Crying Out Cloud Newsletter - April 2025

Welcome back! This edition dives into the latest in cloud security: RCE in Apache Tomcat, a quadruple GitHub supply chain attack, Kubernetes IngressNightmare, and stealthy PostgreSQL cryptojacking. Plus, high-profile exploits in VMware and Next.js. Tune in for key takeaways and expert insights.

Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in. 

Here are our top picks of cloud security highlights!

Hype or no hype - RCE Vulnerability in Apache Tomcat Exploited in-the-Wild


CVE-2025-24813 is a remote code execution (RCE) vulnerability affecting Apache Tomcat. Under specific conditions, an attacker can upload a malicious session file via a partial PUT request and trigger its execution, potentially leading to full server compromise. The exploit requires several preconditions to be met, including specific server configurations and the presence of a deserialization-vulnerable library. While active exploitation has reportedly been observed in the wild, we estimate that in practice the preconditions required for exploitation make this vulnerability less severe than initially thought, so patching it is not as urgent as other recent vulnerabilities.


Learn more here →  


🔍 Highlights

GitHub Action tj-actions/changed-files supply chain attack


The popular GitHub Action tj-actions/changed-files was compromised with a payload that attempts to exfiltrate secrets, impacting thousands of CI/CD pipelines. While GitHub has since blocked further exploitation, immediate remediation is still necessary to mitigate the risk of credential theft and CI pipeline compromise. Wiz Threat Research estimates with high confidence that the root cause of the tj-actions/changed-files compromise was itself a supply chain compromise, of reviewdog/action-setup.


Wiz Threat Research found that attackers modified the v1 tag of reviewdog/action-setup, which was then used by tj-actions/eslint-changed-files, likely leading to the compromise of a GitHub Personal Access Token (PAT) that enabled the attack on tj-actions/changed-files. Later research even showed that this was in fact a quadruple (!) supply chain attack, with the suspected goal of compromising Coinbase. The incident was assigned CVE-2025-30154 on March 19, 2025.
Learn more in our blog posts: 
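The attack above worked because the `v1` tag of reviewdog/action-setup was mutable and could be repointed. The following check, an added example that is not code from the newsletter or from either project, scans a workflow file for third-party actions referenced by tag or branch instead of a full commit SHA; the workflow text and the SHA in it are constructed for the example.

```javascript
// Added example: flag GitHub Actions `uses:` references that resolve through
// a mutable tag or branch rather than a full commit SHA. A tag such as `v1`
// can be moved to attacker-controlled code; a 40-hex SHA cannot.

// Constructed sample workflow, not a real repository's file. The SHA is a
// placeholder, not a real commit of tj-actions/changed-files.
const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo "not an action reference"
`;

// Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// references
// carry no @ref in this shape and therefore never match.
const USES_RE = /^\s*-?\s*uses:\s*["']?([\w.-]+\/[\w.-]+(?:\/[\w./-]+)?)@([^"'\s#]+)/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/;

// Returns one finding per third-party action whose ref is not a 40-hex SHA.
// Pinning to a SHA stops tag repointing; the pinned commit still has to be
// reviewed, since a SHA only guarantees immutability, not trustworthiness.
function findUnpinnedActions(workflowYaml) {
  const findings = [];
  workflowYaml.split('\n').forEach((line, idx) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    const [, action, ref] = m;
    if (!FULL_SHA_RE.test(ref)) {
      findings.push({ line: idx + 1, action, ref });
    }
  });
  return findings;
}

// Running it on the sample reports actions/checkout@v4 and
// reviewdog/action-setup@v1; the SHA-pinned step passes.
console.log(findUnpinnedActions(SAMPLE_WORKFLOW));
```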

IngressNightmare: RCE Vulnerabilities in Ingress NGINX Controller for Kubernetes


Wiz Research has uncovered a set of vulnerabilities—dubbed IngressNightmare—affecting the admission controller component of the Ingress NGINX Controller for Kubernetes (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-24513 and CVE-2025-1974). When chained together, exploitation of these vulnerabilities can lead to full takeover of the Kubernetes cluster, including unauthorized access to all Kubernetes secrets across namespaces. We recommend following the guidance in our blogpost to identify any vulnerable clusters in your environment, and updating to a patched version or implementing a workaround if any affected clusters are identified.


According to Wiz data, more than 48% of cloud environments have resources vulnerable to at least one of these vulnerabilities.


Learn more in our blog post here →  

CPU_HU: Fileless Cryptominer Targeting Exposed PostgreSQL
Wiz Threat Research identified a malicious campaign targeting misconfigured and publicly exposed PostgreSQL servers to deploy cryptominers. In observed attacks, the threat actor abused exposed PostgreSQL instances, configured with weak and guessable login credentials, to gain access and deploy stealthy malicious payloads. In order to evade detection by CWPP solutions that may rely solely on file hash reputation, the attacker takes measures such as deploying binaries with a unique hash per target and executing the miner payload filelessly, thereby minimizing forensic traces.


Learn more in our blog post here →  

🐞 High Profile Vulnerabilities

  

VMware ESXi Vulnerabilities Exploited in-the-Wild

On March 4, 2025, Broadcom disclosed three zero-day vulnerabilities affecting multiple VMware products, including ESXi, Workstation, and Fusion. These vulnerabilities — CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 — allow attackers with privileged access within a virtual machine (VM) to break out of the VM sandbox and potentially gain control over the hypervisor. All three vulnerabilities have been exploited in the wild, prompting their addition to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

According to Wiz data, less than 5% of cloud environments have resources vulnerable to any of these vulnerabilities.

Learn more here →

  

Critical Authentication Bypass Vulnerability in Next.js

A critical vulnerability, CVE-2025-29927, has been discovered in Next.js, one of the most widely adopted web frameworks. The flaw allows attackers to bypass authentication and other security mechanisms enforced via middleware by manipulating the x-middleware-subrequest header. It is recommended to upgrade to the patched versions as soon as possible, while prioritizing cases that have been validated as exploitable through unauthenticated scanning.

According to Wiz data, 54% of cloud environments have resources affected by this vulnerability.

Learn more here →
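Until the upgrade is rolled out, the header named above can be handled at the edge: an external client has no legitimate reason to send `x-middleware-subrequest`, so a proxy can drop it and record that it was seen. The following is an added example, not code from the newsletter or from Next.js; the header map shape, the log records and the header values are constructed.

```javascript
// Added example: edge-side handling of client-supplied
// `x-middleware-subrequest` while patched Next.js versions are rolled out.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// Takes an inbound header map (any key casing, as received at the proxy) and
// returns a copy with the internal header removed plus a flag for alerting.
function sanitizeInboundHeaders(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      stripped = true; // never forward the client-supplied copy upstream
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// Detection over access-log records: count requests that arrived carrying the
// header, grouped by source address. Records and values are constructed for
// this example; the header value is a placeholder, not a real payload.
const SAMPLE_LOG = [
  { src: '198.51.100.7', path: '/admin', headers: { 'X-Middleware-Subrequest': 'constructed-value' } },
  { src: '203.0.113.5', path: '/', headers: { 'User-Agent': 'Mozilla/5.0' } },
  { src: '198.51.100.7', path: '/api/users', headers: { 'x-middleware-subrequest': 'constructed-value' } },
];

// Any non-zero count is worth an alert: the header is only ever set by the
// framework itself, so an external request carrying it is a bypass attempt.
function countHeaderBySource(records) {
  const counts = {};
  for (const r of records) {
    if (sanitizeInboundHeaders(r.headers).stripped) {
      counts[r.src] = (counts[r.src] || 0) + 1;
    }
  }
  return counts;
}

console.log(countHeaderBySource(SAMPLE_LOG)); // one source with two hits
```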

  

🔒 Security incidents & campaigns

  

Malicious OAuth Apps Used in Campaign to Steal Credentials

Microsoft Threat Intelligence discovered that threat actors are actively deploying malicious Microsoft OAuth applications that impersonate Adobe Drive, Adobe Acrobat, and DocuSign to compromise Microsoft 365 accounts. These campaigns are highly targeted and leverage OAuth redirection mechanisms combined with brand impersonation techniques. Victims are tricked into granting seemingly low-risk permissions, allowing attackers to collect profile details and facilitate credential theft or malware distribution.

Learn more here →

  

Silk Typhoon Targeting IT and Cloud Applications


Microsoft Threat Intelligence has also identified an evolution in the tactics of Silk Typhoon, a Chinese state-sponsored espionage group, now increasingly focusing on compromising IT solutions, remote management tools, and cloud applications to gain initial access. By exploiting unpatched vulnerabilities in edge devices and abusing stolen credentials and API keys, Silk Typhoon infiltrates downstream customer environments, including cloud services. Their tradecraft involves exploiting zero-days, lateral movement from on-premises networks to cloud infrastructure, and abusing service principals and multi-tenant applications for data exfiltration.


Learn more here →

  

JavaGhost: Campaign Using Compromised AWS Infrastructure for Phishing

JavaGhost is a long-running threat group that compromises AWS infrastructure for use in phishing campaigns. The group uses exposed or compromised AWS credentials to gain initial access. Using these credentials, JavaGhost pivots to AWS console access by generating temporary credentials and a login URL. They then configure AWS SES and WorkMail as components of their phishing infrastructure. The group's TTPs demonstrate overlap with methods previously used by Scattered Spider. To date, JavaGhost has not been seen engaging in data theft or extortion.


Learn more here →

  

Oracle Cloud Potential Supply Chain Breach

On March 21, 2025, CloudSEK reported that a threat actor using the alias "rose87168" claimed to have exfiltrated over 6 million records from Oracle Cloud’s SSO and LDAP systems. According to CloudSEK’s assessment, the leaked data includes sensitive authentication materials such as JKS files, encrypted passwords, and key files. The actor is reportedly offering the data for sale and urging affected organizations to pay for its removal, and they have also provided proof that they were able to compromise certain servers operated by Oracle. These claims, if verified, could implicate over 140,000 Oracle Cloud tenants, but at the time of writing, Oracle has denied any breach, claiming that the published credentials are not for Oracle Cloud. As a precautionary measure, we recommend that Oracle Cloud customers rotate all SSO and LDAP credentials.

Learn more here →

🎧 Hold on to your headphones!


Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast, hosted by the talented duo Eden Naftali and Amitai Cohen. Listen on Spotify and Apple Podcasts.