If you are running an unpatched Next.js App Router, the December vulnerability (CVE-2025-55182, CVSS 10.0) has officially been weaponized at scale.
A new report from Cisco's threat intelligence team, Talos, linked the threat cluster UAT-10608 to a highly automated credential harvesting campaign. At least 766 unpatched hosts were breached in just 24 hours.
Database credentials, AWS secrets, Stripe API keys, and GitHub tokens are being ripped out and automatically funneled into "NEXUS Listener," a sophisticated C2 (command-and-control) server run by the attacker and equipped with its own analytics dashboard.
A patch has been available since December 2025. If you haven't applied it yet, now would be a good time.
Check your systems today.
https://blog.talosintelligence.com/uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications/