Crying Out Cloud Newsletter - May 2025

Welcome back! This month’s cloud security roundup covers critical CVEs, including a CVSS 10.0 in Erlang/OTP, a deserialization bug in Apache Parquet, and active campaigns like Atlas Lion and CrushFTP exploits. Stay informed and secure with the latest updates from Wiz.

Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents affecting users. We bring you the latest cloud security highlights to help you stay informed and stay secure.

Here are our top picks of cloud security highlights!

Hype or no hype – Critical Vulnerability in Erlang/OTP SSH Implementation


CVE-2025-32433 is a critical vulnerability (CVSS 10.0) in the Erlang/Open Telecom Platform (OTP) SSH implementation that allows unauthenticated remote attackers to execute arbitrary code by exploiting flaws in how the SSH protocol sequence is handled. Specifically, the vulnerability stems from the improper enforcement of message ordering, enabling attackers to send malicious SSH protocol messages before authentication and gain code execution within the SSH daemon—potentially with root privileges. However, despite the severity of this flaw, its relevance to cloud environments is minimal. The vulnerability primarily affects systems that rely on Erlang/OTP’s built-in SSH library, which is more common in operational technology (OT), IoT, and edge devices than in mainstream cloud infrastructure. Public exposure appears negligible, with fewer than 50 affected hosts discovered through Shodan, suggesting that the risk to cloud workloads is extremely low.

According to Wiz data, less than 5% of cloud environments have resources vulnerable to CVE-2025-32433.



🐞 High Profile Vulnerabilities

Privilege Escalation Vulnerability in GCP Cloud Run

Researchers disclosed a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP), dubbed ImageRunner, that affected Cloud Run users. The vulnerability allowed attackers with limited IAM permissions to access and deploy private container images from Google Container Registry or Artifact Registry, potentially exposing sensitive data. Google has remediated the issue with a mandatory security update; no customer action is required.


Critical Deserialization Vulnerability in Apache Parquet

A critical vulnerability, CVE-2025-30065, has been identified in the parquet-avro module of Apache Parquet’s Java library and assigned a CVSS of 10.0. This flaw allows for deserialization of untrusted data, which could lead to remote code execution (RCE) if a specially crafted Parquet file is imported. While the CVSS rating is severe, it's important to emphasize: exploitation requires a malicious file to be processed, meaning most users are not at immediate risk unless they routinely handle untrusted data sources.

According to Wiz data, 28% of cloud environments have resources vulnerable to CVE-2025-30065.


Privilege Escalation Vulnerability in Google Cloud Composer

Researchers disclosed a now-patched privilege escalation vulnerability in Google Cloud Composer, dubbed ConfusedComposer. The flaw allowed any identity with the composer.environments.update permission to gain access to the highly privileged default Cloud Build service account—potentially leading to full project takeover in GCP environments. No customer action required.


Critical Commvault RCE Vulnerability

A critical RCE vulnerability has been identified in Commvault (CVE-2025-34028), allowing an unauthenticated attacker to upload a specially crafted compressed file which leads to code execution when decompressed by the target server. However, this vulnerability only affects a narrow version range of Commvault, thereby making exploitability less likely. Commvault customers using affected versions should patch urgently. Wiz is currently working on adding vulnerability detection; in the meantime customers can use the linked queries to identify publicly exposed instances of Commvault in their environment.

🔒 Security Incidents & Campaigns

Atlas Lion Campaign Exploits Device Enrollment and MFA for Persistence

Atlas Lion, a financially motivated cybercrime group operating from Morocco, has been observed executing a new attack technique: enrolling attacker-controlled virtual machines (VMs) into target organizations’ domains using compromised user credentials. The group leverages social engineering, MFA manipulation, and cloud infrastructure knowledge to impersonate legitimate devices and users—ultimately aiming to access and abuse internal processes related to gift card issuance.


Critical Ivanti Connect Secure Vulnerability Exploited in-the-Wild

Ivanti disclosed a critical vulnerability (CVE-2025-22457) affecting Ivanti Connect Secure (ICS) VPN appliances version 22.7R2.5 and earlier. The vulnerability is a stack-based buffer overflow that enables remote, unauthenticated attackers to achieve remote code execution. Active exploitation of this vulnerability has been observed in the wild, notably against ICS 9.X (end-of-life) and ICS 22.7R2.5.

According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2025-22457.


Critical SAP NetWeaver Vulnerability Exploited in-the-Wild

A zero-day vulnerability (CVE-2025-31324) in SAP Visual Composer is being actively exploited in the wild, allowing unauthenticated attackers to upload arbitrary files and fully compromise systems. The CVSS 10.0 vulnerability affects SAP NetWeaver systems with Visual Composer enabled, a component that is disabled by default. SAP released an emergency patch on April 24, 2025. Organizations using Visual Composer are urged to patch immediately. Wiz is currently working on adding detection for this vulnerability.


Critical Authentication Bypass Vulnerability in CrushFTP Exploited in-the-Wild

CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP's Managed File Transfer (MFT) software, allowing unauthenticated remote attackers to impersonate legitimate users and perform administrative actions. First exploited in the wild on March 30, 2025, the flaw enables full control over vulnerable servers and has been weaponized by threat actors to deploy persistent backdoors and remote access malware.

According to Wiz data, 1% of cloud environments have resources vulnerable to CVE-2025-31161.


Critical Craft CMS Vulnerabilities Exploited in-the-Wild

Two critical zero-day vulnerabilities in Craft CMS, CVE-2024-58136 (CVSS 9.0) and CVE-2025-32432 (CVSS 10.0), are being actively exploited in the wild to gain unauthorized access and execute arbitrary code on vulnerable servers. The campaign chains an alternate path flaw in the Yii PHP framework (CVE-2024-58136) with a remote code execution bug in Craft CMS’s image transformation feature (CVE-2025-32432). Craft CMS has released patches in versions 3.9.15, 4.14.15, and 5.6.17 to address these issues. Customers should patch exposed instances as soon as possible.


🎧 Hold on to your headphones!


Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast, hosted by the talented duo Eden Naftali and Amitai Cohen.
Listen on Spotify and Apple Podcasts.