Anatomy of a Cascading Breach: How an Unpatched CVE in a Tier-2 Bank Compromised National Payment Infrastructure

Authors

Chinedum Amaechi

Cybersecurity Department, Nnamdi Azikiwe University (Nigeria)

Onyemelukwe Nnaemeka

Computer Science Department, University on the Niger, Umunya (Nigeria)

C. N. Onyechi

Computer Science Department, Chukwuemeka Odumegwu Ojukwu University, Uli (Nigeria)

Article Information

DOI: 10.51584/IJRIAS.2026.110400129

Subject Category: Social science

Volume/Issue: 11/4 | Page No: 1716-1726

Publication Timeline

Submitted: 2026-04-17

Accepted: 2026-04-22

Published: 2026-05-13

Abstract

In March 2026, a threat actor designated "Byte To Breach" exploited CVE-2025-55182 (CVSS 10.0)—a pre-authentication remote code execution vulnerability in React Server Components—on an unpatched, internet-facing pilot server belonging to Sterling Bank Plc, a Tier-2 Nigerian commercial bank. The initial compromise triggered a cascading breach that ultimately exposed 3 terabytes of data from Remita, Nigeria's primary government payment platform, including 657,242 KYC documents and Hardware Security Module (HSM) key files for 46 financial institutions. This paper presents a technical autopsy of the cascading breach, analyzing: (i) how a single CVE enabled lateral movement across interconnected financial infrastructure; (ii) the four-stage exploit chain of React2Shell and its evasion of existing defenses; and (iii) why "trust corridors" between financial institutions amplify rather than contain breaches. Drawing on open-source intelligence analysis of actor-published artefacts, network telescope measurements of React2Shell exploitation, and the threat actor's own Q&A with researchers, we reconstruct the complete attack chain using the MITRE ATT&CK framework. Our analysis demonstrates that the breach was not a sophisticated targeted operation but an opportunistic exploitation of elementary security failures: an unpatched vulnerability, hardcoded credentials in source code, and implicit trust relationships between connected institutions. We conclude with technical recommendations for zero-trust inter-bank architectures, secrets management, and detection rules for CVE-2025-55182 exploitation patterns.

Keywords

Cascading breach; CVE-2025-55182; React2Shell; inter-bank security


