Next.js: 59k servers compromised in 48h - I breached the attackers' C2 and here's what I found
A large-scale credential theft campaign named "Operation PCPcat" has compromised approximately 59,000 Next.js servers within 48 hours by exploiting two remote code execution vulnerabilities (CVE-2025-29927 and CVE-2025-66478). Attackers extracted sensitive files such as .env, SSH keys, and cloud credentials, installed persistent backdoors, and operated a command and control (C2) infrastructure that was publicly exposed, revealing real-time campaign metrics. Organizations running Next.js in production should immediately patch vulnerable systems and rotate all potentially compromised credentials. The attack chain includes exploitation, data exfiltration, and backdoor installation, with detailed IoCs and detection rules available. This campaign poses a medium severity threat but with potentially widespread impact due to the scale and sensitive data targeted. European organizations using Next.js, especially in countries with high adoption of modern web frameworks, are at risk.
AI Analysis
Technical Summary
The threat dubbed "Operation PCPcat" targets Next.js deployments by exploiting two remote code execution (RCE) vulnerabilities identified as CVE-2025-29927 and CVE-2025-66478. These vulnerabilities allow attackers to execute arbitrary code on vulnerable servers, enabling them to extract sensitive configuration files such as .env files, which often contain environment variables including database credentials, API keys, and secrets. Additionally, attackers harvest SSH keys and credentials for cloud services like AWS, Docker, and Git repositories, facilitating lateral movement and persistence. Following initial exploitation, attackers install persistent backdoors to maintain long-term access. The attackers' command and control (C2) infrastructure was found to be publicly accessible, including a `/stats` endpoint that displayed real-time metrics of the campaign, indicating operational security failures on the attackers' side. The campaign was discovered through honeypot monitoring by Beelzebub research, which captured the attack traffic and enabled detailed kill chain analysis, including indicators of compromise (IoCs) and detection rules for Suricata and YARA. Although no CVSS score is assigned, the campaign's scale—59,000 servers compromised in 48 hours—demonstrates rapid exploitation and widespread impact. The threat actor also maintains Telegram channels for coordination or information dissemination. The lack of patch links suggests that organizations must urgently seek vendor updates or mitigations for these CVEs. The campaign highlights the critical need for securing Next.js deployments, rotating credentials post-compromise, and employing network detection capabilities to identify malicious activity.
Potential Impact
For European organizations, the impact of this campaign is significant due to the widespread use of Next.js in modern web applications across various sectors including finance, e-commerce, and public services. The theft of environment variables, SSH keys, and cloud credentials can lead to unauthorized access to internal systems, data breaches, and potential ransomware deployment. Persistent backdoors increase the risk of prolonged undetected compromise, enabling attackers to exfiltrate sensitive data or disrupt services. The exposure of cloud credentials could lead to abuse of cloud resources, financial losses, and further lateral attacks within corporate networks. Given the scale of the compromise, organizations may face reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. The publicly exposed C2 infrastructure also suggests attackers may be less cautious, potentially increasing the chance for defenders to detect and respond. However, the rapid exploitation window means many organizations may already be compromised if patches and mitigations were not applied promptly. European entities relying on Next.js for customer-facing or internal applications must assume potential compromise and conduct thorough incident response.
Mitigation Recommendations
1. Immediately identify and patch all Next.js deployments vulnerable to CVE-2025-29927 and CVE-2025-66478 by applying vendor-provided updates or recommended security fixes.
2. Rotate all credentials potentially exposed during the attack window, including database passwords, API keys, SSH keys, and cloud service credentials (AWS, Docker, Git).
3. Conduct comprehensive forensic analysis on affected systems to identify indicators of compromise, backdoors, and lateral movement.
4. Deploy and tune detection rules based on provided Suricata and YARA signatures to monitor network and host activity for signs of exploitation or C2 communication.
5. Restrict access to sensitive files such as .env and SSH keys by enforcing least privilege and secure storage practices.
6. Harden Next.js server configurations, disable unnecessary services, and implement application-layer firewalls to reduce attack surface.
7. Monitor network traffic for unusual outbound connections, especially to known C2 infrastructure or Telegram channels linked to the threat actor.
8. Educate development and operations teams on secure coding and deployment practices for Next.js applications.
9. Establish incident response plans specific to web application compromises involving credential theft and backdoors.
10. Engage with cybersecurity threat intelligence providers to stay updated on evolving tactics related to this campaign.
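Steps 2 and 5 above are where most of the practical work lands: finding every .env file and SSH private key a compromised Next.js host could have leaked, checking whether they were readable beyond their owner, and producing a rotation list. The script below is an added example written for this page; it is not code from the Reddit post, from Beelzebub, or from the Next.js project. The directory layout, the sample .env contents and the heuristic list of credential-like variable names are all assumptions; the audit reports only variable names, never values, so its output can be attached to an incident ticket without leaking the secrets it asks you to rotate.

```python
"""Least-privilege audit for .env files and SSH private keys (added example).

Finds .env* files and SSH private keys under a root directory, flags any that
group or other users can access, and lists credential-looking variable names
that should be rotated after a suspected compromise. Paths, the sample .env
content and the name heuristic are assumptions, not taken from the campaign.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Any group/other permission bit on a secret file violates least privilege.
FORBIDDEN_BITS = stat.S_IRWXG | stat.S_IRWXO

# Assumed heuristic: variable names that usually carry credentials.
SECRET_NAME_RE = re.compile(
    r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY|DATABASE_URL", re.I
)


def env_secret_names(env_path: Path) -> list[str]:
    """Return variable names in a .env file that look like credentials.

    Only names are returned, never values, so the report itself leaks nothing.
    """
    names = []
    for raw in env_path.read_text(encoding="utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name = line.split("=", 1)[0].strip()
        if name.startswith("export "):
            name = name[len("export "):].strip()
        if SECRET_NAME_RE.search(name):
            names.append(name)
    return names


def overly_permissive(path: Path) -> bool:
    """True if group or other users hold any permission on the file."""
    return bool(path.stat().st_mode & FORBIDDEN_BITS)


def audit(root: Path) -> dict:
    """Walk `root`; report permissive secret files and names needing rotation."""
    report = {"permissive": [], "rotate": {}}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        is_env = path.name == ".env" or path.name.startswith(".env.")
        is_ssh_key = (
            path.parent.name == ".ssh"
            and path.name.startswith("id_")
            and not path.name.endswith(".pub")
        )
        if not (is_env or is_ssh_key):
            continue
        rel = str(path.relative_to(root))
        if overly_permissive(path):
            report["permissive"].append(rel)
        if is_env:
            secrets = env_secret_names(path)
            if secrets:
                report["rotate"][rel] = secrets
    return report


def demo() -> dict:
    """Build a constructed app tree: a world-readable .env and a tight SSH key."""
    root = Path(tempfile.mkdtemp())
    app = root / "app"
    app.mkdir()
    # Constructed sample values; none of these are real credentials.
    (app / ".env").write_text(
        "# constructed sample\n"
        "DATABASE_URL=postgres://app:placeholder@db/app\n"
        "NEXTAUTH_SECRET=placeholder\n"
        "AWS_ACCESS_KEY_ID=AKIAPLACEHOLDER\n"
        "PUBLIC_SITE_NAME=example\n"
    )
    os.chmod(app / ".env", 0o644)  # group/other readable: should be flagged
    ssh = root / ".ssh"
    ssh.mkdir()
    (ssh / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n")
    os.chmod(ssh / "id_ed25519", 0o600)  # owner only: should pass
    return audit(root)


if __name__ == "__main__":
    print(demo())
```

Run it against a real deployment root (for example the directory a Next.js process is started from, plus the service account's home) rather than the constructed tree in `demo()`. A non-empty `permissive` list is a finding on its own; the `rotate` map is the starting point for step 2, and it is deliberately conservative: it keys on variable names, so anything stored under an unusual name still has to be reviewed by hand.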
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Source Type
- Subreddit: netsec
- Reddit Score: 5
- Discussion Level: minimal
- Content Source: reddit_link_post
- Domain: beelzebub.ai
- Newsworthiness Assessment: {"score":47.5,"reasons":["external_link","newsworthy_keywords:exploit,cve-,rce","non_newsworthy_keywords:question,rules","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["exploit","cve-","rce","backdoor","threat actor","campaign","compromised","exposed","breach","patch","ioc","yara","analysis"],"foundNonNewsworthy":["question","rules"]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 693ffbd1d9bcdf3f3dd7fb5d
Added to database: 12/15/2025, 12:15:13 PM
Last enriched: 12/15/2025, 12:15:30 PM
Last updated: 12/15/2025, 2:56:40 PM
Views: 65