Skip to content

RCE Confirmed via Umami Dependency (Next.js CVE-2025-66478) #3852

New issue
New issue
Open
Open
RCE Confirmed via Umami Dependency (Next.js CVE-2025-66478)#3852
@ehtishamsajjad

Description

@ehtishamsajjad
ehtishamsajjad
opened on Dec 7, 2025

Describe the Bug

I am reporting this to confirm that a critical vulnerability in Next.js (CVE-2025-66478) led to a root-level compromise on my server, where Umami was running.

I understand Umami has released a fix, but this report serves to:

  1. Validate the vector: Confirm the RCE was exploitable through Umami's use of the vulnerable Next.js version.
  2. Alert the community: Share the attacker's observed post-exploitation steps, which may help others detect a compromise.

๐Ÿ”Ž Attacker Post-Exploitation Activity

After gaining root access, the attacker deployed the following stealthy persistence mechanisms:

  • Cron Jobs
  • Modified Shell Profiles (e.g., .bashrc)
  • Untracked binary "hash" inside the local Umami project

โœ… Action & Recommendation

My server was rebuilt completely to ensure integrity.

I recommend users on old versions not only update Umami but also perform a deep integrity check for persistence files if they suspect a past compromise.

Thank you for the prompt update to the Umami codebase.

Database

PostgreSQL

Relevant log output


    
      
      
    
  


Which Umami version are you using? (if relevant)


2.19.0


Which browser are you using? (if relevant)


Chrome


How are you deploying your application? (if relevant)


Hetzner
Activity
amorgner
amorgner commented on Dec 7, 2025 
@amorgner
amorgner
on Dec 7, 2025 ยท edited by amorgner
Can confirm, happened on one of my servers, too, where Umami was running inside a docker container.


I discovered the following processes inside the umami docker container:


885 nextjs    3h26 /tmp/fghgf -c /tmp/config.json -B

7563 nextjs    0:00 qcxgxgtqh
7564 nextjs    3:11 qcxgxgtqh
7565 nextjs    3:25 qcxgxgtqh
7566 nextjs    0:00 [qcxgxgtqh]
7569 nextjs    2d14 /var/tmp/softirq -o 45.94.31.89:443 -u react -p 3cthDeQ5 --tls --randomx-1gb-pages --opencl --cuda -B


    
      
      
    
  


Also, the fghgf seems to span a health check process:


3161046 ?        Ssl  72531:04 /tmp/fghgf -c /tmp/config.json -B
3185135 ?        S      0:50 ash /tmp/health.sh
3201119 ?        S      0:49 ash /tmp/health.sh
3207170 ?        S      0:49 ash /tmp/health.sh


    
      
      
    
  


Content of the /tmp dir of the docker container:


/tmp $ ls -la
total 64624
drwxrwxrwt    1 root     root          4096 Dec  7 14:37 .
drwxr-xr-x    1 root     root          4096 Aug 18 09:14 ..
drwx------    2 nextjs   nogroup       4096 Dec  5 18:50 .ksoftirqd-private-f393y1moabubffpqvozboktusmfzqj1k-ksoftirqd-softirq.service-NjSR4
drwxr-xr-x    2 nextjs   nogroup       4096 Dec  5 14:29 .upower.service-utx2xg
-rwxr-xr-x    1 nextjs   nogroup    1505928 Dec  6 00:53 1764982384041_CeRYka5h_streamts
-rwxrwxrwx    1 nextjs   nogroup      50552 Dec  5 15:45 a
-rw-r--r--    1 nextjs   nogroup       7865 Dec  7 14:37 config.json
-rw-r--r--    1 nextjs   nogroup         24 Dec  7 14:20 contact.txt
-rwxr-xr-x    1 nextjs   nogroup       9800 Dec  7 11:34 f62f10ddtcp
-rwxrwxrwx    1 nextjs   nogroup    8334576 Dec  7 14:37 fghgf
-rwxrwxrwx    1 nextjs   nogroup        418 Dec  5 17:06 health.sh
-rwxr-xr-x    1 nextjs   nogroup    8693336 Dec  6 09:13 httprs
-rwxr-xr-x    1 nextjs   nogroup   46421977 Dec  7 11:37 install
-rwxr-xr-x    1 nextjs   nogroup       1336 Dec  7 11:37 install.sh
-rwxr-xr-x    1 nextjs   nogroup        250 Dec  5 17:30 kernelfix2
drwx------    2 nextjs   nogroup       4096 Dec  5 23:02 kodohabOnPhE
drwx------    2 nextjs   nogroup       4096 Dec  5 21:29 kodohanbkoai
drwxr-xr-x    1 root     root          4096 Jul 27 22:25 node-compile-cache
-rwxr-xr-x    1 nextjs   nogroup      98734 Dec  5 19:47 s.sh
-rw-r--r--    1 nextjs   nogroup        193 Dec  5 14:29 sys.sh
drwxr-xr-x    2 nextjs   nogroup       4096 Dec  7 11:37 trufflehog_install
-rwxr-xr-x    1 nextjs   nogroup     978928 Dec  6 01:12 udpapx
drwx------    2 nextjs   nogroup       4096 Dec  5 21:12 xr-realOKldag


    
      
      
    
  


I have saved everything from the docker container (/tmp, /var/tmp/ /home/nextjs) for evidence.
MichaelBelgium
MichaelBelgium commented on Dec 8, 2025 
@MichaelBelgium
MichaelBelgium
on Dec 8, 2025 ยท edited by MichaelBelgium
Duplicate of #3839 , was already confirmed back then


And already patched in 3.0.2 (3 days ago) or 2.20.0 (2 days ago)
Mubelotix
marked Got hacked, thank you Umami #3860 as a duplicate of this issue on Dec 9, 2025
jowo-io
jowo-io commented on Dec 14, 2025 
@jowo-io
jowo-io
on Dec 14, 2025 ยท edited by jowo-io
We recently had an incident where our umami frontend was triggerering popups which would open a gambling site. updated the server and the issue stopped. The popups were also being triggered on the main site that was importing the umami analytics script. Currently digging into the issue
NoobTW
mentioned this on Dec 16, 2025
nospi
nospi commented on Dec 16, 2025 
@nospi
nospi
on Dec 16, 2025
Hi @amorgner I've been hit with the same thing, same filenames but a different IP for the C2 server - hosted on AWS.


It was running in memory and had cleaned up the files under /tmp. I recovered the binary, but not the config.json.


What contents did you find in the files under /tmp? Presuming it was running some kind of crypto mining rig or something?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Metadata
Metadata
Assignees
No one assigned
    Labels
    No labels
    No labels
    Type
    No type
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
      Development
      No branches or pull requests
        Participants
        @amorgner@MichaelBelgium@jowo-io@nospi@ehtishamsajjad
        Issue actions