AI-Assisted Credential Harvesting: The React2Shell Incident
AI-assisted credential harvesting is fast becoming a significant cyber threat. Recently, investigators gained rare insight into an active criminal operation that used the React2Shell vulnerability to automate large-scale attacks. The incident shows how cybercriminals are pairing a critical, easily exploited vulnerability with artificial intelligence tooling to compromise organisations at scale.
Inside the Exposed Credential Harvesting Operation
Forensic investigators discovered an exposed server on the internet that revealed the inner workings of a sophisticated credential harvesting factory. The operation, known as the "Bissa scanner," used the React2Shell vulnerability (CVE-2025-55182) to target organisations globally. The server held over 13,000 files and showed that the attackers had automated every step, from scanning for vulnerable systems to extracting credentials and alerting operators via Telegram.
The attackers harnessed AI workflow assistants such as Claude Code and OpenClaw. These tools helped automate coding, debugging and target scanning, and even the triage of compromised credentials. Logs from the exposed server recorded over 900 successful compromises, highlighting the scale and effectiveness of this AI-assisted approach.
- Automated scanning for vulnerable internet-facing servers
- Credential harvesting at scale with AI workflow tools
- Victim data triage to identify high-value targets
- Telegram notifications to operators for immediate action
The React2Shell Vulnerability: What Organisations Need to Know
The core of this campaign was the React2Shell vulnerability, officially tracked as CVE-2025-55182. The flaw affects React Server Components in React versions 19.0 through 19.2.0, and therefore the Next.js framework, which builds on them. Assigned the maximum CVSS score of 10.0, React2Shell allows unauthenticated remote code execution: an attacker can run arbitrary code on a vulnerable server with a single specially crafted HTTP POST request and no prior authentication.
The vulnerability arises from insecure deserialization in the RSC Flight protocol, the wire format React Server Components use to exchange data with the client. Once public disclosure occurred in December 2025, threat actors, both state-sponsored and criminal, began exploiting it within hours. The US Cybersecurity and Infrastructure Security Agency (CISA) quickly added React2Shell to its Known Exploited Vulnerabilities (KEV) catalogue, and security vendors reported widespread exploitation attempts.
- Affected software: React 19.0–19.2.0 and Next.js using React Server Components
- Attack vector: Unauthenticated HTTP POST request
- Potential impact: Full server compromise and credential theft
Operational Sophistication: Beyond the Exploit
What sets the Bissa scanner operation apart is not just the use of a critical exploit, but the advanced automation and workflow integration built around it. The exposed server was not simply a data dump. It was a live, active platform running credential harvesting operations in real time. AI tools were deeply integrated, assisting with code refinement, scanning logic and even decision-making on which compromised credentials to prioritise.
This level of automation means attackers can operate at internet scale, scanning and attacking thousands of potential victims in parallel. The use of Telegram bots for instant alerts and centralised workflow management further streamlined the process, making the operation both efficient and difficult to disrupt.
Why AI-Assisted Credential Harvesting Matters
The exposure of this server provides a rare glimpse into how criminal groups are evolving their tactics. AI-assisted credential harvesting is not a theoretical threat: it is a reality, and it poses significant risks to organisations using modern frameworks like React and Next.js.
- Speed: Automation enables rapid exploitation before patches can be widely applied.
- Scale: AI workflow tools allow attackers to target thousands of systems at once.
- Sophistication: AI assistance lowers the technical barrier for running complex campaigns.
- Consequence: Stolen credentials can lead to further breaches, data theft and ransomware.
Large-scale credential harvesting campaigns can disrupt operations, damage reputations and expose sensitive data. The use of AI means that even less experienced attackers can run highly effective campaigns, increasing the overall threat to organisations of all sizes.
Defending Against AI-Assisted Credential Harvesting
With AI-assisted credential harvesting on the rise, organisations must take proactive steps to reduce their risk. Here are key actions to consider:
- Patch React and Next.js: Immediately update to the versions that address CVE-2025-55182, and apply security patches as soon as they are released. Check lockfiles for nested copies of React pulled in by other dependencies, not just the top-level version; a single vulnerable copy is enough.
- Monitor for Unusual Activity: Use security monitoring tools to detect signs of compromise, such as bursts of unexpected HTTP POST requests to application routes, unexpected child processes spawned by the Node.js server process, or new outbound connections from web hosts.
- Limit Exposure: Avoid exposing development and test environments to the internet. Restrict access to web applications and APIs where possible.
- Network Segmentation: Isolate critical systems from those with internet access to contain the impact of a potential breach.
- Use Multi-Factor Authentication (MFA): Even if passwords are stolen, MFA can prevent them alone from granting access to sensitive systems. Note that MFA does not protect API keys, tokens and environment secrets that a compromised server could have exposed; those must be rotated.
- Educate Staff: Train staff to recognise signs of phishing and social engineering, which often follow credential harvesting incidents.
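The patching step above is only complete once every copy of React in the dependency tree has been checked. The following script is an added example, not code from the original article or from the React or Next.js projects: it walks an npm `package-lock.json` (lockfileVersion 2 or 3) and flags any React-family package whose version falls in the range the article states for CVE-2025-55182 (19.0 through 19.2.0), including nested copies under other dependencies. The list of package names, the treatment of 19.2.1 and later as outside the range, and the sample lockfile are assumptions constructed for the example; confirm the exact fixed releases against the vendor advisory.

```javascript
"use strict";

// Added example (not the project's or the reporters' code): audit a package-lock.json
// for React packages inside the affected range stated in the article for CVE-2025-55182.

// Packages that ship React / React Server Components code and track React's version line.
// ASSUMPTION: this list is illustrative; extend it from the vendor advisory.
const REACT_PACKAGES = new Set([
  "react",
  "react-dom",
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);

// Parse "19.2.0" (a prerelease or build suffix is ignored) into [major, minor, patch].
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Affected range as stated in the article: React 19.0 up to and including 19.2.0.
// ASSUMPTION: 19.2.1 and later are treated as fixed; verify against the advisory.
function isInAffectedRange(version) {
  const v = parseSemver(version);
  if (!v) return false;
  const [major, minor, patch] = v;
  if (major !== 19) return false;
  return minor < 2 || (minor === 2 && patch === 0);
}

// Map a lockfile path such as "node_modules/a/node_modules/react" to "react";
// scoped packages ("node_modules/@scope/name") keep their scope.
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Walk the "packages" map of a lockfileVersion 2/3 lock object.
// Returns affected React packages (with their install path) and any Next.js
// versions present, which must be reviewed separately against the vendor advisory.
function findAffectedReactPackages(lock) {
  const packages = (lock && lock.packages) || {};
  const affected = [];
  const nextVersions = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || !entry || typeof entry.version !== "string") continue;
    const name = packageNameFromPath(path);
    if (REACT_PACKAGES.has(name) && isInAffectedRange(entry.version)) {
      affected.push({ path, name, version: entry.version });
    }
    if (name === "next") nextVersions.push(entry.version);
  }
  return { affected, nextVersions };
}

// Constructed sample lockfile: the top-level react is patched, but a nested copy
// at 19.1.0 under a UI library and an RSC package at 19.0.0 are still in range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.2.1" },
    "node_modules/next": { version: "15.5.0" },
    "node_modules/some-ui-kit": { version: "2.0.0" },
    "node_modules/some-ui-kit/node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.0.0" },
  },
};

// Human-readable report for the sample; returns the number of findings.
function report(lock) {
  const { affected, nextVersions } = findAffectedReactPackages(lock);
  for (const f of affected) {
    console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}`);
  }
  if (nextVersions.length) {
    console.log(`Next.js present: ${nextVersions.join(", ")} (check against the vendor advisory)`);
  }
  if (!affected.length) console.log("No React packages in the stated affected range.");
  return affected.length;
}

report(SAMPLE_LOCK);
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-copy case is the one that matters in practice, because `npm ls react` at the top level can report a patched version while a dependency still bundles a vulnerable one.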
Incident Response: Be Prepared
Develop a robust incident response plan for credential harvesting attacks. It should include steps for isolating affected systems, resetting passwords and rotating any secrets stored on or reachable from those systems, notifying stakeholders and engaging cyber incident response professionals when necessary.
Conclusion: The Future of Credential Harvesting
The exposure of the Bissa scanner operation is a wake-up call for organisations relying on modern web frameworks. AI-assisted credential harvesting campaigns are effective, scalable and difficult to detect without strong security practices. By understanding how these attacks work and taking steps to patch vulnerabilities and monitor systems, organisations can significantly reduce their risk.
Stay informed about emerging threats, prioritise patch management and invest in security awareness at all levels of your organisation. AI-assisted credential harvesting is here, but with vigilance, its impact can be mitigated.
Originally reported by Inoreader: Vulnerabilities.