Anatomy of a Cascading Breach: How an Unpatched CVE in a Tier-2 Bank Compromised National Payment Infrastructure

by C. N. Onyechi, Chinedum Amaechi, Onyemelukwe Nnaemeka

Published: May 13, 2026 • DOI: 10.51584/IJRIAS.2026.110400129

Abstract

In March 2026, a threat actor designated "Byte To Breach" exploited CVE-2025-55182 (CVSS 10.0)—a pre-authentication remote code execution vulnerability in React Server Components—on an unpatched, internet-facing pilot server belonging to Sterling Bank Plc, a Tier-2 Nigerian commercial bank. The initial compromise triggered a cascading breach that ultimately exposed 3 terabytes of data from Remita, Nigeria's primary government payment platform, including 657,242 KYC documents and Hardware Security Module (HSM) key files for 46 financial institutions. This paper presents a technical autopsy of the cascading breach, analyzing: (i) how a single CVE enabled lateral movement across interconnected financial infrastructure; (ii) the four-stage exploit chain of React2Shell and its evasion of existing defenses; and (iii) why "trust corridors" between financial institutions amplify rather than contain breaches. Drawing on open-source intelligence analysis of actor-published artefacts, network telescope measurements of React2Shell exploitation, and the threat actor's own Q&A with researchers, we reconstruct the complete attack chain using the MITRE ATT&CK framework. Our analysis demonstrates that the breach was not a sophisticated targeted operation but an opportunistic exploitation of elementary security failures: an unpatched vulnerability, hardcoded credentials in source code, and implicit trust relationships between connected institutions. We conclude with technical recommendations for zero-trust inter-bank architectures, secrets management, and detection rules for CVE-2025-55182 exploitation patterns.
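One of the elementary failures the abstract names is credentials hardcoded in source code. The scanner below is an added example, not code from the paper or from any institution it mentions; it shows the kind of pre-deployment check that catches that defect class before code reaches an internet-facing server. The credential patterns, the variable names it matches, and the sample "source file" are all assumptions constructed for illustration (the AWS-style key id and the password-in-URL are made-up values, not artefacts from the breach).

```python
"""Hardcoded-credential scanner.

Added example for this page, not code from the paper or from any of the
organisations it names. It flags the class of defect the abstract lists as
a root cause (credentials committed to source code) so that a CI job can
fail before such code is deployed. Every sample line below is constructed.
"""
import math
import re
from dataclasses import dataclass
from typing import Optional

# Credential shapes to look for. The variable names matched by the first
# pattern are generic conventions (assumptions), not identifiers from the paper.
PATTERNS = {
    # something like  db_password = "hunter2"  or  "apiKey": "..."
    "credential_assignment": re.compile(
        r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{6,})['"]"""
    ),
    # AWS-style access key id: AKIA followed by 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key header of any common type
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # user:password embedded in a URL authority
    "basic_auth_url": re.compile(r"[a-z][a-z0-9+.\-]*://[^/\s:@]+:[^/\s:@]+@"),
}

# Values that look like credentials but are clearly not live secrets.
PLACEHOLDERS = {"changeme", "password", "example", "redacted", "xxxxxxxx"}


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score well above natural words."""
    if not value:
        return 0.0
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


@dataclass
class Finding:
    line_no: int
    kind: str
    snippet: str
    entropy: Optional[float]  # only computed for assigned string literals


def _is_placeholder(value: str) -> bool:
    # "${VAR}" and "{{ var }}" are template references, not secrets
    return value.lower() in PLACEHOLDERS or value.startswith(("${", "{{"))


def scan_source(text: str) -> list:
    """Return one Finding per line that appears to embed a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            entropy = None
            if kind == "credential_assignment":
                value = match.group(2)
                if _is_placeholder(value):
                    continue  # deliberate non-secret; still try the other patterns
                entropy = shannon_entropy(value)
            findings.append(Finding(line_no, kind, line.strip(), entropy))
            break  # one finding per line is enough for a CI gate
    return findings


def has_hardcoded_credentials(text: str) -> bool:
    """True when a CI job should fail the build."""
    return bool(scan_source(text))


# Constructed sample "source file" mixing good and bad practice.
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal.example"
DB_PASSWORD = "${DB_PASSWORD}"
db_password = os.environ["DB_PASSWORD"]
API_KEY = "Zk8q1m2N9pQ4rS7tU0vW3xY6zA1bC"
aws_key = "AKIACONSTRUCTED00001"
PAY_URL = "https://svc_user:hunter2pass@gateway.example/pay"
PASSWORD = "changeme"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
```

Run against the constructed sample, the scanner flags lines 5, 6, 7 and 9 and leaves alone the environment-variable lookup, the `${...}` template reference and the obvious placeholder. The entropy figure is carried on each assigned-literal finding so a reviewer can triage a random-looking key ahead of a dictionary word; the scanner never tries to decide whether a flagged value is valid, only whether it should be in source at all.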