Infra vulnerabilities
The Infra slice of Stateward's threat feed: 31 curated incidents and attack techniques, each explaining how it happened and how to avoid it in your own code.
31 Infra entries · 31 curated · part of 476 total advisories
- CRITICAL · Infra · K8S-INGRESSNIGHTMARE-2025 · Kubernetes · ingress-nginx (Ingress-NGINX Controller for Kubernetes)
IngressNightmare was a chain of five vulnerabilities in the Ingress-NGINX Controller for Kubernetes disclosed on 24 March 2025 by the Wiz Research team, the most severe being CVE-2025-1974 (CVSS 9.8), which enabled unauthenticated remote code execution from the pod network. Wiz estimated about 43% of cloud environments were vulnerable and identified over 6,500 publicly exposed clusters, including Fortune 500 organizations. The controller's validating admission webhook ran as an unauthenticated HTTP endpoint reachable by any workload on the pod network, accepting attacker-supplied AdmissionReview requests containing crafted Ingress objects. The supporting CVEs (CVE-2025-24514 auth-url, CVE-2025-1097 auth-tls-match-cn, CVE-2025-1098 mirror UID, CVE-2025-24513 path bypass) injected unsanitized NGINX configuration directives via annotations into a temporary config the controller validated with nginx -t. The attacker uploaded a shared-library payload by abusing NGINX client-body buffering (an oversized Content-Length keeps the request file descriptor open in ProcFS) and then used the injected ssl_engine directive to load that library during validation, achieving code execution in the controller pod whose service account could read all cluster secrets across namespaces, enabling full cluster takeover.
- HIGH · Infra · ransomware · CLOUD-ENVFILE-EXTORTION-2024 · Cloud · AWS · Exposed web servers / AWS IAM
On August 15, 2024, Palo Alto Networks Unit 42 detailed a large-scale extortion campaign that compromised cloud environments by harvesting exposed environment variable files. Attackers scanned at least 110,000 domains and collected over 90,000 unique variables, including roughly 7,000 cloud service credentials and 1,515 social media credentials, with their infrastructure probing around 230 million targets. The vector was a web server misconfiguration: .env files inside the web root were served as plaintext over HTTP because the servers had no rule denying access to dotfiles, exposing the long-lived AWS IAM access keys hardcoded inside. The initial IAM principals lacked full admin but retained permission to create roles and users, so attackers called CreateRole and attached AdministratorAccess to escalate, then spun up Lambda functions across regions to automate further internet-wide scanning. They used the victims' own AWS accounts to exfiltrate and delete S3 objects, then uploaded ransom notes demanding payment. The failure chain combined exposed dotfiles, long-lived hardcoded credentials, and over-permissioned IAM, not any cloud-provider flaw.
- CRITICAL · Infra · CLOUD-BUCKET-MONOPOLY-2024 · Cloud · AWS · AWS S3 bucket-name takeover
In research disclosed to AWS on February 16, 2024 and presented at Black Hat USA and DEF CON 32 in August 2024, Aqua Security's Nautilus team described a class of S3 bucket-name takeover attacks they called Bucket Monopoly, affecting CloudFormation, Glue, EMR, SageMaker, Service Catalog, and CodeStar. These services auto-created S3 buckets with predictable names built from static prefixes plus the account ID and region, such as cf-templates-{hash}-{region}, aws-glue-assets-{account-id}-{region}, and sagemaker-{region}-{account-id}, where account IDs are discoverable from ARNs, access keys, and public repos. Because S3 bucket names are globally unique, an attacker could pre-create a victim's predictably named bucket in a region the victim had not yet used (a Shadow Resource); when the victim later enabled the service in that region, it read attacker-controlled content from that bucket. This enabled data tampering, information disclosure, remote code execution by injecting malicious Glue or CloudFormation content, and in some cases full account takeover via planted admin roles; AWS remediated by adding randomized suffixes to bucket names and enforcing aws:ResourceAccount conditions. The class also covers reuse of abandoned or dangling bucket names that a victim configuration still references.
- HIGH · Infra · CVE-2024-6387 · OpenSSH · OpenSSH sshd
A signal-handler race condition in OpenSSH's server (sshd) on glibc-based Linux. If a client fails to authenticate within the LoginGraceTime window, the SIGALRM handler calls async-signal-unsafe functions, which an attacker can interrupt at a precise moment to corrupt the heap and achieve unauthenticated remote code execution as root. It is a regression of the 2006 CVE-2006-5051, reintroduced in OpenSSH 8.5p1. Exploitation is non-trivial, requiring thousands of race attempts, but Qualys reported roughly 4.8 million internet-exposed instances as potentially affected.
- CRITICAL · Infra · exploited · CONTAINER-EXPOSED-DOCKER-API · Container · Docker Engine remote API / daemon (ports 2375/2376)
Exposed Docker API is a recurring misconfiguration class in which the Docker remote API (default TCP 2375 plaintext, 2376 TLS) is published to untrusted networks without TLS or authentication, granting anyone who reaches it full control of the daemon. Because dockerd runs as root and the unauthenticated API permits arbitrary container creation, an attacker can launch a privileged container that bind-mounts the host root filesystem and then chroots into it to escape to the host. The Commando Cat campaign, reported in 2024 by Cado Security and analyzed by Trend Micro (advisory dated 13 June 2024), abused exactly this exposure: it deployed a benign image (cmd.cat/chattr) generated by the open-source Commando project, then used chroot and volume binding of the host's root directory into the container to break out and run host-level payloads. The delivered payloads installed cryptocurrency miners, registered persistence and a stealthy backdoor (including DropBear SSH on TCP 3022), and exfiltrated host and cloud-service-provider credentials. Shell-script and command-and-control infrastructure overlapped with the TeamTNT cryptojacking group.
- HIGH · Infra · CONTAINER-LEAKY-VESSELS-2024 · Container · runc (OCI container runtime)
Leaky Vessels was a set of container-escape vulnerabilities disclosed on 31 January 2024 by Rory McNamara of Snyk Security Labs, the headline flaw being CVE-2024-21626 (CVSS 8.6, runc 1.1.11 and earlier). It was an order-of-operations file-descriptor leak in runc's handling of the process working directory (WORKDIR / process.cwd). During container setup runc left an internal file descriptor referencing the host filesystem namespace open before all privileged descriptors were closed, so a malicious image or a build using a malicious Dockerfile or upstream FROM could set the working directory to that leaked descriptor via a path like /proc/self/fd/7. Because chdir occurred before the descriptor was closed, the container process gained a working directory in the host filesystem and could read and write host files, breaking container isolation and escaping to the underlying host. Related Docker BuildKit issues were disclosed alongside it: CVE-2024-23651 (mount cache race), CVE-2024-23652 (build-time arbitrary delete), and CVE-2024-23653 (GRPC SecurityMode privilege check bypass). The flaw was fixed in runc 1.1.12.
- HIGH · Infra · CLOUD-IAC-TFSTATE-EXPOSURE · Cloud · IaC · Terraform state file (terraform.tfstate)
Exposed Terraform state is an Infrastructure-as-Code hygiene failure class in which the terraform.tfstate file leaks credentials because Terraform records every managed resource attribute, including secrets, in cleartext JSON by default. HashiCorp documents that Terraform stores state in a plaintext file that includes any secret values defined in the configuration, so database passwords, IAM access keys, TLS private keys, and API tokens are written verbatim into state. The exposure paths are concrete and repeatedly observed: state committed to a public or private git repository without a .gitignore rule, state left in a world-readable or misconfigured S3 bucket, state captured in CI/CD logs, or state held in a remote backend that lacks encryption at rest and access controls. Numerous terraform.tfstate files have been found in public GitHub repositories and open S3 buckets, and because the file is effectively a master key to the infrastructure, an attacker who reads it obtains working credentials and bypasses the perimeter entirely without exploiting any vulnerability.
- CRITICAL · Infra · exploited · ransomware · CVE-2023-4966 · Citrix NetScaler · Citrix NetScaler ADC and NetScaler Gateway
A sensitive-information-disclosure flaw (memory buffer over-read) in NetScaler ADC and Gateway when configured as a Gateway or AAA virtual server. A specially crafted request leaks memory contents including valid session tokens, letting an unauthenticated attacker hijack authenticated sessions and bypass passwords and MFA. Mandiant confirmed zero-day exploitation since late August 2023, about six weeks before the patch, followed by mass exploitation. LockBit 3.0 ransomware affiliates and multiple nation-state groups used it for initial access. NVD scores it 7.5 High while Citrix rates it 9.4 Critical.
- CRITICAL · Infra · exploited · ransomware · CVE-2023-34362 · Progress MOVEit · Progress MOVEit Transfer
An unauthenticated SQL injection flaw in the MOVEit Transfer managed file transfer web application that lets an attacker access and manipulate the backend database. The Cl0p ransomware gang exploited it as a zero-day starting May 27, 2023, chaining it to deploy a LEMURLOOT web shell and exfiltrate stored files at scale. It became one of the largest mass data-theft events on record, with roughly 2,700 organizations and more than 84 million individuals affected, including Zellis, Siemens Energy, Schneider Electric, and numerous government entities.
- HIGH · Infra · CLOUD-CLOUDSQL-PRIVESC-2023 · Cloud · GCP · Google Cloud SQL for SQL Server
On 24 May 2023 Dig Security disclosed a privilege-escalation chain in Google Cloud SQL for SQL Server, originally reported to Google in February 2023, that let an attacker escalate from a limited database role to full system administrator and reach the host operating system. The chain first abused a gap in GCP's security hardening to add the attacker's user to DbRootRole, an elevated GCP admin role that nonetheless lacked full SQL Server permissions, then exploited a further misconfiguration in the role permission architecture to grant the SQL Server sysadmin role and obtain complete control of the database engine. With sysadmin rights the researchers reached the underlying container and host OS, letting them list privileged paths, read sensitive files and extract secrets, including internal GCP data and credentials related to the managed service. This was a provider-side flaw under shared responsibility that customers could not patch; Google remediated it in April 2023 and it was found and reported by researchers with no evidence of exploitation in the wild.
- MEDIUM · Infra · CLOUD-TOYOTA-2023 · Cloud · Toyota Connected Corporation (cloud database)
On May 12, 2023, Toyota disclosed that a cloud environment managed by its Toyota Connected subsidiary had exposed data on roughly 2.15 million customers, essentially the entire Japanese user base of its T-Connect, G-Link, G-Link Lite, and G-BOOK connected services registered since November 2013. The data was exposed from November 6, 2013 to April 17, 2023, nearly a decade, and included in-vehicle GPS terminal IDs, vehicle chassis numbers, location history with timestamps, and a subset of drive-recorder video footage, but not names, credit cards, or other directly identifying personal data. The root cause was a cloud database misconfigured to be publicly accessible instead of private, attributed to human error during setup and allowing unauthenticated internet access. Toyota cited a lack of active detection mechanisms and insufficient enforcement of data-handling rules, which is why the misconfiguration persisted undetected for years. A follow-up disclosure on May 31, 2023 found additional misconfigured cloud services exposing around 260,000 more customers.
- HIGH · Infra · CLOUD-BLUEBLEED-2022 · Cloud · Azure · Microsoft Azure Blob Storage
On September 24, 2022 SOCRadar discovered a misconfigured Microsoft Azure Blob Storage endpoint that exposed roughly 2.4 TB of business data spanning 65,000+ entities across 111 countries, with files dated from 2017 to August 2022, though Microsoft disputed the entity count as exaggerated. The exposed data included customer names, email addresses, phone numbers, company names, and business transaction documents such as signed invoices, proof-of-execution and statement-of-work files, and product offers. The low-level misconfiguration was that the Blob Storage endpoint's access level was set to allow anonymous public access instead of requiring authentication, so the container and its blobs were readable over the internet without any credential. Microsoft's Security Response Center attributed it to an unintentional misconfiguration on an endpoint not in use and reconfigured it to require authentication, stating it found no indication that accounts or systems were compromised.
- HIGH · Infra · exploited · CVE-2022-30190 · Windows · Microsoft Windows Support Diagnostic Tool (MSDT)
A remote code execution flaw in the Microsoft Support Diagnostic Tool (MSDT) triggered when MSDT is invoked via the ms-msdt: URL protocol from a calling application such as Word. A malicious Office document, even via the preview pane or RTF without macros, loads a remote HTML payload that abuses MSDT to execute arbitrary code with the privileges of the calling application. It was actively exploited as a zero-day before patching and used to deliver malware in real-world phishing campaigns.
- CRITICAL · Infra · exploited · CVE-2022-22965 · Spring · Spring Framework (spring-beans)
A remote code execution flaw in the Spring Framework's data-binding mechanism. On JDK 9 and later, an unauthenticated attacker can manipulate request parameters to access the ClassLoader and write a malicious JSP web shell to disk, achieving RCE. Exploitation specifically targets Spring MVC and WebFlux applications deployed as WAR files on Apache Tomcat. It was mass-exploited within days of disclosure to deploy cryptocurrency miners and the Mirai botnet.
- CRITICAL · Infra · exploited · ransomware · CVE-2021-44228 · Apache · Apache Log4j 2 (log4j-core)
Apache Log4j 2 performs JNDI lookups on attacker-controllable log message content without restricting protocols. An attacker who gets a crafted string such as ${jndi:ldap://...} logged causes the server to fetch and execute arbitrary code from a remote LDAP/RMI server, yielding full unauthenticated remote code execution. Because logging user-supplied input is ubiquitous, it affected millions of Java applications and devices worldwide. Within hours of disclosure attackers mass-scanned the internet to drop coin miners, Cobalt Strike, and ransomware.
- CRITICAL · Infra · exploited · CLOUD-OMIGOD-2021 · Cloud · Azure · Azure Open Management Infrastructure (OMI)
On 14 September 2021 Wiz disclosed OMIGOD, a set of four flaws in Open Management Infrastructure (OMI), an agent that Azure silently auto-deploys onto many Linux VMs via services such as Log Analytics, Azure Automation, Azure Diagnostics and Defender for Cloud. The flagship bug, CVE-2021-38647 (CVSS 9.8), gave unauthenticated remote code execution as root, while CVE-2021-38645, CVE-2021-38648 and CVE-2021-38649 were local privilege escalations. The agent ran as root and could expose a management port (5985, 5986 or 1270); because the authorization code left the AuthInfo struct at its zero-initialized default of uid 0 and gid 0, a request that omitted the Authorization header was treated as an authenticated root request, so a single crafted packet yielded root code execution. This was a provider-side flaw under shared responsibility that most customers did not know was installed and could not patch themselves. Unlike the other provider-side flaws listed here, it was exploited in the wild within days, with attackers scanning for exposed agents and dropping Mirai botnet and cryptominer payloads.
- CRITICAL · Infra · CLOUD-AZURESCAPE-2021 · Cloud · Azure · Azure Container Instances (ACI)
On 9 September 2021 Palo Alto Unit 42 researcher Yuval Avrahami disclosed Azurescape, described as the first cross-account container takeover in a public cloud, in which a malicious container on Azure Container Instances could escape and gain control over other customers' containers running on the shared multitenant Kubernetes cluster. ACI ran an outdated container runtime, runC v1.0.0-rc2, which was vulnerable to CVE-2019-5736, letting the attacker break out of the container and execute code as root on the underlying Kubernetes node. From the node the researcher found the bridge pod, which serviced az container exec calls, sent a Kubernetes service-account token in the Authorization header to a Kubelet that also allowed anonymous access; decoding that token (related to CVE-2018-1002102) granted pods/exec rights across all namespaces and control of the api-server, and thus the whole multitenant cluster. This was a provider-side flaw under shared responsibility that customers could not patch; Unit 42 found it and reported it with no knowledge of exploitation in the wild.
- CRITICAL · Infra · CLOUD-CHAOSDB-2021 · Cloud · Azure · Azure Cosmos DB
On 25 August 2021 Wiz researchers Nir Ohfeld and Sagi Tzadik disclosed ChaosDB, a cross-tenant flaw in Azure Cosmos DB that let any customer retrieve the primary access keys, certificates and connection details of several thousand other customers' database accounts, enabling full cross-tenant read, write and delete. The chain abused the Cosmos DB built-in Jupyter Notebook feature, which had been enabled by default since February 2021. A notebook ran attacker C# code as root while Python ran unprivileged, giving container root, after which the attacker removed iptables rules to reach the WireServer (168.63.129.16) and Instance Metadata endpoints. Querying WireServer yielded roughly two dozen Microsoft certificates, including private keys for internal Cosmos DB and notebook services, which were used to authenticate to internal Service Fabric clusters, enumerate every customer's Cosmos DB instance and decrypt their stored COSMOSDB_ACCOUNT_KEY and notebook auth tokens. This was a provider-side flaw under shared responsibility that customers could not patch; it was found and reported by researchers with no evidence of exploitation in the wild.
- HIGH · Infra · CLOUD-POWERAPPS-2021 · Cloud · Azure · Microsoft Power Apps portals
On August 23, 2021, UpGuard disclosed that misconfigured Microsoft Power Apps portals exposed roughly 38 million records across 47 organizations, including American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the State of Indiana, New York City agencies, and Microsoft itself. Exposed data included names, email addresses, phone numbers, social security numbers, and COVID-19 contact tracing and vaccination appointment information. Power Apps portals surface list data through OData list feeds reachable at predictable URLs, and access to those feeds is gated by Table Permissions, but Table Permissions were disabled by default on every list. Because security was opt-in, any portal where a developer enabled an OData feed without explicitly configuring and enabling Table Permissions returned its records to any unauthenticated visitor querying the OData endpoint. This is an insecure-default access-control misconfiguration where the platform defaulted to anonymous read rather than deny.
- HIGH · Infra · exploited · ransomware · CVE-2021-34527 · Windows · Windows Print Spooler
A remote code execution flaw in the Windows Print Spooler service allows an authenticated domain user to load a malicious printer driver DLL and execute code as SYSTEM, both locally and remotely. A working proof-of-concept was accidentally published before a patch existed, so Microsoft assigned a new identifier and shipped out-of-band fixes. Because nearly every Windows host, including domain controllers, runs the spooler, it gave attackers a near-universal lateral-movement and privilege-escalation primitive. It was exploited in ransomware intrusions by Vice Society, Conti, and Magniber.
- CRITICAL · Infra · exploited · ransomware · CVE-2021-26855 · Microsoft Exchange · Microsoft Exchange Server
A server-side request forgery flaw in on-premises Exchange Server lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server itself. It was the entry point in the ProxyLogon exploit chain, combined with CVE-2021-27065 for post-authentication RCE, enabling full unauthenticated remote code execution. Microsoft attributed initial zero-day exploitation to the China state-sponsored group HAFNIUM, but after the patch dropped at least ten threat groups mass-compromised servers. Microsoft reported roughly 400,000 vulnerable servers on March 1, 2021, and tens of thousands of organizations were breached.
- HIGH · Infra · CLOUD-KUBELET-HILDEGARD-2021 · Kubernetes · Kubernetes kubelet API
On February 3, 2021, Palo Alto Networks Unit 42 reported Hildegard, the first known TeamTNT campaign targeting Kubernetes, detected in January 2021. The attackers gained initial access through a misconfigured kubelet: the kubelet read-write API on port 10250 was reachable and accepted anonymous, unauthenticated requests because it was configured with --anonymous-auth set to true and --authorization-mode set to AlwaysAllow, the insecure legacy defaults shipped by some self-managed clusters. Anyone who could reach port 10250 could call the kubelet run-command API to execute commands inside running pods with no credentials. The attackers used this to exec into pods, move laterally across containers, scan for more exposed kubelets, and harvest cloud access keys, SSH keys, Docker credentials, and service-account tokens from the environment. They then deployed the XMRig Monero miner for cryptojacking, using a tmate reverse shell and IRC for command and control and LD_PRELOAD injection to hide processes. The misconfiguration class is missing authentication caused by an insecure default on an internet-reachable management port.
- CRITICAL · Infra · INFRA-CAPITALONE-2019 · Cloud · AWS · AWS EC2 / S3 (misconfigured WAF and IAM role)
A misconfigured ModSecurity web application firewall on an AWS EC2 instance was abused via server-side request forgery to reach the EC2 Instance Metadata Service at 169.254.169.254 and retrieve the temporary IAM credentials of the WAF's role. Because that role was over-privileged, the attacker used the stolen credentials to exfiltrate data from Capital One's S3 buckets. Roughly 100 million US individuals and 6 million Canadians were exposed, including about 140,000 Social Security numbers and 80,000 linked bank account numbers. Attacker Paige Thompson, a former AWS engineer, was arrested July 29, 2019 and later convicted. The incident directly motivated AWS's release of IMDSv2.
- CRITICAL · Infra · CVE-2018-1002105 · Kubernetes · Kubernetes kube-apiserver
Incorrect handling of error responses to proxied upgrade requests in kube-apiserver lets a specially crafted request establish a connection to a backend server and then send arbitrary requests over that same connection directly to the backend, authenticated with the API server's own TLS credentials. This enables privilege escalation, including from an unauthenticated user via aggregated API servers and from a low-privileged user to cluster-admin-level access on backend kubelets. Impact spans all secrets, pods, environment variables, and running containers on affected nodes. It was the first major critical CVE in Kubernetes.
- CRITICAL · Infra · K8S-EXPOSED-ETCD · Kubernetes · etcd (Kubernetes control-plane key-value store, ports 2379/2380)
Exposed etcd is a misconfiguration class in which the etcd key-value store backing the Kubernetes API server is reachable on its client port (TCP 2379, with 2380 used for peer traffic) without client-certificate authentication. etcd is the single source of truth for a cluster and stores the entire cluster state, including all Secrets, service-account tokens, credentials, ConfigMaps, and RBAC rules, so reading it bypasses Kubernetes RBAC entirely and writing to it lets an attacker alter cluster state and take over the cluster. etcd shipped insecure by default: it had no authentication before version 2.1 (July 2015) and client-certificate authentication remained off by default for backward compatibility, and its authorization model is effectively all-or-nothing once access is granted. In March 2018, researcher Giovanni Collazo demonstrated the scale by querying Shodan and finding 2,284 etcd servers exposed to the internet without authentication; a short script then harvested roughly 750 MB of data including thousands of passwords, hundreds of AWS access keys, and private keys. The root cause is an etcd endpoint listening on a network-reachable interface without TLS client-certificate authentication enforced.
- HIGH · Infra · INFRA-TESLA-K8S-2018 · Kubernetes · Kubernetes admin console (Tesla AWS environment)
Tesla's Kubernetes administrative console was exposed to the internet without password protection, allowing attackers to access it and discover Tesla's AWS access credentials stored within. The attackers used the environment to run cryptomining software inside Tesla's AWS, employing evasion techniques such as hiding the mining pool behind CloudFlare, using a non-standard mining endpoint, and throttling CPU usage to avoid detection. It was discovered by the RedLock Cloud Security Intelligence team, later part of Palo Alto Networks Prisma Cloud, and Tesla remediated within hours stating no customer or vehicle data was compromised.
- HIGH · Infra · CLOUD-ACCENTURE-S3-2017 · Cloud · AWS · Accenture (Amazon S3)
On October 10, 2017, UpGuard publicly disclosed that Accenture had left four Amazon S3 buckets exposed, originally found by researcher Chris Vickery on September 17, 2017. The buckets were named acp-deployment, acpcollector, acp-software, and acp-ssl under the Accenture Cloud Platform prefix, with the largest holding 137GB. They were configured for public access, so anyone who entered or guessed the bucket URL could download the contents with no authentication, and because the S3 subdomain matched the bucket name the names were predictable. Exposed material included a master access key for Accenture's AWS KMS account stored in plaintext, internal Identity API credentials, nearly 40,000 plaintext passwords in a database backup, private signing and decryption keys, certificates, VPN keys, and Google and Azure credentials. The root cause was an S3 public-read misconfiguration: buckets that are private by default had been reconfigured to allow anonymous access, contradicting the secure default.
- HIGH · Infra · CLOUD-DEEPROOT-VOTERS-2017 · Cloud · AWS · Deep Root Analytics (Amazon S3)
On June 12, 2017 UpGuard analyst Chris Vickery discovered an Amazon S3 bucket owned by Republican data firm Deep Root Analytics that exposed about 1.1 TB of personal data and modeled political preferences on roughly 198 million American voters, and it was secured on June 14, 2017. The exposed records included names, dates of birth, home addresses, phone numbers, voter registration details, party affiliation, and modeled ethnicity and religion linked by 32-character RNC IDs, compiled with contractors TargetPoint and Data Trust. The low-level misconfiguration was that the bucket, reachable at the six-character Amazon subdomain dra-dw, had its access control set to public so anyone could list and download its objects without authentication; the firm said the data was exposed after a settings change on June 1, 2017. This is the canonical example of a large-scale public-read S3 bucket leaking sensitive PII to the open internet.
- CRITICAL · Infra · ransomware · INFRA-MONGODB-2017 · Database · MongoDB · MongoDB (internet-exposed instances)
Tens of thousands of MongoDB instances were left exposed to the internet with no authentication on the admin account, a known insecure default in older versions. Multiple attacker groups scanned the internet via Shodan, connected anonymously, exfiltrated or deleted the database contents, and left a ransom note demanding Bitcoin. By early January 2017 roughly 10,500 servers, about a quarter of all internet-facing MongoDB databases, were hit, and cumulative waves through 2017 ruined over 45,000 databases. Many victims who paid recovered nothing because competing crews overwrote each other's ransom notes and in many cases never copied the data.
- CRITICAL · Infra · exploited · CVE-2014-6271 · Linux · GNU Bash
GNU Bash mishandles trailing strings after function definitions stored in environment variables, executing them as commands when the variable is imported. Any service that passes attacker-controlled data into environment variables before invoking Bash, such as Apache CGI scripts, OpenSSH ForceCommand, or DHCP clients, can be tricked into running arbitrary commands remotely. Within hours of disclosure, botnets were mass-scanning and exploiting unpatched systems. The trivial exploitability and the ubiquity of Bash across Unix, Linux, and embedded devices made it one of the most severe vulnerabilities of its era.
- HIGH · Infra · exploited · CVE-2014-0160 · OpenSSL · OpenSSL (TLS/DTLS heartbeat extension)
A missing bounds check in OpenSSL's TLS/DTLS heartbeat extension lets a remote attacker request more data than they supplied, causing the server to return up to about 64KB of adjacent process memory per request. Repeated requests can leak private keys, session cookies, usernames, and passwords without leaving traces. It affected a large share of HTTPS servers on the internet at disclosure. The Community Health Systems breach, theft of roughly 4.5 million patient records in 2014, was attributed to Heartbleed exploitation of a vulnerable device.