers do, and cross-check the results against lockfiles in your source repositories so that hosts the scanner cannot reach are not missed.
  5. Validate your third-party risk controls. Under the SAMA Cyber Security Framework's third-party cyber security requirements, institutions must assess the security posture of vendors who develop or host web applications on their behalf. If a managed-service provider or fintech partner is running a vulnerable Next.js deployment connected to your systems, the breach path runs through them.
  6. Enable runtime application self-protection (RASP) or equivalent. For applications that cannot be patched immediately, deploying a RASP agent that detects anomalous file-system access and child-process execution from within the Node.js process provides a compensating control while the patch pipeline progresses.

Conclusion

React2Shell is not a theoretical research finding; it is an active, automated, industrial-scale credential harvesting operation that has already compromised hundreds of organisations. The combination of a perfect CVSS score, single-request pre-authentication exploitation, and a post-exploitation framework purpose-built for secret exfiltration makes it one of the most consequential web-application vulnerabilities of the year. For Saudi financial institutions, the stakes are amplified by SAMA, NCA, and PDPL obligations that create direct regulatory liability for unpatched critical vulnerabilities and undisclosed breaches. The window to act before your portal joins the 766-and-counting list is closing fast.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a React2Shell exposure audit across your web application estate.