CVE-2025-29927
Published 2025-03-21
Priority P1 · 93 · critical · 9.1 (CVSS 3.1)
AV:N AC:L PR:N UI:N S:U C:H I:H A:N
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS 99.62% (99.9th percentile)
Next.js is a React framework for building full-stack web applications. Starting in version 11.1.4 (the NVD text reads "1.11.4", a typo; compare the affected ranges below) and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. Next.js tags its own internal subrequests with the x-middleware-subrequest header and skips middleware when it sees it; the header was trusted without verifying that it originated internally, so an external client that sets it skips every check the middleware implements. Checks repeated inside the route handler, API route or server component itself are not skipped by this bypass. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Affected
13 ranges with version data (eight vercel/next.js rows in the source carried no range and are omitted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astrojs | vercel | >= 0 < 10.0.2 | 10.0.2 |
| next | next | >= 12.0.0 < 12.3.5 | 12.3.5 |
| next | next | >= 12.3.5 < 12.3.6 | 12.3.6 |
| next | next | >= 13.0.0 < 13.5.9 | 13.5.9 |
| next | next | >= 13.5.9 < 13.5.10 | 13.5.10 |
| next | next | >= 14.0.0 < 14.2.25 | 14.2.25 |
| next | next | >= 14.2.25 < 14.2.26 | 14.2.26 |
| next | next | >= 15.0.0 < 15.2.3 | 15.2.3 |
| next | next | >= 15.2.3 < 15.2.4 | 15.2.4 |
| vercel | next.js | >= 11.1.4 < 12.3.5 | 12.3.5 |
| vercel | next.js | >= 13.0.0 < 13.5.9 | 13.5.9 |
| vercel | next.js | >= 14.0.0 < 14.2.25 | 14.2.25 |
| vercel | next.js | >= 15.0.0 < 15.2.3 | 15.2.3 |
The one-patch-level rows (12.3.5 < 12.3.6, 13.5.9 < 13.5.10, 14.2.25 < 14.2.26, 15.2.3 < 15.2.4) are the follow-up fix for CVE-2025-30218, the x-middleware-subrequest-id leak introduced by the CVE-2025-29927 patch (see the Red Hat entry below); the astrojs/vercel row matches the related Astro advisory CVE-2026-33768 listed below. Next.js 11.x has no fixed release of its own and must rely on the header-blocking workaround.
Detection & IOCs (extracted from sources)
- Block or alert on any inbound HTTP request containing the x-middleware-subrequest header before it reaches a Next.js application; this header is the sole mechanism of the CVE-2025-29927 auth bypass, and no legitimate external client sends it.
- Hunt for the PCPJack persistence artefact sys-monitor.service (systemd) and the working directory /var/lib/.spm/ on Linux hosts as indicators of post-exploitation activity following CVE-2025-29927 exploitation.
- Detect credential exfiltration to Telegram: stolen data is encrypted with X25519 + ChaCha20-Poly1305, split into 2800-byte chunks and prefixed with a 🔒 emoji before being posted.
- Alert on processes or files named monitor.py, _lat.py, _cu.py, _cr.py, _csc.py or utils.py under /var/lib/.spm/; these are the on-disk names of the PCPJack Python worm modules.
- Detect Sliver beacon binaries dropped as update.bin, update-386.bin or update-arm.bin (also staged at /var/tmp/apt-daily-upgrade) on compromised hosts as second-stage payloads.
- Monitor for outbound connections to cdn[.]cloudfront-js[.]com on port 8443; this is the C2 staging URL used by the second PCPJack toolset (check.sh / Sliver beacons).
- Flag any process that reads /proc/*/environ in bulk; the check.sh toolset uses this to harvest credentials from running process environments.
- A Metasploit auxiliary module (scanner/http/nextjs_middleware_auth_bypass) is publicly available for CVE-2025-29927; monitor WAF/IDS logs for its characteristic probe pattern, a baseline request to a middleware-gated path followed by the same request carrying x-middleware-subrequest.
- The CVE-2025-29927 auth bypass only affects self-hosted Next.js deployments where authorization logic is implemented in middleware; Vercel-hosted applications are not affected according to the advisory.
- The vulnerable version range is broad (11.1.4 through 15.2.2); fixed versions are 12.3.5, 13.5.9, 14.2.25 and 15.2.3. Patch the branch that matches the deployed major version; 11.x has no fixed release and must rely on the header-blocking workaround.
- PCPJack's crypto_util.py silently falls back to sending credentials in plaintext if the cryptography Python library is not installed, so exfiltrated data is not always encrypted.
- The AWS IMDS lateral-movement step in lateral.py only succeeds where IMDSv2 is not strictly enforced; enforcing IMDSv2 blocks this credential-harvesting path.
CVSS provenance
- nvd: v3.1 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- ghsa: 9.1 CRITICAL
- osv: 9.1 CRITICAL
- vulncheck: 9.1 CRITICAL
- vendor_redhat: 9.1 CRITICAL
GHSA
Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
ghsa·2026-03-26
CVE-2026-33768 [MEDIUM] CWE-441 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
## Summary
The `@astrojs/vercel` serverless entrypoint reads the `x-astro-path` header and `x_astro_path` query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirely.
The override preserves the original HTTP method and body, so this isn't limited to GET. POST, PUT, DELETE all land on the rewritten path. A Firewall rule blocking `/admin/*` does nothing when the request comes in as `POST /api/health?x_astro_path=/admin/delete-user`.
## Affected Versions
Verified against:
- **Astro 5.18.1 + @astrojs/vercel 9.0.4** — GET and POST override both work. Full exploitation.
- **Ast
OSV
Next.js may leak x-middleware-subrequest-id to external hosts
osv·2025-04-02·CVSS 9.1 (score and CRITICAL label inherited from CVE-2025-29927; the advisory text below rates this follow-up issue low severity)
CVE-2025-30218 [CRITICAL] Next.js may leak x-middleware-subrequest-id to external hosts
Next.js may leak x-middleware-subrequest-id to external hosts
## Summary
In the process of remediating [CVE-2025-29927](https://github.com/advisories/GHSA-f82v-jwr5-mffw), we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.
Learn more [here](https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O).
## Credit
Thank you to Jinseo Kim [kjsman](https://hackerone.com/kjsman?type=user) and [RyotaK](https://hackerone.com/ryotak?type=user) (GMO Flatt Security Inc.) with [takumi-san.ai](https://takumi-san.ai) for the responsible disclosure. These researchers were awarded as part of our bug bounty program.
OSV
Authorization Bypass in Next.js Middleware
osv·2025-03-21
CVE-2025-29927 [CRITICAL] Authorization Bypass in Next.js Middleware
Authorization Bypass in Next.js Middleware
# Impact
It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
# Patches
* For Next.js 15.x, this issue is fixed in `15.2.3`
* For Next.js 14.x, this issue is fixed in `14.2.25`
* For Next.js 13.x, this issue is fixed in 13.5.9
* For Next.js 12.x, this issue is fixed in 12.3.5
* For Next.js 11.x, consult the below workaround.
_Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability._
# Workaround
If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application.
## Credits
- Allam Rachid (zhero;)
- Allam Yasser
VulnCheck
vercel next.js Improper Authorization
vulncheck·2025·CVSS 9.1
CVE-2025-29927 [CRITICAL] vercel next.js Improper Authorization
vercel next.js Improper Authorization
Next.js is a React framework for building full-stack web applications. Starting in version 11.1.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Affected: vercel next.js
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://secu
Red Hat
next.js: Next.js may leak x-middleware-subrequest-id to external hosts
vendor_redhat·2025-04-02·CVSS 9.1 (score and CRITICAL label inherited from CVE-2025-29927; Vercel's own advisory rates this follow-up issue low severity)
CVE-2025-30218 [CRITICAL] CWE-200 next.js: Next.js may leak x-middleware-subrequest-id to external hosts
next.js: Next.js may leak x-middleware-subrequest-id to external hosts
Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a third-party within Middleware will send the x-middleware-subrequest-id to that third party. This vulnerability is fixed in 12.3.6, 13.5.10, 14.2.26, and 15.2.4.
A flaw was found in the Next.js package. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id, which persisted across multiple incoming requests. However, this subrequest ID is sent to
Red Hat
nextjs: Authorization Bypass in Next.js Middleware
vendor_redhat·2025-03-21·CVSS 9.1
CVE-2025-29927 [CRITICAL] CWE-285 nextjs: Authorization Bypass in Next.js Middleware
nextjs: Authorization Bypass in Next.js Middleware
Next.js is a React framework for building full-stack web applications. Starting in version 11.1.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
A flaw was found in Next.js package. This vulnerability allows bypassing authorization checks within a Next.js application if the authorization check occurs in middleware.
Statement: This vulnerability is r
Suricata
ET WEB_SERVER Next.js Middleware Authorization Bypass (CVE-2025-29927)
suricata·2025-03-24·CVSS 9.1
CVE-2025-29927 [CRITICAL] ET WEB_SERVER Next.js Middleware Authorization Bypass (CVE-2025-29927)
ET WEB_SERVER Next.js Middleware Authorization Bypass (CVE-2025-29927)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Next.js Middleware Authorization Bypass (CVE-2025-29927)"; flow:established,to_server; http.header; to_lowercase; content:"x-middleware-subrequest|3a 20|"; reference:url,projectdiscovery.io/blog/nextjs-middleware-authorization-bypass; reference:cve,2025-29927; classtype:web-application-attack; sid:2061026; rev:1; metadata:attack_target Server, created_at 2025_03_24, cve CVE_2025_29927, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; targe
Exploit-DB
Next.js Middleware 15.2.2 - Authorization Bypass
exploitdb·2025-04-05·CVSS 9.1
CVE-2025-29927 [CRITICAL] Next.js Middleware 15.2.2 - Authorization Bypass
Next.js Middleware 15.2.2 - Authorization Bypass
---
# Exploit Title: Next.js Middleware Bypass Vulnerability (CVE-2025-29927)
# Date: 2025-03-26
# Exploit Author: kOaDT
# Vendor Homepage: https://nextjs.org/
# Software Link: https://github.com/vercel/next.js
# Version: 13.0.0 - 13.5.8 / 14.0.0 - 14.2.24 / 15.0.0 - 15.2.2 / 11.1.4 - 12.3.4
# Tested on: Ubuntu 22.04.5 LTS
# CVE: CVE-2025-29927
# PoC: https://raw.githubusercontent.com/kOaDT/poc-cve-2025-29927/refs/heads/main/exploit.js
# POC GitHub Repository: https://github.com/kOaDT/poc-cve-2025-29927/tree/main
Nuclei
CrushFTP - Authentication Bypass
nuclei·CVSS 9.8
CVE-2025-31161 [CRITICAL] CrushFTP - Authentication Bypass
CrushFTP - Authentication Bypass
CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
Template:
id: CVE-2025-31161
info:
name: CrushFTP - Authentication Bypass
author: parthmalhotra,Ice3man,DhiyaneshDk,pdresearch,whattheslime
severity: critical
description: |
CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.
impact: |
Unauthenticated attackers can bypass authentication by forging session cookies, gaining unaut
Nuclei
Next.js Middleware Authorization Bypass
nuclei·CVSS 9.1
CVE-2025-29927 [CRITICAL] Next.js Middleware Authorization Bypass
Next.js Middleware Authorization Bypass
A critical vulnerability in Next.js middleware allows attackers to bypass authorization checks by manipulating the x-middleware-subrequest header. This flaw affects Next.js versions prior to 14.2.25 and 15.2.3, potentially granting unauthorized access to sensitive resources.
Template:
id: CVE-2025-29927-HEADLESS
info:
name: Next.js Middleware Authorization Bypass
author: ademking
severity: critical
description: |
A critical vulnerability in Next.js middleware allows attackers to bypass authorization checks by manipulating the x-middleware-subrequest header. This flaw affects Next.js versions prior to 14.2.25 and 15.2.3, potentially granting unauthorized access to sensitive resources.
impact: |
Unauthenticated attackers can bypass middleware autho
Metasploit
Next.js Middleware Authorization Bypass Scanner
metasploit·CVSS 9.1
CVE-2025-29927 [CRITICAL] Next.js Middleware Authorization Bypass Scanner
Next.js Middleware Authorization Bypass Scanner
This module detects self-hosted Next.js applications affected by CVE-2025-29927, an authorization bypass in the middleware layer. Next.js tags its own internal subrequests with the x-middleware-subrequest header and skips middleware when it sees it. The header is trusted without verifying it originated internally, so an external client that supplies it causes middleware to be skipped entirely, bypassing any authentication, authorization, or redirects implemented there. Affected self-hosted versions are < 12.3.5, < 13.5.9, < 14.2.25, and < 15.2.3. The module performs a differential check: it sends a baseline request to a user-supplied, normally middleware-gated path (expecting a redirect or a 401/403), then repeats the request with a crafted
Nuclei
Next.js Middleware Bypass
nuclei·CVSS 9.1
CVE-2025-29927 [CRITICAL] Next.js Middleware Bypass
Next.js Middleware Bypass
Next.js contains a critical middleware bypass vulnerability affecting versions 11.1.4 through 15.2.2.
The vulnerability allows attackers to bypass middleware security controls by sending a specially crafted
'x-middleware-subrequest' header, which can lead to authorization bypass and other security control circumvention.
Template:
id: CVE-2025-29927
info:
name: Next.js Middleware Bypass
author: pdresearch,pdteam,hazedic
severity: critical
description: |
Next.js contains a critical middleware bypass vulnerability affecting versions 11.1.4 through 15.2.2.
The vulnerability allows attackers to bypass middleware security controls by sending a specially crafted
'x-middleware-subrequest' header, which can lead to authorization bypass and other security control circum
arXiv
ZeroDayBench: Evaluating LLM Agents on Unseen Zero-Day Vulnerabilities for Cyberdefense
arxiv_fulltext·2026-03-02
ZeroDayBench: Evaluating LLM Agents on Unseen Zero-Day Vulnerabilities for Cyberdefense
## Abstract
Large language models (LLMs) are increasingly being deployed as software engineering agents that autonomously contribute to repositories. A major benefit these agents present is their ability to find and patch security vulnerabilities in the codebases they oversee. To estimate the capability of agents in this domain, we introduce ZeroDayBench, a benchmark where LLM agents find and patch 22 novel critical vulnerabilities in open-source codebases. We focus our efforts on three popular frontier agentic LLMs: GPT-5.2, Claude Sonnet 4.5, and Grok 4.1. We find that frontier LLMs are not yet capable of autonomously solving our tasks and observe some behavioral patterns that suggest how these models can be improved in the domain of proactive cyberdefense.
## Introduction
Large langu
CTF
2025_AppSec-IL / NextGen
ctf_writeups·2025
2025_AppSec-IL / NextGen
# NextGen
* Category: API
* Solved by the JCTF Team
## Description
> Hey everyone! 👋
>
> I've been working hard on our brand new Next Gen Portal - a sleek, modern enterprise dashboard that's going to revolutionize how our teams collaborate and manage their workflows. The design is clean, the interface is intuitive, and I think you're all going to love it!
>
> Quick heads up: There's an "Admin Panel" button in there, but don't bother clicking it unless you're actually an admin - the system has proper security controls in place, so regular users won't be able to access it anyway.
A website was attached.
## Solution
During the competition, we solved this with an unintended solution, you can see the details below.
### Intended Solution
We are prompted to register to a website:
CTF
medium / README
ctf_writeups·CVSS 9.1
[CRITICAL] medium / README
---
layout: default
title: Medium Machines
parent: Machines
nav_order: 2
description: "112+ Medium HTB machine writeups with walkthroughs"
permalink: /machines/medium/
---
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
---
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
NeuroSync-D / README
ctf_writeups
NeuroSync-D / README
# NeuroSync-D
> Write-up author: jon-brandy
## Lessons Learned:
1. asda
## SCENARIO:
NeuroSync™ is a leading suite of products focusing on developing cutting edge medical BCI devices, designed by the Korosaki Corporation. Recently, an APT group targeted them and was able to infiltrate their infrastructure and is now moving laterally to compromise more systems. It appears that they have even managed to hijack a large number of online devices by exploiting an N-day vulnerability. Your task is to find out how they were able to compromise the infrastructure and understand how to secure it.
## STEPS:
1. SAFDAS
> 1ST QUESTION -> ANS:
> 2ND QUESTION -> ANS:
> 3RD QUESTION -> ANS:
> 4TH QUESTION -> ANS:
> 5TH QUESTION -> ANS:
> 6TH QUESTION -> ANS:
> 7TH QUESTION -> ANS:
> 8TH
Rapid7
Weekly Metasploit Update: Modules for Audiobookshelf, LiteLLM, Next.js, Dalfox and more
blogs_rapid7·2026-06-26·CVSS 8.2
CVE-2025-25205 [HIGH] Weekly Metasploit Update: Modules for Audiobookshelf, LiteLLM, Next.js, Dalfox and more
## Help shape the future of Metasploit Framework
We are planning future work in relation to the evasion capabilities present in Metasploit Framework, and how they function/are presented to users. We are currently accepting responses to our feedback form, which means that you can shape the future of how evasive capabilities are implemented in Metasploit Framework. The proposal for the changes can be found here , and you can submit your responses to the form here . The form will stop accepting responses on the 1st of July, 2026.
New module content and improvements have also been added this week. This includes a Next.js Middleware Authorization Bypass scanner, LiteLLM Proxy SQL Injection, an unauthenticated API authentication bypass scanner for Audiobookshelf, a deserialization RCE in Dalfo
Sans Isc
TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th)
blogs_sans_isc·2026-05-18
CVE-2026-45321 TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th)
TeamPCP Supply Chain Campaign: Activity Through 2026-05-17
Published: 2026-05-18. Last Updated: 2026-05-18 20:08:00 UTC
by Kenneth Hartman (Version: 1)
0 comment(s)
Since the last update, the TeamPCP supply chain campaign produced its loudest stretch since the March Trivy disclosure: an officially confirmed Checkmarx Jenkins plugin compromise and a new self-spreading Mini Shai-Hulud worm across npm and PyPI.
Bottom line up front
Two TeamPCP events broke within 48 hours of each other and doubled attention on the campaign. Checkmarx confirmed its Jenkins AST plugin was trojanized, its third compromise in three months, validating an earlier single-researcher claim. In parallel, a new Mini Shai-Hulud worm poisoned roughly 170 npm and PyPI packages (42 @tanstack packages in about six minut
Bleepingcomputer
New PCPJack worm steals credentials, cleans TeamPCP infections
blogs_bleepingcomputer·2026-05-07·CVSS 9.1
CVE-2025-29927 [CRITICAL] New PCPJack worm steals credentials, cleans TeamPCP infections
## New PCPJack worm steals credentials, cleans TeamPCP infections
## Bill Toulas
PCPJack’s capabilities revolve mainly around credential theft, targeting cloud environments, developer systems, messenger apps, financial services, databases, SSH keys, Slack tokens, WordPress configs, OpenAI keys, Anthropic keys, Discord, DigitalOcean, and more.
The credentials are exfiltrated to Telegram channels after they are encrypted using X25519 ECDH and ChaCha20-Poly1305, and split into 2800-byte chunks respecting Telegram’s message character limits.
PCPJack propagates by scanning external cloud infrastructure for exposed services such as Docker, Kubernetes, Redis, MongoDB, and RayML, then attempts exploiting known vulnerabilities to gain access.
It also downloads hostname data from Common Crawl p
Sentinelone
PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
blogs_sentinelone·2026-05-07
CVE-2025-29927 PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
## PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
## Executive Summary
SentinelLABS has identified PCPJack, a credential theft framework that worms across exposed cloud infrastructure and removes artifacts associated with TeamPCP, a threat actor persona who claimed several high-profile supply chain intrusions throughout early 2026.
The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts.
PCPJack targets exposed services including Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, enabling both external propagation and lateral movement inside victim environments.
Unlike typical
Hackernews
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
blogs_hackernews·2026-05-07
CVE-2025-55182 PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
## PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments.
"The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts," SentinelOne security researcher Alex Delamotte said in a report published today.
PCPJack is specifically designed to
Wiz
The Foundation Modern AppSec Is Still Missing: Code to Cloud, Rebuilt the Right Way | Wiz Blog
blogs_wiz·2025-10-17·CVSS 9.1
[CRITICAL] The Foundation Modern AppSec Is Still Missing: Code to Cloud, Rebuilt the Right Way | Wiz Blog
Modern development practices mean everything is defined in code: containers, infrastructure, APIs, and CI workflows. But security hasn’t kept up. Siloed scanners like SCA, IaC tools, CSPM, DAST, and pen-tests generate alerts, not clarity, fueling a constant disconnect between security and engineering.
Teams have tried to bridge the gap with tagging, CMDBs, and post-deploy tooling borrowed from observability. But these systems weren’t built for security. They require manual setup, brittle pipelines, and constant upkeep. In short, they don’t scale. And they don’t answer the one question that matters most in a security incident: Where did this risk come from?
# The Wiz Security Graph is now source-aware
The answer is a new standard for visibility and traceability across the entire software
Zscaler
CVE-2025-3248: RCE vulnerability in Langflow | ThreatLabz
blogs_zscaler·2025-04-22·CVSS 9.8
[CRITICAL] CVE-2025-3248: RCE vulnerability in Langflow | ThreatLabz
Wiz
Crying Out Cloud Newsletter - April 2025 | Wiz
blogs_wiz·2025-04-01·CVSS 9.8
CVE-2025-24813 [CRITICAL] Crying Out Cloud Newsletter - April 2025 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype - RCE Vulnerability in Apache Tomcat Exploited in-the-Wild
CVE-2025-24813 is a remote code execution (RCE) vulnerability affecting Apache Tomcat. Under specific conditions, an attacker can upload a malicious session file via a partial PUT request and trigger its execution, potentially leading to full server compromise. The exploit requires several preconditions to be met, including specific server configurations and the presence of a deserialization-vulnerable library. While active exploitation has reportedly been observed in the wild, we estimate that in practice,
Zscaler
CVE-2025-29927: Next.js Middleware Flaw | ThreatLabz
blogs_zscaler·2025-03-27·CVSS 9.1
[CRITICAL] CVE-2025-29927: Next.js Middleware Flaw | ThreatLabz
Zscaler
CXO Monthly Roundup, March 2025: AI Security Report, CoffeeLoader analysis, and more | CXO Revolutionaries
blogs_zscaler
CXO Monthly Roundup, March 2025: AI Security Report, CoffeeLoader analysis, and more | CXO Revolutionaries
## CXO Monthly Roundup, March 2025: AI Security Report, CoffeeLoader analysis, and more
Deepen Desai
Contributor
Zscaler
## Apr 1, 2025
The March edition of the CXO Monthly Roundup from Zscaler ThreatLabz.
Welcome to the new CXO Monthly Roundup, an expansion from "CISO" due to the interest in this ongoing series from all technical C-level readers. We feature the latest threat research from the Zscaler ThreatLabz team and other cybersecurity insights.
In this edition, we unpack the highlights from our recent 2025 AI Security Report, which contains relevant insights for the entire enterprise. Plus, read our technical analysis of the CoffeeLoader malware, learn about recently discovered vulnerabilities, and explore emerging threats.
## Zscaler ThreatLabz 2025 AI Security Report: Balan
Greynoiseio
NoiseLetter March 2025
blogs_greynoiseio
NoiseLetter March 2025
References
- https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2
- https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48
- https://github.com/vercel/next.js/releases/tag/v12.3.5
- https://github.com/vercel/next.js/releases/tag/v13.5.9
- https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
- http://www.openwall.com/lists/oss-security/2025/03/23/3
- http://www.openwall.com/lists/oss-security/2025/03/23/4
- https://security.netapp.com/advisory/ntap-20250328-0002/
Published 2025-03-21 · Exploited in the wild