
Operation PCPcat: Exploiting Next.js 0-day Vulnerabilities to Steal Credentials from 59,000 Servers
A recently uncovered campaign, dubbed Operation PCPcat, exploits two zero-day vulnerabilities in Next.js, CVE-2025-29927 and CVE-2025-66478. A security researcher detected the attacks through a Docker honeypot. The threat actor group behind it, PCP Cat, compromised approximately 59,000 servers, with a reported exploitation success rate of 64.6%.

The attackers went after secrets on the compromised hosts: .env files containing environment variables, cloud credentials for AWS, GCP, and Azure, private SSH keys, Docker configuration files, and bash history. The command-and-control (C2) infrastructure used by PCP Cat exposed real-time campaign metrics through a publicly accessible API endpoint at /stats. That exposure is unusual and gave researchers direct intelligence on the scale and progress of the operation.

Next.js is a widely used React framework for server-side rendering and static site generation, so a flaw in it reaches a large share of modern web applications. CVE-2025-29927 is an authorization bypass in the framework's middleware layer: an external request that carries the internal x-middleware-subrequest header can cause Next.js to skip middleware, and with it any authentication or authorization checks implemented there. Fixed versions are 15.2.3, 14.2.25, 13.5.9 and 12.3.5; where patching is not immediately possible, the Next.js advisory recommends blocking or stripping that header from external requests before they reach the application.

For security teams, the campaign underscores three things: timely patching of web frameworks and their dependencies; robust secret management, meaning secrets kept in a vault or the platform's secret store rather than in files readable by the web process, short-lived cloud credentials, and deploy keys rather than personal SSH keys on servers; and the value of deception technology, since a honeypot is what surfaced this campaign. Organizations running Next.js should update to a fixed version immediately, then review server configuration, credential handling, and access logs for signs of compromise: requests carrying x-middleware-subrequest, requests for .env or credential file paths, and unexpected outbound connections from the web host. Any credential that was present on an exposed server should be treated as compromised and rotated.
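As an added example, not code from the article or from the PCPcat research, the following Node.js script triages an access log for the two indicators discussed above: external requests carrying the x-middleware-subrequest header (the header named in the public Next.js advisory for CVE-2025-29927) and requests for the kinds of secret-bearing files the campaign is reported to steal. It also shows the header-stripping mitigation as a small function. The JSON-lines log format, the field names, and the sample log lines are constructed for this example.

```javascript
// Added example (not from the article or the PCPcat research): triage an
// access log for (1) the x-middleware-subrequest header, which the public
// Next.js advisory for CVE-2025-29927 identifies as the way an external
// request can make the framework skip middleware, and (2) requests for the
// files the campaign is reported to steal. Log format and sample lines are
// constructed for this example.

const BYPASS_HEADER = 'x-middleware-subrequest';

// Paths that map to the secret types named in the article.
const SECRET_PATHS = [
  /(^|\/)\.env(\.|$)/i,           // .env, .env.local, .env.production
  /\/\.aws\/credentials$/i,       // AWS CLI credentials
  /\/\.config\/gcloud\//i,        // GCP CLI state
  /\/\.azure\//i,                 // Azure CLI state
  /\/\.ssh\/id_[a-z0-9]+$/i,      // private SSH keys (id_rsa, id_ed25519, ...)
  /\/\.docker\/config\.json$/i,   // Docker registry auth
  /\/\.bash_history$/i,           // shell history
];

// Lower-cases header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
}

// Returns a list of findings for one parsed request (empty when benign).
function classifyRequest(req) {
  const findings = [];
  const headers = normalizeHeaders(req.headers);
  if (BYPASS_HEADER in headers) {
    // Detection keys on presence only; the value is whatever the client sent.
    findings.push({ kind: 'middleware-bypass-header', value: headers[BYPASS_HEADER] });
  }
  let path = String(req.path || '').split('?')[0];
  try { path = decodeURIComponent(path); } catch { /* keep raw path if malformed */ }
  if (SECRET_PATHS.some((re) => re.test(path))) {
    findings.push({ kind: 'secret-file-request', status: req.status });
  }
  return findings;
}

// Scans a JSON-lines access log; unparsable lines are skipped, not fatal.
function scanAccessLog(text) {
  const results = [];
  text.split('\n').forEach((line, i) => {
    if (!line.trim()) return;
    let req;
    try { req = JSON.parse(line); } catch { return; }
    for (const f of classifyRequest(req)) {
      results.push({ line: i + 1, ip: req.ip, path: req.path, ...f });
    }
  });
  return results;
}

// Edge mitigation from the advisory: remove the header before the request
// reaches an unpatched Next.js app (returns a new, lower-cased header map).
function stripBypassHeader(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() !== BYPASS_HEADER) out[k.toLowerCase()] = v;
  }
  return out;
}

// Constructed sample log: one bypass attempt, one successful .env fetch,
// one benign request, one failed key fetch, one corrupt line.
const SAMPLE_LOG = [
  '{"ip":"203.0.113.7","method":"GET","path":"/api/admin/users","status":200,"headers":{"x-middleware-subrequest":"middleware:middleware:middleware:middleware:middleware"}}',
  '{"ip":"203.0.113.7","method":"GET","path":"/.env","status":200,"headers":{}}',
  '{"ip":"198.51.100.4","method":"GET","path":"/","status":200,"headers":{"user-agent":"Mozilla/5.0"}}',
  '{"ip":"203.0.113.7","method":"GET","path":"/.ssh/id_rsa","status":404,"headers":{}}',
  'not json at all',
].join('\n');

console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
```

A 200 on a secret-file path is the finding to escalate first: it means the file was actually served, so every credential it could contain should be rotated. Hits for the bypass header from an external address against an unpatched version mean the middleware checks on that route were skipped.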