For Compliance Teams

766 Next.js Hosts Compromised Through CVE-2025-55182

What Happened

Threat cluster UAT-10608 exploited CVE-2025-55182, a critical vulnerability in Next.js applications, compromising at least 766 hosts. The attackers used an automated credential harvesting tool called NEXUS Listener (version 3) to extract credentials from vulnerable systems. According to Cisco Talos research, the operation targeted exposed Next.js applications to steal credentials, potentially accessing cloud infrastructure and internal systems.

The vulnerability has a CVSS score of 10.0, indicating maximum severity. This flaw provided direct access to application internals, and attackers used automated tools to identify vulnerable hosts on a large scale.

Timeline

While specific compromise dates are unclear, the attack pattern is evident:

  • Initial reconnaissance: Attackers used internet-wide search and scanning services such as Shodan to identify exposed Next.js applications.
  • Exploitation phase: CVE-2025-55182 was exploited to gain initial access.
  • Credential harvesting: NEXUS Listener extracted credentials from compromised systems.
  • Ongoing operation: The use of NEXUS Listener V3 suggests ongoing refinement of attack tools.

The automation of this attack—systematic scanning, exploitation, and data exfiltration—demonstrates its sophistication.

Which Controls Failed or Were Missing

  • Vulnerability management: Organizations running vulnerable Next.js versions failed to patch a critical vulnerability. This indicates a lack of visibility into application dependencies or ineffective patch prioritization.
  • Asset inventory: Without knowing you're running Next.js applications, you can't patch them. The 766 compromised hosts suggest many organizations lacked complete application inventories.
  • Network segmentation and access controls: The impact of stolen credentials depended on their access. If credentials provided access to critical systems, segmentation failed.
  • Monitoring and detection: NEXUS Listener communicated with command infrastructure to exfiltrate credentials. Organizations without network egress monitoring missed the compromise.
  • Least privilege implementation: The value of stolen credentials is tied to their access scope. Broad permissions amplify damage from credential theft.

What the Relevant Standards Require

  • PCI DSS v4.0.1 Requirement 6.3.1 mandates addressing security vulnerabilities based on risk ranking. A CVSS 10.0 vulnerability requires immediate action.
  • PCI DSS v4.0.1 Requirement 6.3.2 requires maintaining an inventory of system components, including web application frameworks and their versions.
  • ISO/IEC 27001:2022 Control 8.8 requires timely information on vulnerabilities and appropriate measures. The automated nature of this attack means the window between disclosure and exploitation was narrow.
  • NIST CSF function "Identify" includes asset and vulnerability management. Both failed here.
  • SOC 2 Type II Common Criteria CC7.1 requires monitoring system components and anomalies. Credential exfiltration should trigger alerts.
  • OWASP Top 10 2021: A06:2021 – Vulnerable and Outdated Components addresses running unpatched frameworks with known vulnerabilities.

The standards emphasize knowing your systems, quickly patching vulnerabilities, limiting credential scope, and detecting anomalies. This attack succeeded due to multiple control failures.

Lessons and Action Items for Your Team

  • Implement dependency scanning in your CI/CD pipeline. Use tools like Snyk or OWASP Dependency-Check to flag vulnerable framework versions before deployment. If running Next.js applications, scan them immediately.
  • Establish a critical patch SLA. Define what "critical" means (typically CVSS 9.0+) and set a patch window—72 hours is reasonable, 24 hours for sensitive applications.
  • Build a complete application inventory. Use tools or manual audits to document every web application framework in use, including version numbers. Update this inventory with every deployment.
  • Scope your service account credentials. Review and apply least privilege to service account credentials. Limit what a compromised credential can access.
  • Monitor for credential abuse. Deploy authentication logging and alert on unusual patterns. Your SIEM should correlate authentication events with known-good patterns.
  • Test your detection capabilities. Simulate credential theft and assess your monitoring's effectiveness.
  • Subscribe to framework security advisories. Stay updated on security announcements for frameworks like Next.js, React, and others.
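As an added example that is not part of the original article, the script below builds the Next.js inventory the first and third action items call for: it walks checked-out repositories, records every application that declares `next`, resolves the deployed version from `package-lock.json` where one exists, and flags anything below a patched-version threshold. The threshold value is a placeholder (the fixed version is not given on this page), and the sample repositories are constructed inline.

```python
import json
import re
import tempfile
from pathlib import Path

SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Placeholder: substitute the fixed version named in the vendor advisory.
PATCHED_NEXT_PLACEHOLDER = "15.0.0"

def parse_semver(text):
    """Return (major, minor, patch) from a version or range string, else None."""
    m = SEMVER.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def next_from_lockfile(lock):
    """Resolved 'next' version from package-lock.json (lockfileVersion 1, 2 or 3)."""
    entry = (lock.get("packages") or {}).get("node_modules/next") \
        or (lock.get("dependencies") or {}).get("next")
    return entry.get("version") if entry else None

def inventory(root, patched=PATCHED_NEXT_PLACEHOLDER):
    """Walk repositories under root; list every app that declares 'next' with its status."""
    floor = parse_semver(patched)
    rows = []
    for manifest in Path(root).rglob("package.json"):
        if "node_modules" in manifest.parts:  # skip vendored copies
            continue
        pkg = json.loads(manifest.read_text())
        declared = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
        if "next" not in declared:
            continue
        lockfile = manifest.with_name("package-lock.json")
        resolved = next_from_lockfile(json.loads(lockfile.read_text())) if lockfile.exists() else None
        version = parse_semver(resolved)
        if version is None:
            status = "unknown"  # only a range in package.json; resolve before deciding
        else:
            status = "patched" if version >= floor else "vulnerable"
        rows.append({"app": manifest.parent.name, "declared": declared["next"],
                     "resolved": resolved, "status": status})
    return sorted(rows, key=lambda r: r["app"])

def build_sample_tree():
    """Constructed sample: one app with a lockfile, one with only a manifest range."""
    root = Path(tempfile.mkdtemp())
    (root / "shop").mkdir()
    (root / "shop" / "package.json").write_text(json.dumps({"dependencies": {"next": "^14.2.0"}}))
    (root / "shop" / "package-lock.json").write_text(json.dumps(
        {"lockfileVersion": 3, "packages": {"node_modules/next": {"version": "14.2.3"}}}))
    (root / "portal").mkdir()
    (root / "portal" / "package.json").write_text(json.dumps({"devDependencies": {"next": "^15.0.0"}}))
    return root

if __name__ == "__main__":
    for row in inventory(build_sample_tree()):
        print(row)
```

Apps reported as "unknown" have no lockfile to resolve the range against, so their deployed version must be read from the build artefact or the running host before they can be cleared.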

The 766 compromised hosts highlight a failure in basic vulnerability management. Attackers used publicly available tools and a known vulnerability, not a sophisticated zero-day. Your team can prevent this by treating critical vulnerabilities as emergencies.
