Why it matters
A coordinated threat group is weaponizing CVE-2025-55182, a remote‑code‑execution bug in the Next.js framework, to infiltrate hundreds of web applications. By sending crafted requests that trigger the vulnerable server‑side rendering pipeline, attackers gain code execution on the underlying host and establish a persistent foothold in at least 766 identified sites within weeks of the vulnerability’s disclosure.
The intrusion chain focuses on stealing high‑value secrets: database passwords, SSH private keys, and cloud‑service API credentials are routinely exfiltrated and used to pivot into downstream services, amplifying supply‑chain exposure. Defenders must prioritize immediate patching of Next.js, enforce strict credential hygiene (rotation and least‑privilege), and deploy detection rules for anomalous request patterns and unauthorized outbound data flows.