惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
Simon Willison's Weblog
Simon Willison's Weblog
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
Engineering at Meta
Engineering at Meta
F
Fortinet All Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
About on SuperTechFans
Last Week in AI
Last Week in AI
月光博客
月光博客
有赞技术团队
有赞技术团队
P
Proofpoint News Feed
MyScale Blog
MyScale Blog
Martin Fowler
Martin Fowler
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
Check Point Blog
U
Unit 42
The Register - Security
The Register - Security
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hugging Face - Blog
Hugging Face - Blog
阮一峰的网络日志
阮一峰的网络日志
V
Visual Studio Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
D
DataBreaches.Net
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
H
Hacker News: Front Page
Recent Announcements
Recent Announcements
C
CXSECURITY Database RSS Feed - CXSecurity.com
Latest news
Latest news
小众软件
小众软件
P
Palo Alto Networks Blog
PCI Perspectives
PCI Perspectives
Security Latest
Security Latest
S
Secure Thoughts
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
M
MIT News - Artificial intelligence
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google DeepMind News
Google DeepMind News
Recorded Future
Recorded Future
O
OpenAI News
S
Securelist
云风的 BLOG
云风的 BLOG
H
Help Net Security
T
Troy Hunt's Blog

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
Top 7 Cloud Security Vulnerabilities
2025-12-04 · via Aikido Security's Blog

In cloud environments, every service, integration and configuration choice can introduce its own set of risks. As cloud adoption increases, so does the attack surface. 

In this post, we will highlight seven cloud security vulnerabilities that teams face today. We’ll break down how each one works, the impact, and what you can do to mitigate or prevent it entirely.

Top 7 cloud security vulnerabilities at a glance:

  • IMDS Vulnerability 
  • Kubernetes Vulnerabilities
  • Weak Network Segmentation
  • FluentBit Vulnerabilities 
  • Container image vulnerabilities
  • Misconfigured firewalls
  • Misconfigured serverless Functions 

Cloud security vulnerabilities are weaknesses or misconfigurations in your cloud environment that attackers can exploit to compromise the underlying infrastructure your applications run on or any other part of your cloud setup.

Cloud security evolved as a response to the shift from on-premise deployments to cloud-native environments. In the past, every company had its own unique deployment pattern, which meant not all attack vectors applied to everyone. That’s no longer the case.

The cloud creates a level playing field. Teams use similar services, similar defaults, and similar deployment patterns. This means many organizations end up making the same mistakes. For example, companies frequently leak sensitive information through misconfigured object storage, and attackers have learned to spot this across multiple targets. 

Understanding which services and configurations can become attack vectors starts with assessing your own infrastructure and how each component is exposed.

Common Reasons Cloud Security Vulnerabilities Happen

The following are a few reasons why we keep having recurring events of cloud security vulnerabilities: 

  • Developer Velocity: Teams are pushed to ship quickly, and speed often wins over security. Using the “latest” version of a container image or package is fast, but in a world of increasing supply chain attacks, “latest” can easily be an infected or compromised version.
  • Lack of Guardrails: Moving fast shouldn’t create security gaps, but without proper controls in place, teams unintentionally introduce risks into the environment.
  • Unintegrated Security Tools: Developers may have tools for image scanning or static analysis, but these tools are rarely part of a repeatable, automated workflow. This makes security inconsistent and easy to skip.
  • Unclear Ownership: Security is still treated as a checkbox or something a separate team handles. With blurred responsibilities and no clear understanding of what “good security” looks like especially around IAM, vulnerabilities slip through.

How Attackers Exploit Cloud Security Vulnerabilities

As you will see shortly attackers will often leverage a legitimate service to gain a foothold on your infrastructure, this could be through a public S3 bucket with write access or a public endpoint and subsequently pivot by escalating privileges by abusing IAM roles or misconfigured resources.

For an attacker is to leverage resources least likely to arouse suspicions and use this to exfiltrate as much data as they can. We go into more detail in the sections below. 

The Top 7 Cloud Security Vulnerabilities

With an understanding of what cloud security vulnerabilities are, here are the top seven cloud security vulnerabilities:

1. IMDS Vulnerability 

Instance Metadata Service(IMDS)  is a service that runs on every cloud provider which provides a compute service that allows temporary credentials to be used by applications running on cloud compute. This enables services to securely access other cloud services without needing to hardcode credentials on the machine.

As you might expect, in recent times this has been abused. An example of such is CVE-2025-51591, which affected systems running Pandoc,a document conversion utility.

The attacker submitted crafted HTML documents containing <iframe> elements whose src attributes targeted the AWS IMDS endpoint at 169.254.169.254. The objective was to render and exfiltrate the content of sensitive paths, specifically /latest/meta-data/iam/info and /latest/meta-data/iam.

The vulnerability in panic has since been patched. However, the attack was neutralized by the mandatory use of IMDSv2, which invalidates stateless GET requests, such as those initiated by an <iframe>. If the application were running in an environment still dependent on the IMDSv1 protocol, this attack vector would likely have resulted in credential compromise.

While Pandoc is a specific exploitation of a legitimate service, it's important to be watchful of how your applications interact with the host,since Pandoc is a Linux utility that had to be installed on the instance, this highlights how even seemingly benign tools can become attack vectors when they interact with sensitive cloud services.

Severity: Medium → High

2. Kubernetes Vulnerabilities

Disclosed via the Kubernetes bug bounty program, CVE-2020-8559 is a vulnerability that abuses the default service account token to enable privilege escalation within Kubernetes clusters.

Successful exploitation of this vulnerability could lead to privilege escalation from a compromised node to cluster-level access. If multiple clusters share the same certificate authority trusted by the client and authentication credentials, an attacker could potentially redirect the client to another cluster, leading to a full cluster compromise.

If you have ever run Kubernetes in production, you would understand why this is an issue. Cluster upgrades are rarely as simple as clicking upgrade and calling it a day, when you have set processes in place, it is hard to break them. CVE-2020-8559 required users to upgrade the kube-apiserver to patched versions: v1.18.6, v1.17.9, or v1.16.13.

When a full cluster takeover occurs, it is not hard to see how compromised nodes can be abused in conjunction with IMDS to pivot further into your cloud environment, accessing credentials and lateral moving to other services. 

Severity: High → Critical

3. Weak Network Segmentation

Not every attack is sophisticated; sometimes failure to adhere to the basics is how many organizations end up in the news, and an example of such is segmenting your networks.

While network segmentation isn't cloud-specific, cloud complexity makes proper segmentation far harder and more impactful when done wrong. Cloud sprawl makes segmentation failures extremely common.

For small teams with one or two services on a few VMs, it might be overkill, but for more mature teams running multiple services across availability zones or even multi-cloud, having a flat structure where every service is on the same network with little to no security policies is a recipe for disaster.

The 2013 Target breach is a textbook example of what happens when networks aren't properly segmented. Attackers initially compromised a third-party HVAC vendor with access to Target's network, then moved laterally across the flat network architecture to reach the payment card systems, ultimately stealing 40 million credit card numbers and 70 million customer records. Proper network segmentation would have contained the data breach to the HVAC systems, preventing access to sensitive payment infrastructure, all while still meeting compliance requirements.

Leveraging Cloud Security Posture Management (CSPM) tools will enable you to quickly understand the layout of your cloud environment and figure out what portions of your network require a second look at your cloud architecture to prevent similar lateral movement attacks.  This all ties into the concept of zero-trust security as the new default for your cloud architecture, which can help in your compliance endeavours. 

Severity: Medium -> High

4. FluentBit Vulnerabilities

While this is a new set of vulnerabilities, Fluent Bit has been a core component of the cloud-native ecosystem for a long time, providing a lightweight agent for shipping cloud logs and metrics to remote backends. This is critical for microservices that require centralized logging or large-scale log backups.

In a series of vulnerabilities disclosed in early 2025, CVE-2025-12972, CVE-2025-12970, CVE-2025-12978, CVE-2025-12977, and CVE-2025-12969, attackers can exploit path traversal flaws, buffer overflows, tag spoofing, and authentication bypasses to execute arbitrary code, tamper with logs, and inject malicious telemetry. These vulnerabilities affect versions 4.1.x < 4.1.1 and 4.0.x < 4.0.12.

In the worst-case scenario, these flaws can lead to full cloud environment compromise, especially when Fluent Bit runs with elevated privileges or has access to sensitive credentials.

The authentication bypass (CVE-2025-12969) is particularly concerning for configurations using Security.Users without a Shared_Key, which can disable authentication entirely. This allows remote attackers to hide malicious activity or exfiltrate logs while operators believe their systems are secure.

CVE-2025-12972 is also critical because it allows full remote access due to unsanitized tag values being used to generate output filenames, enabling attackers to write files to disk.

Much like the SSH vulnerability, Fluent Bit is typically deployed across a fleet of instances in cloud environments. For this reason, it’s essential to leverage a tool that provides full visibility into your instances and helps prioritize which ones to patch first.

Severity: High ->Critical

5. Container Image Vulnerabilities

Container images could be an entire article, which we did, check that out here. Over the years, container images have seen mass adoption thanks to Docker and the broader cloud-native ecosystem. This popularity also makes them an attractive target for attackers, as seen with Fluent Bit, which was pulled 4.7 million times in a single week of November alone.

Container image vulnerabilities

A compromise or critical vulnerability, such as CVE-2025-12972, could spell disaster for many organizations.

Managing multiple container images at scale is challenging. Teams often rely on different versions of the same image, and not all security warnings are actionable. Container image monitoring is therefore a continuous process, not a one-off task. 

Here at Aikido we understand that keeping container images isn’t as simple as “just update.” Anyone who’s tried it in production understands how far from easy it is.  Simply bumping to the latest image can shatter your build, break runtime dependencies, and introduce subtle bugs that only appear in production. Which is why we have teamed up with folks at Root.io to bring you Autofix which gives you the ability to upgrade your base image in one click,

Severity: Medium -> High 

6. Misconfigured firewalls

In 2019, Capital One experienced a significant cloud security breach in history, affecting over 100 million customers. The attack was an expensive example of how a single misconfiguration can snowball into a full-scale data breach.

The threat actor exploited a Server-Side Request Forgery (SSRF) vulnerability in Capital One's Web Application Firewall (WAF) to access the AWS Instance Metadata Service. SSRF allows an attacker to bounce their web request to any IP of their choosing, and it's a well-known vulnerability 

The breach resulted in the exposure of personal information for approximately 100 million individuals in the United States and 6 million in Canada, including names, addresses, credit scores, and Social Security numbers.

What makes this particularly concerning is that the WAF, a security tool designed to protect applications, became the attack vector itself. Had the WAF been properly configured or IMDSv2 been enforced, the attack would have been significantly harder to execute. The take away here is even resources that are meant to infrastructure can be an attack vector if improperly configured. 

Severity: low -> medium

7. Misconfigured Serverless Functions

Serverless functions won the hearts of many developers because of its ease of deployment, wide language support and lack of servers to manage. This creates the illusion that serverless functions are secure by default. 

In reality serverless functions create a unique opportunity for attackers to exploit overly permissive Identity and access management roles and operate mostly undetected.

For example, an attacker could exploit a Lambda function with an overly permissive s3:* IAM policy to exfiltrate sensitive data from every S3 bucket in your account, all while the function appears to be performing its legitimate duties. 

Severity: low -> medium (depending on the serverless function’s IAM polices) 

How to Get Visibility of Cloud Security Vulnerabilities

Among modern cloud security platforms, Aikido security emerges as the most complete and developer-friendly option. It gives teams full visibility across their cloud from misconfigurations to vulnerable VMs, container images, Kubernetes workloads, and IaC all in a single unified view with zero noise or duplication.

Aikido cloud

Aikido combines agentless onboarding, VM scanning, CSPM, Kubernetes and container image scanning, IaC controls, and even AI Autofix for container images. Teams can start with cloud posture management and expand into code, container, or API security as they grow, without adopting multiple tools.

Whether you’re securing a lean environment or managing thousands of resources, Aikido helps you focus on the risks that matter most, reduce your attack surface quickly, and avoid tool sprawl entirely, all from one platform built for both security and engineering teams.

Conclusion 

Cloud security is not just about patching vulnerabilities, it’s about gaining complete visibility across your infrastructure, code, and dependencies, and acting on the risks that matter most.

With Aikido, teams can unify cloud monitoring, code scanning, and supply chain security into a single platform, prioritize threats based on real risk, and take proactive measures before attackers strike.

If you’re ready to take the next step in securing your cloud environment, get started for free and see how simple, developer-friendly, and effective cloud security can be!

FAQ

How do misconfigurations contribute to cloud security vulnerabilities and how can they be prevented?

Cloud misconfigurations like open storage buckets, excessive permissions, or faulty network settings can expose sensitive data or systems to attackers. Prevention involves regularly auditing cloud environments, enforcing the principle of least privilege, using automated configuration management tools, and continuously monitoring for deviations. Platforms like Aikido Security help detect misconfigurations across multi-cloud environments.

How do insider threats affect cloud security, and how can they be mitigated

Insider threats, whether malicious or accidental, can compromise cloud security by leaking data, creating backdoors, or misusing access privileges. Mitigation strategies include implementing strict access controls, monitoring user activity, enforcing multi-factor authentication, and educating employees about security best practices. Advanced platforms such as  Aikido Security can monitor unusual user behavior to alert teams to potential insider risks.

Which tools and technologies effectively detect and address top cloud security vulnerabilities?

Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP),Cloud-Native Application Protection Platforms (CNAPP) , vulnerability scanners, and automated compliance tools help detect and fix vulnerabilities. AI-driven solutions can trace complex attack paths and prioritize threats. Aikido Security integrates these capabilities, providing real-time AI-assisted detection and remediation across code, dependencies, and cloud resources.

What role do insecure APIs play in cloud security, and how can they be secured?

Insecure APIs can expose sensitive data, allow unauthorized access, or serve as entry points for attacks. Best practices include strict authentication and authorization, input validation, rate limiting, encryption, and continuous monitoring. Incorporating API security within a broader security platform, such as Aikido Security, ensures APIs are continuously analyzed for vulnerabilities and malicious activity.

Continue reading:
Top 9  Docker Container Security Vulnerabilities    
Top 10 Web Application Security Vulnerabilities Every Team  Should Know    
Top 9 Kubernetes Security Vulnerabilities and Misconfigurations    
Top Code Security Vulnerabilities Found in Modern  Applications    
Top 10 Python Security Vulnerabilities Developers Should Avoid    
Top JavaScript Security Vulnerabilities in Modern Web Apps    
Top 9 Software Supply Chain Security Vulnerabilities Explained