Security Briefing April 3, 2026 Β· 8 min read

Next.js React2Shell Exploited to Breach 766 Hosts at Scale, Drift Protocol Loses $280M in Solana Multisig Hack, Cisco Patches Two 9.8 CVSS Critical Flaws, ShareFile Pre-Auth RCE Chain Exposes 30K Instances

Cisco Talos exposes UAT-10608's mass exploitation of CVE-2025-55182 (React2Shell) to steal credentials from 766 Next.js hosts using the NEXUS Listener framework. DeFi platform Drift Protocol hemorrhages $280 million after attackers seize Security Council multisig powers on Solana. Cisco ships emergency patches for IMC authentication bypass (CVE-2026-20093) and SSM command injection (CVE-2026-20160), both rated 9.8 CVSS. Progress ShareFile pre-auth RCE chain threatens 30,000 internet-exposed instances. Apple broadens iOS 18.7.7 rollout to block the DarkSword exploit kit.


πŸ”΄ Next.js React2Shell Exploited at Scale β€” 766 Hosts Breached by NEXUS Listener Campaign

⚠️ CRITICAL β€” Patch Next.js Immediately (CVE-2025-55182, CVSS 10.0)

A large-scale automated credential harvesting operation is actively exploiting the React2Shell vulnerability in Next.js App Router deployments. At least 766 hosts across multiple cloud providers have been compromised. Rotate all secrets on any affected host.

Cisco Talos has published a detailed report on UAT-10608, a threat cluster running an industrial-scale credential harvesting operation by exploiting CVE-2025-55182 β€” the critical React Server Components / Next.js App Router flaw known as React2Shell that enables remote code execution.

The attack is highly automated: the threat actor scans for publicly reachable Next.js deployments, probes them for the vulnerability, and deploys the NEXUS Listener collection framework β€” a multi-phase harvesting toolkit now in its third major version.

What Gets Stolen

NEXUS Listener C2 Dashboard

The exfiltrated data feeds into a password-protected web GUI called NEXUS Listener V3, offering the attacker searchable access to all compromised hosts, stolen credentials, and analytics. Talos obtained data from an unauthenticated NEXUS Listener instance, confirming the breadth of the stolen material.

The indiscriminate targeting pattern suggests UAT-10608 uses automated scanners (Shodan, Censys, or custom) to identify vulnerable Next.js deployments at internet scale. Organizations running Next.js with App Router should patch immediately and rotate all secrets β€” AWS keys, database credentials, SSH keys, and API tokens β€” on any host that may have been exposed.


πŸ’° Drift Protocol Loses $280 Million in Sophisticated Solana Multisig Hack

⚠️ CRITICAL β€” All Drift Protocol Functions Frozen

$280M+ drained from Drift Protocol after an attacker hijacked Security Council multisig powers using pre-signed durable nonce transactions. Borrow/lend deposits, vault deposits, and trading funds are affected. Do not deposit funds.

The Drift Protocol, a leading DeFi trading platform on the Solana blockchain with 200,000 traders and $55 billion in total trading volume, lost at least $280 million in a meticulously planned heist that didn't exploit any smart contract vulnerability.

Attack Timeline

DateAction
March 23–30Attacker sets up durable nonce accounts, obtains 2/5 multisig approvals from Security Council members
April 1 (execution)Legitimate transaction executed, immediately followed by pre-signed malicious transactions
Minutes laterAdmin control transferred to attacker, malicious asset introduced, withdrawal limits removed
April 1 (drain)$280M+ drained from protocol reserves

What Makes This Attack Different

The attacker leveraged durable nonce accounts β€” a Solana feature that allows pre-signed transactions to remain valid indefinitely β€” to prepare the heist days in advance. By obtaining the minimum 2-of-5 Security Council approvals and pre-signing malicious transactions, the attacker could execute the drain with surgical precision at a chosen moment.

This wasn't a smart contract bug or a flash loan attack β€” it was a governance-level compromise that exploited the trust model of multisig administration. Drift is working with security firms, exchanges, and law enforcement to trace and freeze the stolen funds. DSOL is unaffected and insurance fund assets are secured.


πŸ›‘οΈ Cisco Patches Two 9.8 CVSS Critical Vulnerabilities in IMC and SSM

⚠️ CRITICAL β€” Patch IMC (CVE-2026-20093) and SSM (CVE-2026-20160) Immediately

Both vulnerabilities allow unauthenticated remote attackers to gain admin/root access. No workarounds available β€” patching is the only mitigation.

CVE-2026-20093 β€” IMC Authentication Bypass (CVSS 9.8)

A flaw in the Cisco Integrated Management Controller allows unauthenticated remote attackers to bypass authentication by sending crafted HTTP requests. Successful exploitation lets attackers alter passwords for any user, including Admins, and gain full system access.

Affected ProductFixed Version
5000 Series ENCS4.15.5
Catalyst 8300 Edge uCPE4.18.3
UCS C-Series M5/M6 Rack Servers4.3(2.260007), 4.3(6.260017), 6.0(1.250174)
UCS E-Series M33.2.17
UCS E-Series M64.15.3

CVE-2026-20160 β€” SSM On-Prem Command Injection (CVSS 9.8)

An unintentional exposure of an internal service in Cisco Smart Software Manager On-Prem allows unauthenticated attackers to execute arbitrary commands with root-level privileges via crafted API requests. Fixed in SSM On-Prem version 9-202601.

While neither flaw has been exploited in the wild yet, recent Cisco vulnerabilities have been rapidly weaponized by threat actors. With no workarounds available, immediate patching is the only defense.


πŸ“ Progress ShareFile Pre-Auth RCE Chain β€” 30,000 Instances Exposed

🟠 HIGH β€” Patch ShareFile Storage Zones Controller to 5.12.4

Two chained vulnerabilities enable unauthenticated remote code execution on Progress ShareFile Storage Zones Controller. Approximately 30,000 instances are internet-exposed.

Offensive security firm watchTowr has disclosed a devastating two-bug chain in Progress ShareFile Storage Zones Controller (SZC) β€” the on-premises component that gives enterprises control over their file storage:

Why This Matters

File transfer solutions are prime targets for ransomware groups β€” the Clop gang has previously hit Accellion FTA, SolarWinds Serv-U, GoAnywhere MFT, MOVEit Transfer, Gladinet CentreStack, and Cleo. With ~30,000 SZC instances exposed on the internet (700 confirmed by ShadowServer), this vulnerability chain follows the same high-value pattern.

Patches have been available since March 10 in ShareFile 5.12.4. Organizations running ShareFile with on-premises storage zones should treat this as an emergency priority.


🍎 Apple Expands iOS 18.7.7 to Block DarkSword Exploit Kit

Apple has expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect against the DarkSword exploit kit β€” an iOS attack toolkit active since July 2025, targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine.

The expanded update now covers all iPhones from XR through iPhone 16e and a wide range of iPads. This is an unusual move for Apple β€” rather than requiring users to jump to iOS 26, the company is backporting critical security fixes to allow users to stay on iOS 18 while remaining protected.

Users with Automatic Updates enabled will receive the patch automatically. Those who haven't updated are urged to do so immediately.


πŸ“‹ Quick Hits


πŸ›‘οΈ Recommended Actions

  1. Next.js: Patch all Next.js App Router deployments against CVE-2025-55182 immediately. Rotate all secrets (AWS, SSH, database, API keys) on any potentially exposed host. Search for NEXUS Listener indicators of compromise.
  2. DeFi Governance: Review multisig configurations β€” ensure threshold requirements are sufficient and implement time-locks on admin operations. Monitor for pre-signed durable nonce transactions.
  3. Cisco: Apply patches for CVE-2026-20093 (IMC) and CVE-2026-20160 (SSM On-Prem) with no delay. No workarounds exist.
  4. ShareFile: Upgrade ShareFile Storage Zones Controller to version 5.12.4. Audit for webshells in the SZC webroot. Restrict SZC admin interface access to internal networks only.
  5. Apple: Ensure all iOS/iPadOS devices are updated to 18.7.7 or later. Enable Automatic Updates across your fleet.
  6. Claude Code Scam: Warn development teams about fake Claude Code repositories on GitHub distributing Vidar malware. Block ClaudeCode_x64.exe at endpoint level.

Stay Ahead of the Threat Curve

Get daily security intelligence delivered with zero noise.

Explore KENSAI β†’

KENSAI Security Briefing β€” April 3, 2026
Compiled from Cisco Talos, BleepingComputer, The Hacker News, watchTowr Labs, Apple Security Updates, and PeckShield intelligence feeds.

Related Articles

CVE-2026-35393: Arbitrary File Write/Upload in Go Security Falsas alertas de VS Code en GitHub propagan malware, Grupo pro-iranΓ­ hackea cue VENON Rust-bankmalware treft BraziliΓ«