
Massive Next.js Server Compromise: 59k Servers Breached in 48 Hours via CVE-2025-29927 and CVE-2025-66478
A recent discovery by a cybersecurity researcher has uncovered a large-scale campaign targeting Next.js servers, dubbed "Operation PCPcat." The attacker exploited critical vulnerabilities CVE-2025-29927 and CVE-2025-66478 to achieve remote code execution (RCE) on approximately 59,000 Next.js servers within a mere 48 hours. The compromised servers were used to exfiltrate sensitive information, including .env files, SSH keys, AWS credentials, Docker configurations, and Git credentials.

The attacker's command and control (C2) server was found to be exposed, revealing real-time metrics through a /stats endpoint. This exposure provided valuable insights into the scale and operation of the campaign, which included the installation of persistent backdoors and centralized management of tasks and data exfiltration.

The technical implications of this campaign are severe. The exploitation of these vulnerabilities allows attackers to gain full control over affected servers, leading to potential data breaches and further compromise of interconnected systems. The theft of credentials and configuration files can facilitate lateral movement and escalation of privileges within an organization's infrastructure.

The impact on the cybersecurity landscape is significant. Next.js is a popular framework for building web applications, and its widespread use makes it an attractive target for attackers. The rapid compromise of 59,000 servers highlights the efficiency and automation of modern attack campaigns. Furthermore, the installation of persistent backdoors underscores the importance of continuous monitoring and incident response capabilities.

From an expert perspective, this campaign serves as a stark reminder of the critical importance of timely patching and vulnerability management. Organizations must ensure that their systems are up to date with the latest security patches and that they have robust monitoring and detection mechanisms in place. Additionally, the exposure of the attacker's C2 server highlights the potential for researchers to uncover and disrupt ongoing attack campaigns.

In conclusion, the discovery of "Operation PCPcat" underscores the ongoing threat posed by vulnerabilities in popular web frameworks and the importance of proactive cybersecurity measures. Organizations are advised to immediately patch the affected vulnerabilities, monitor for signs of compromise, and review their credential management practices to mitigate the risk of similar attacks.