Cisco Talos exposes UAT-10608's mass exploitation of CVE-2025-55182 (React2Shell) to steal credentials from 766 Next.js hosts using the NEXUS Listener framework. DeFi platform Drift Protocol hemorrhages $280 million after attackers seize Security Council multisig powers on Solana. Cisco ships emergency patches for IMC authentication bypass (CVE-2026-20093) and SSM command injection (CVE-2026-20160), both rated 9.8 CVSS. Progress ShareFile pre-auth RCE chain threatens 30,000 internet-exposed instances. Apple broadens iOS 18.7.7 rollout to block the DarkSword exploit kit.
A large-scale automated credential harvesting operation is actively exploiting the React2Shell vulnerability in Next.js App Router deployments. At least 766 hosts across multiple cloud providers have been compromised. Rotate all secrets on any affected host.
Cisco Talos has published a detailed report on UAT-10608, a threat cluster running an industrial-scale credential harvesting operation by exploiting CVE-2025-55182 β the critical React Server Components / Next.js App Router flaw known as React2Shell that enables remote code execution.
The attack is highly automated: the threat actor scans for publicly reachable Next.js deployments, probes them for the vulnerability, and deploys the NEXUS Listener collection framework β a multi-phase harvesting toolkit now in its third major version.
The exfiltrated data feeds into a password-protected web GUI called NEXUS Listener V3, offering the attacker searchable access to all compromised hosts, stolen credentials, and analytics. Talos obtained data from an unauthenticated NEXUS Listener instance, confirming the breadth of the stolen material.
The indiscriminate targeting pattern suggests UAT-10608 uses automated scanners (Shodan, Censys, or custom) to identify vulnerable Next.js deployments at internet scale. Organizations running Next.js with App Router should patch immediately and rotate all secrets β AWS keys, database credentials, SSH keys, and API tokens β on any host that may have been exposed.
$280M+ drained from Drift Protocol after an attacker hijacked Security Council multisig powers using pre-signed durable nonce transactions. Borrow/lend deposits, vault deposits, and trading funds are affected. Do not deposit funds.
The Drift Protocol, a leading DeFi trading platform on the Solana blockchain with 200,000 traders and $55 billion in total trading volume, lost at least $280 million in a meticulously planned heist that didn't exploit any smart contract vulnerability.
| Date | Action |
|---|---|
| March 23β30 | Attacker sets up durable nonce accounts, obtains 2/5 multisig approvals from Security Council members |
| April 1 (execution) | Legitimate transaction executed, immediately followed by pre-signed malicious transactions |
| Minutes later | Admin control transferred to attacker, malicious asset introduced, withdrawal limits removed |
| April 1 (drain) | $280M+ drained from protocol reserves |
The attacker leveraged durable nonce accounts β a Solana feature that allows pre-signed transactions to remain valid indefinitely β to prepare the heist days in advance. By obtaining the minimum 2-of-5 Security Council approvals and pre-signing malicious transactions, the attacker could execute the drain with surgical precision at a chosen moment.
This wasn't a smart contract bug or a flash loan attack β it was a governance-level compromise that exploited the trust model of multisig administration. Drift is working with security firms, exchanges, and law enforcement to trace and freeze the stolen funds. DSOL is unaffected and insurance fund assets are secured.
Both vulnerabilities allow unauthenticated remote attackers to gain admin/root access. No workarounds available β patching is the only mitigation.
A flaw in the Cisco Integrated Management Controller allows unauthenticated remote attackers to bypass authentication by sending crafted HTTP requests. Successful exploitation lets attackers alter passwords for any user, including Admins, and gain full system access.
| Affected Product | Fixed Version |
|---|---|
| 5000 Series ENCS | 4.15.5 |
| Catalyst 8300 Edge uCPE | 4.18.3 |
| UCS C-Series M5/M6 Rack Servers | 4.3(2.260007), 4.3(6.260017), 6.0(1.250174) |
| UCS E-Series M3 | 3.2.17 |
| UCS E-Series M6 | 4.15.3 |
An unintentional exposure of an internal service in Cisco Smart Software Manager On-Prem allows unauthenticated attackers to execute arbitrary commands with root-level privileges via crafted API requests. Fixed in SSM On-Prem version 9-202601.
While neither flaw has been exploited in the wild yet, recent Cisco vulnerabilities have been rapidly weaponized by threat actors. With no workarounds available, immediate patching is the only defense.
Two chained vulnerabilities enable unauthenticated remote code execution on Progress ShareFile Storage Zones Controller. Approximately 30,000 instances are internet-exposed.
Offensive security firm watchTowr has disclosed a devastating two-bug chain in Progress ShareFile Storage Zones Controller (SZC) β the on-premises component that gives enterprises control over their file storage:
File transfer solutions are prime targets for ransomware groups β the Clop gang has previously hit Accellion FTA, SolarWinds Serv-U, GoAnywhere MFT, MOVEit Transfer, Gladinet CentreStack, and Cleo. With ~30,000 SZC instances exposed on the internet (700 confirmed by ShadowServer), this vulnerability chain follows the same high-value pattern.
Patches have been available since March 10 in ShareFile 5.12.4. Organizations running ShareFile with on-premises storage zones should treat this as an emergency priority.
Apple has expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect against the DarkSword exploit kit β an iOS attack toolkit active since July 2025, targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine.
The expanded update now covers all iPhones from XR through iPhone 16e and a wide range of iPads. This is an unusual move for Apple β rather than requiring users to jump to iOS 26, the company is backporting critical security fixes to allow users to stay on iOS 18 while remaining protected.
Users with Automatic Updates enabled will receive the patch automatically. Those who haven't updated are urged to do so immediately.
ClaudeCode_x64.exe at endpoint level.Get daily security intelligence delivered with zero noise.
Explore KENSAI βKENSAI Security Briefing β April 3, 2026
Compiled from Cisco Talos, BleepingComputer, The Hacker News, watchTowr Labs, Apple Security Updates, and PeckShield intelligence feeds.