Today, Wiz (Woogle?) released an advisory detailing an attack chain they’ve dubbed IngressNightmare, which, if left exposed and unpatched, can be exploited to achieve remote code execution by unauthenticated attackers. The advisory, covering five separate vulnerabilities, was published after a brief embargo period, once the Kubernetes folks got their patches together. You can find a brief writeup and search queries for runZero at:
runZero
IngressNightmare: Find affected Ingress-NGINX controller instances
IngressNightmare is a set of four injection flaws linked by a fifth issue, forming an attack chain. Here’s how to find any impacted services usin...
 image
The researchers who found the Next.js middleware vulnerability (CVE-2025-29927) have released the full paper:
zhero_web_security
Next.js and the corrupt middleware: the authorizing artifact
CVE-2025-29927
 Notable is that the auth bypass requires the x-middleware-subrequest value to be one of these two forms: middleware:middleware:middleware:middleware:middleware OR src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
Next.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true` and causes the request to skip all middleware processing, including any authentication steps. Shodan reports over 300,000 services with the `X-Powered-By: Next.js` header alone. You can find links to the advisory and queries for runZero at:
runZero
Next.js vulnerability CVE-2025-29927: How to find affected assets
On March 22nd, Next.js disclosed an authentication bypass vulnerability. Here's how to find Next.js systems on your network.
The worst part of the Unciphered story isn't that accused-rapist Morgan Marquis-Boire was a co-founder and only his alias "Frank Davidson" was known to employees; it is that Eric Michaud co-founded the company with him and conspired to keep the team from knowing about it. Infosec has its pariahs for a reason (Cap'n Crunch, Jacob Applebaum, Morgan Marquis-Boire, and to a lesser degree Christopher Hadnagy): https://archive.ph/IQ7SK