Crying Out Cloud Newsletter - July 2025

Wiz Research uncovered a cryptojacking campaign exploiting misconfigured DevOps tools, along with major new vulns in SugarCRM, NetScaler, Sitecore, and Teleport. Plus: Langflow and Open WebUI are under active attack. Get the full scoop in this month’s Crying Out Cloud.

Cloud security is constantly evolving, and the Wiz Research team is dedicated to keeping you informed. The past month has seen significant vulnerabilities discovered, and there have been a few security incidents affecting cloud users.


We've compiled a shortlist of the most relevant developments. Here are our top picks!

🔍 Highlights

  

Cryptojacking Campaign Targets Misconfigured DevOps Tools

Wiz Threat Research identified a cryptojacking campaign, attributed to the threat actor JINX-0132, actively exploiting misconfigured and publicly exposed DevOps tools—including HashiCorp Nomad, HashiCorp Consul, Docker, and Gitea—to deploy XMRig-based Monero miners.


JINX-0132 targets exposed Nomad servers lacking ACL protections by submitting malicious jobs through the API, effectively gaining remote code execution. These jobs download and run the XMRig miner from public GitHub releases, bypassing traditional IOC-based detection. Gitea instances are compromised through a mix of outdated versions with known RCEs (e.g., CVE-2020-14144, unpatched 1.4.0 release), weak default settings, and insecure post-install configurations. In Docker environments, attackers exploit externally exposed Docker APIs (e.g., tcp://0.0.0.0:2375) to spin up containers running miners or escalate privileges by mounting host filesystems. Similarly, unprotected Consul instances are abused via the health check registration feature, which supports bash commands, enabling attackers to install and execute mining software remotely. The actor avoids traditional payload delivery infrastructure, making detection challenging and clustering of campaigns difficult.


Based on Wiz data, 25% of all cloud environments have at least one of the above-mentioned technologies, with HashiCorp Consul being the most popular, running in over 20% of environments. This statistic excludes Docker, which exists in 80% of cloud environments. Of those environments using these DevOps tools, 5% expose them directly to the Internet, and among those exposed deployments, 30% are misconfigured.
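The three exposure patterns above (Nomad without ACLs, Consul script checks reachable through its API, Docker serving its API on an unauthenticated TCP socket) are all visible in the daemon configuration before any attacker shows up. The audit below is an added example written for this newsletter, not Wiz tooling: it reads constructed Docker daemon.json, Consul and Nomad JSON configs and flags the weak settings beside their hardened counterparts. The config keys are the real ones (`hosts`, `tlsverify`, `enable_script_checks`, `enable_local_script_checks`, `acl.enabled`, `acl.default_policy`); the file paths and addresses are placeholders.

```python
"""Added example: audit DevOps daemon configs for the exposure patterns above.

Not Wiz code. Docker reads daemon.json; Consul and Nomad accept JSON config
files using the keys checked here. Every sample config below is constructed.
"""
import json

WILDCARD_BINDS = ("0.0.0.0", "[::]", "*")


def audit_docker(cfg: dict) -> list[str]:
    """Flag TCP API listeners that lack client-certificate verification."""
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// sockets are gated by filesystem permissions
        if not cfg.get("tlsverify"):
            # "tls": true alone encrypts the channel but does not authenticate callers
            findings.append(f"docker: {host} serves the API without tlsverify")
        if any(b in host for b in WILDCARD_BINDS):
            findings.append(f"docker: {host} binds every interface")
    return findings


def audit_consul(cfg: dict) -> list[str]:
    """Flag remotely registerable script checks and a missing or permissive ACL."""
    findings = []
    if cfg.get("enable_script_checks"):
        findings.append("consul: enable_script_checks lets any API caller register a "
                        "health check that runs a shell command; use "
                        "enable_local_script_checks instead")
    acl = cfg.get("acl", {})
    if not acl.get("enabled"):
        findings.append("consul: ACL system disabled")
    elif acl.get("default_policy", "allow") != "deny":
        findings.append("consul: acl.default_policy is not deny")
    return findings


def audit_nomad(cfg: dict) -> list[str]:
    """Flag a server whose job API accepts submissions without a token."""
    findings = []
    if not cfg.get("acl", {}).get("enabled"):
        findings.append("nomad: ACLs disabled; any client reaching the API can submit "
                        "a job, which is code execution on the cluster")
    return findings


def audit_all(docker: dict, consul: dict, nomad: dict) -> list[str]:
    return audit_docker(docker) + audit_consul(consul) + audit_nomad(nomad)


# Constructed weak configs modelled on the patterns in the campaign write-up.
WEAK_DOCKER = json.loads('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
WEAK_CONSUL = {"client_addr": "0.0.0.0", "enable_script_checks": True}
WEAK_NOMAD = {"bind_addr": "0.0.0.0", "server": {"enabled": True}}

# Hardened counterparts (placeholder certificate paths and address).
HARDENED_DOCKER = json.loads("""{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}""")
HARDENED_CONSUL = {"client_addr": "127.0.0.1", "enable_local_script_checks": True,
                   "acl": {"enabled": True, "default_policy": "deny"}}
HARDENED_NOMAD = {"bind_addr": "0.0.0.0", "server": {"enabled": True},
                  "acl": {"enabled": True}}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_DOCKER, WEAK_CONSUL, WEAK_NOMAD)),
                        ("hardened", (HARDENED_DOCKER, HARDENED_CONSUL, HARDENED_NOMAD))):
        print(f"[{label}]")
        for finding in audit_all(*args) or ["no findings"]:
            print("  -", finding)
```

Run it as a script to see the weak set produce five findings and the hardened set none. Pointing the three `audit_*` functions at real config files (after `json.load`) turns this into a quick fleet check; note that `tls: true` on its own is deliberately not accepted for Docker, because the daemon then still answers unauthenticated clients.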

Learn more in our blog ❯

  


🐞 High Profile Vulnerabilities

  

Critical RCE Vulnerability in SugarCRM

  

A critical PHP object injection vulnerability (CVE-2025-25034) has been identified in SugarCRM. It stems from improper sanitization of serialized PHP input in SugarRestSerialize.php, specifically the rest_data parameter, allowing unauthenticated attackers to execute arbitrary code.


According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2025-25034.

Learn more here ❯

  

CitrixBleed 2: Critical Vulnerabilities in NetScaler ADC

  

Two critical vulnerabilities (CVE-2025-5349 and CVE-2025-5777) have been disclosed in NetScaler ADC and NetScaler Gateway, enabling unauthorized access to sensitive resources and memory overreads in specific configurations. Customers are advised to update to the latest fixed versions.


According to Wiz data, 5% of cloud environments have resources vulnerable to CVE-2025-5349 and CVE-2025-5777.

Learn more here ❯

  

Pre-Auth RCE Vulnerability Chain in Sitecore Experience Platform

  

Researchers disclosed a critical pre-authentication remote code execution (RCE) chain affecting Sitecore Experience Platform (XP), stemming from weak authentication practices and insecure file upload handling. Exploiting a set of three vulnerabilities—CVE-2025-34509 (hardcoded credentials), CVE-2025-34510 (ZIP Slip via UploadPage2), and CVE-2025-34511 (PowerShell extension file upload)—an attacker can gain unauthenticated access and execute arbitrary code on affected instances.


According to Wiz data, less than 1% of cloud environments have resources vulnerable to these vulnerabilities.
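CVE-2025-34510 is described above as a ZIP Slip in the upload handler. The containment check that class of bug requires is shown below as an added example (not Sitecore code and not the researchers' proof of concept): every archive entry is resolved against the destination directory before anything is written, and entries that escape it are rejected. The archive is constructed in memory and the destination path is a placeholder.

```python
"""Added example: reject ZIP Slip entries before extraction.

Not Sitecore code. Builds a constructed archive in memory that mixes a normal
file with path-traversal entry names, then applies the containment check an
upload handler must run on every member before writing to disk.
"""
import io
import os
import tempfile
import zipfile


def unsafe_members(zf: zipfile.ZipFile, dest: str) -> list[str]:
    """Return entry names whose resolved target lies outside dest."""
    dest_real = os.path.realpath(dest)
    escaped = []
    for info in zf.infolist():
        # os.path.join discards dest when the entry name is absolute, and
        # realpath collapses ../ segments, so both tricks surface here.
        target = os.path.realpath(os.path.join(dest_real, info.filename))
        if os.path.commonpath([dest_real, target]) != dest_real:
            escaped.append(info.filename)
    return escaped


def scan(zip_bytes: bytes, dest: str) -> list[str]:
    """Convenience wrapper: list traversal entries in an in-memory archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return unsafe_members(zf, dest)


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only if every member stays under dest; raise otherwise."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = unsafe_members(zf, dest)
        if bad:
            raise ValueError(f"refusing archive with traversal entries: {bad}")
        zf.extractall(dest)
        return zf.namelist()


def build_sample_zip() -> bytes:
    """Constructed archive: one benign entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pages/index.html", "<h1>ok</h1>")
        zf.writestr("../../outside.txt", "escapes above the upload root")
        zf.writestr("pages/../../../../deeper.txt", "traversal hidden behind a normal prefix")
    return buf.getvalue()


def sample_dest() -> str:
    # Placeholder destination; nothing is created unless safe_extract succeeds.
    return os.path.join(tempfile.gettempdir(), "upload_root_example")


if __name__ == "__main__":
    print("rejected entries:", scan(build_sample_zip(), sample_dest()))
    try:
        safe_extract(build_sample_zip(), sample_dest())
    except ValueError as exc:
        print(exc)
```

The whole-archive check runs before the first write, so a malicious archive leaves no partial extraction behind; comparing `commonpath` against the real destination, rather than string-prefix matching, also avoids the classic mistake of accepting `/uploads-evil` as being inside `/uploads`.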

Learn more here ❯

  

Critical Remote Authentication Bypass Vulnerability in Teleport

  

A critical vulnerability in Teleport, CVE-2025-49825, allows remote attackers to bypass authentication under certain conditions. The flaw, currently under embargo until June 30, 2025, does not impact Teleport’s cloud infrastructure or CI/CD systems but requires immediate attention for self-managed deployments.


According to Wiz data, 7% of cloud environments have publicly exposed resources vulnerable to CVE-2025-49825.

Learn more here ❯

 


🔒 Security Incidents & Campaigns

  

Langflow Vulnerability Exploited to Deliver Flodrix Botnet

A critical Langflow vulnerability (CVE-2025-3248, CVSS 9.8) is being actively exploited by remote, unauthenticated attackers to deploy the Flodrix botnet. Attackers leverage the flaw to gain full system access, install downloader scripts, and launch Flodrix, a DDoS-capable botnet with persistence, anti-forensics, and process-termination features.

Learn more here ❯

  

Open WebUI Misconfiguration Exploited for Cryptojacking

  

Researchers discovered an active exploitation of a misconfigured Open WebUI instance—a self-hosted interface for large language models (LLMs)—that was exposed to the internet with administrator access enabled and no authentication. A threat actor leveraged this misconfiguration to upload and execute a malicious, AI-assisted Python script that deployed cryptominers, infostealers, and stealth tools across Linux and Windows systems.

Learn more here ❯

  

Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities

  

Earth Lamia, a suspected China-nexus APT group active since at least 2023, has expanded its cyber espionage campaigns across Brazil, India, and Southeast Asia. The group targets multiple industries — shifting from financial services to logistics, online retail, and currently IT, government, and academic institutions. Earth Lamia exploits vulnerable web applications for initial access, develops custom malware to evade detection, and leverages advanced lateral movement and data exfiltration techniques.

Learn more here ❯

  


🎧 Hold on to your headphones!

  

Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast, hosted by the talented duo Eden Naftali and Amitai Cohen.

  
Listen on Spotify and Apple Podcasts.