Anonymous Intelligence Signal

RCE via Umami Dependency (Next.js CVE-2025-66478) Leads to Root Server Compromise

ai The Network unverified 2026-03-05 10:42:44 Source: Unknown source

A critical vulnerability in Next.js (CVE-2025-66478) has been confirmed as the entry point for a root-level compromise of a server running the Umami analytics application. The report ties the exploit vector to Umami's dependency on an affected Next.js release and documents the attacker's post-exploitation activity for community awareness.

After gaining root, the attacker installed stealthy persistence through cron jobs, modified shell profiles (e.g., .bashrc), and an untracked binary named 'hash' dropped inside the local Umami project directory. The affected server was running Umami version 2.19.0 and was hosted on Hetzner. The owner rebuilt the server from scratch rather than attempting to clean it, which is the only reliable way to restore integrity once an attacker has held root. The report recommends that users on older Umami releases not only upgrade but also perform a deep integrity check for persistence artefacts (cron entries, shell profile changes, unexpected files in the project directory) if a past compromise is possible, since patching the dependency alone does not evict an attacker who is already persistent. This serves as a concrete alert that the Next.js vulnerability is being exploited in the wild through a downstream application that bundles the framework.
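A sweep for the three persistence artefacts the report names (cron entries, shell profile edits, a stray native binary in the project checkout), as an added example; it is not the report's or Umami's code. It assumes the cron directory, home directory, baseline profile copies and project path are passed in as parameters, and the sandbox it builds (the `opt/umami` layout, the `.sysupdate` cron file, the `next-swc` helper under `node_modules`) is constructed data that reproduces the artefacts so the checks can be run offline.

```shell
#!/bin/sh
# Persistence sweep for a Node/Next.js host, modelled on the three artefacts
# the report names: cron entries, edited shell profiles, and a stray native
# binary inside the project checkout. Added example, not the report's or
# Umami's code. Every path is a parameter so the same functions run against
# the constructed sandbox below or against a real host.

# Cron entries that fetch from the network, decode payloads, run from temp
# dirs, background themselves, or reference the project directory.
# Comment lines are dropped. Output: file:line:entry, one per line.
find_suspicious_cron() {
  cron_root="$1"; project_dir="$2"
  grep -rHnE "curl |wget |base64|/tmp/|/dev/shm|nohup|$project_dir" "$cron_root" 2>/dev/null \
    | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# Lines present in a user's shell profiles but absent from a known-good
# baseline copy (clean install or pre-incident backup). A profile with no
# baseline is reported so it gets read by hand rather than silently skipped.
profile_additions() {
  home="$1"; baseline="$2"
  for f in .bashrc .profile .bash_profile .bash_logout .zshrc; do
    [ -f "$home/$f" ] || continue
    if [ -f "$baseline/$f" ]; then
      diff "$baseline/$f" "$home/$f" | sed -n "s|^> |$f: |p"
    else
      echo "$f: no baseline copy, inspect manually"
    fi
  done
}

# Regular files under the project directory, outside node_modules and .git,
# whose first four bytes are the ELF magic (7f 45 4c 46). A JavaScript
# checkout has no reason to carry its own native executables there.
find_stray_elf() {
  find "$1" \( -path '*/node_modules' -o -path '*/.git' \) -prune -o -type f -print 2>/dev/null \
    | while IFS= read -r f; do
        magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "7f454c46" ]; then echo "$f"; fi
      done
}

# Throw-away sandbox reproducing the report's artefacts (constructed data,
# not taken from the compromised host): one benign and one malicious cron
# file, a .bashrc with an appended launcher, and a fake ELF named 'hash'
# beside a legitimate native helper under node_modules that must be ignored.
build_sandbox() {
  sb=$(mktemp -d)
  mkdir -p "$sb/etc/cron.d" "$sb/home" "$sb/baseline" \
           "$sb/opt/umami/scripts" "$sb/opt/umami/node_modules/.bin"
  printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$sb/etc/cron.d/logrotate"
  printf '# keep-alive\n*/5 * * * * root %s/opt/umami/hash >/dev/null 2>&1\n' "$sb" > "$sb/etc/cron.d/.sysupdate"
  printf 'export PATH=$HOME/bin:$PATH\nalias ll="ls -l"\n' > "$sb/baseline/.bashrc"
  cp "$sb/baseline/.bashrc" "$sb/home/.bashrc"
  printf '(nohup %s/opt/umami/hash >/dev/null 2>&1 &)\n' "$sb" >> "$sb/home/.bashrc"
  printf '{ "name": "umami", "version": "2.19.0" }\n' > "$sb/opt/umami/package.json"
  printf '#!/bin/sh\necho ok\n' > "$sb/opt/umami/scripts/start.sh"
  printf '\177ELF\002\001\001' > "$sb/opt/umami/hash"
  printf '\177ELF\002\001\001' > "$sb/opt/umami/node_modules/.bin/next-swc"
  echo "$sb"
}

# Run all three checks against one root (the sandbox layout here; on a real
# host pass the live paths to the individual functions instead).
run_sweep() {
  root="$1"
  echo "== cron =="; find_suspicious_cron "$root/etc/cron.d" "$root/opt/umami"
  echo "== shell profile additions =="; profile_additions "$root/home" "$root/baseline"
  echo "== native binaries in project dir =="; find_stray_elf "$root/opt/umami"
}

sandbox=$(build_sandbox)
run_sweep "$sandbox"
rm -rf "$sandbox"
```

On a live host, point `find_suspicious_cron` at /etc/cron.d, /etc/crontab and /var/spool/cron, `profile_additions` at each home directory with baselines taken from a clean install or a pre-incident backup, and `find_stray_elf` at the Umami checkout. Run the sweep from a known-good boot medium or a mounted disk image: after a root compromise the host's own grep, find and diff are not trustworthy. A sweep like this can only confirm that a host was touched; a clean result does not prove the absence of persistence, which is why the rebuild described above was the right call.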