In cloud environments, every service, integration and configuration choice can introduce its own set of risks. As cloud adoption increases, so does the attack surface.
In this post, we will highlight seven cloud security vulnerabilities that teams face today. We’ll break down how each one works, the impact, and what you can do to mitigate or prevent it entirely.
Top 7 cloud security vulnerabilities at a glance:
- IMDS Vulnerability
- Kubernetes Vulnerabilities
- Weak Network Segmentation
- FluentBit Vulnerabilities
- Container image vulnerabilities
- Misconfigured firewalls
- Misconfigured serverless Functions
What are Cloud Security Vulnerabilities?
Cloud security vulnerabilities are weaknesses or misconfigurations in your cloud environment that attackers can exploit to compromise the underlying infrastructure your applications run on or any other part of your cloud setup.
Cloud security evolved as a response to the shift from on-premise deployments to cloud-native environments. In the past, every company had its own unique deployment pattern, which meant not all attack vectors applied to everyone. That’s no longer the case.
The cloud creates a level playing field. Teams use similar services, similar defaults, and similar deployment patterns. This means many organizations end up making the same mistakes. For example, companies frequently leak sensitive information through misconfigured object storage, and attackers have learned to spot this across multiple targets.
Understanding which services and configurations can become attack vectors starts with assessing your own infrastructure and how each component is exposed.
Common Reasons Cloud Security Vulnerabilities Happen
The following are a few reasons why we keep having recurring events of cloud security vulnerabilities:
- Developer Velocity: Teams are pushed to ship quickly, and speed often wins over security. Using the “latest” version of a container image or package is fast, but in a world of increasing supply chain attacks, “latest” can easily be an infected or compromised version.
- Lack of Guardrails: Moving fast shouldn’t create security gaps, but without proper controls in place, teams unintentionally introduce risks into the environment.
- Unintegrated Security Tools: Developers may have tools for image scanning or static analysis, but these tools are rarely part of a repeatable, automated workflow. This makes security inconsistent and easy to skip.
- Unclear Ownership: Security is still treated as a checkbox or something a separate team handles. With blurred responsibilities and no clear understanding of what “good security” looks like especially around IAM, vulnerabilities slip through.
How Attackers Exploit Cloud Security Vulnerabilities
As you will see shortly attackers will often leverage a legitimate service to gain a foothold on your infrastructure, this could be through a public S3 bucket with write access or a public endpoint and subsequently pivot by escalating privileges by abusing IAM roles or misconfigured resources.
For an attacker is to leverage resources least likely to arouse suspicions and use this to exfiltrate as much data as they can. We go into more detail in the sections below.
The Top 7 Cloud Security Vulnerabilities
With an understanding of what cloud security vulnerabilities are, here are the top seven cloud security vulnerabilities:
1. IMDS Vulnerability
Instance Metadata Service(IMDS) is a service that runs on every cloud provider which provides a compute service that allows temporary credentials to be used by applications running on cloud compute. This enables services to securely access other cloud services without needing to hardcode credentials on the machine.
As you might expect, in recent times this has been abused. An example of such is CVE-2025-51591, which affected systems running Pandoc,a document conversion utility.
The attacker submitted crafted HTML documents containing <iframe> elements whose src attributes targeted the AWS IMDS endpoint at 169.254.169.254. The objective was to render and exfiltrate the content of sensitive paths, specifically /latest/meta-data/iam/info and /latest/meta-data/iam.
The vulnerability in panic has since been patched. However, the attack was neutralized by the mandatory use of IMDSv2, which invalidates stateless GET requests, such as those initiated by an <iframe>. If the application were running in an environment still dependent on the IMDSv1 protocol, this attack vector would likely have resulted in credential compromise.
While Pandoc is a specific exploitation of a legitimate service, it's important to be watchful of how your applications interact with the host,since Pandoc is a Linux utility that had to be installed on the instance, this highlights how even seemingly benign tools can become attack vectors when they interact with sensitive cloud services.
Severity: Medium → High
2. Kubernetes Vulnerabilities
Disclosed via the Kubernetes bug bounty program, CVE-2020-8559 is a vulnerability that abuses the default service account token to enable privilege escalation within Kubernetes clusters.
Successful exploitation of this vulnerability could lead to privilege escalation from a compromised node to cluster-level access. If multiple clusters share the same certificate authority trusted by the client and authentication credentials, an attacker could potentially redirect the client to another cluster, leading to a full cluster compromise.
If you have ever run Kubernetes in production, you would understand why this is an issue. Cluster upgrades are rarely as simple as clicking upgrade and calling it a day, when you have set processes in place, it is hard to break them. CVE-2020-8559 required users to upgrade the kube-apiserver to patched versions: v1.18.6, v1.17.9, or v1.16.13.
When a full cluster takeover occurs, it is not hard to see how compromised nodes can be abused in conjunction with IMDS to pivot further into your cloud environment, accessing credentials and lateral moving to other services.
Severity: High → Critical
3. Weak Network Segmentation
Not every attack is sophisticated; sometimes failure to adhere to the basics is how many organizations end up in the news, and an example of such is segmenting your networks.
While network segmentation isn't cloud-specific, cloud complexity makes proper segmentation far harder and more impactful when done wrong. Cloud sprawl makes segmentation failures extremely common.
For small teams with one or two services on a few VMs, it might be overkill, but for more mature teams running multiple services across availability zones or even multi-cloud, having a flat structure where every service is on the same network with little to no security policies is a recipe for disaster.
The 2013 Target breach is a textbook example of what happens when networks aren't properly segmented. Attackers initially compromised a third-party HVAC vendor with access to Target's network, then moved laterally across the flat network architecture to reach the payment card systems, ultimately stealing 40 million credit card numbers and 70 million customer records. Proper network segmentation would have contained the data breach to the HVAC systems, preventing access to sensitive payment infrastructure, all while still meeting compliance requirements.
Leveraging Cloud Security Posture Management (CSPM) tools will enable you to quickly understand the layout of your cloud environment and figure out what portions of your network require a second look at your cloud architecture to prevent similar lateral movement attacks. This all ties into the concept of zero-trust security as the new default for your cloud architecture, which can help in your compliance endeavours.
Severity: Medium -> High
4. FluentBit Vulnerabilities
While this is a new set of vulnerabilities, Fluent Bit has been a core component of the cloud-native ecosystem for a long time, providing a lightweight agent for shipping cloud logs and metrics to remote backends. This is critical for microservices that require centralized logging or large-scale log backups.
In a series of vulnerabilities disclosed in early 2025, CVE-2025-12972, CVE-2025-12970, CVE-2025-12978, CVE-2025-12977, and CVE-2025-12969, attackers can exploit path traversal flaws, buffer overflows, tag spoofing, and authentication bypasses to execute arbitrary code, tamper with logs, and inject malicious telemetry. These vulnerabilities affect versions 4.1.x < 4.1.1 and 4.0.x < 4.0.12.
In the worst-case scenario, these flaws can lead to full cloud environment compromise, especially when Fluent Bit runs with elevated privileges or has access to sensitive credentials.
The authentication bypass (CVE-2025-12969) is particularly concerning for configurations using Security.Users without a Shared_Key, which can disable authentication entirely. This allows remote attackers to hide malicious activity or exfiltrate logs while operators believe their systems are secure.
CVE-2025-12972 is also critical because it allows full remote access due to unsanitized tag values being used to generate output filenames, enabling attackers to write files to disk.
Much like the SSH vulnerability, Fluent Bit is typically deployed across a fleet of instances in cloud environments. For this reason, it’s essential to leverage a tool that provides full visibility into your instances and helps prioritize which ones to patch first.
Severity: High ->Critical
5. Container Image Vulnerabilities
Container images could be an entire article, which we did, check that out here. Over the years, container images have seen mass adoption thanks to Docker and the broader cloud-native ecosystem. This popularity also makes them an attractive target for attackers, as seen with Fluent Bit, which was pulled 4.7 million times in a single week of November alone.
A compromise or critical vulnerability, such as CVE-2025-12972, could spell disaster for many organizations.
Managing multiple container images at scale is challenging. Teams often rely on different versions of the same image, and not all security warnings are actionable. Container image monitoring is therefore a continuous process, not a one-off task.
Here at Aikido we understand that keeping container images isn’t as simple as “just update.” Anyone who’s tried it in production understands how far from easy it is. Simply bumping to the latest image can shatter your build, break runtime dependencies, and introduce subtle bugs that only appear in production. Which is why we have teamed up with folks at Root.io to bring you Autofix which gives you the ability to upgrade your base image in one click,
Severity: Medium -> High
6. Misconfigured firewalls
In 2019, Capital One experienced a significant cloud security breach in history, affecting over 100 million customers. The attack was an expensive example of how a single misconfiguration can snowball into a full-scale data breach.
The threat actor exploited a Server-Side Request Forgery (SSRF) vulnerability in Capital One's Web Application Firewall (WAF) to access the AWS Instance Metadata Service. SSRF allows an attacker to bounce their web request to any IP of their choosing, and it's a well-known vulnerability
The breach resulted in the exposure of personal information for approximately 100 million individuals in the United States and 6 million in Canada, including names, addresses, credit scores, and Social Security numbers.
What makes this particularly concerning is that the WAF, a security tool designed to protect applications, became the attack vector itself. Had the WAF been properly configured or IMDSv2 been enforced, the attack would have been significantly harder to execute. The take away here is even resources that are meant to infrastructure can be an attack vector if improperly configured.
Severity: low -> medium
7. Misconfigured Serverless Functions
Serverless functions won the hearts of many developers because of its ease of deployment, wide language support and lack of servers to manage. This creates the illusion that serverless functions are secure by default.
In reality serverless functions create a unique opportunity for attackers to exploit overly permissive Identity and access management roles and operate mostly undetected.
For example, an attacker could exploit a Lambda function with an overly permissive s3:* IAM policy to exfiltrate sensitive data from every S3 bucket in your account, all while the function appears to be performing its legitimate duties.
Severity: low -> medium (depending on the serverless function’s IAM polices)
How to Get Visibility of Cloud Security Vulnerabilities
Among modern cloud security platforms, Aikido security emerges as the most complete and developer-friendly option. It gives teams full visibility across their cloud from misconfigurations to vulnerable VMs, container images, Kubernetes workloads, and IaC all in a single unified view with zero noise or duplication.
Aikido combines agentless onboarding, VM scanning, CSPM, Kubernetes and container image scanning, IaC controls, and even AI Autofix for container images. Teams can start with cloud posture management and expand into code, container, or API security as they grow, without adopting multiple tools.
Whether you’re securing a lean environment or managing thousands of resources, Aikido helps you focus on the risks that matter most, reduce your attack surface quickly, and avoid tool sprawl entirely, all from one platform built for both security and engineering teams.
Conclusion
Cloud security is not just about patching vulnerabilities, it’s about gaining complete visibility across your infrastructure, code, and dependencies, and acting on the risks that matter most.
With Aikido, teams can unify cloud monitoring, code scanning, and supply chain security into a single platform, prioritize threats based on real risk, and take proactive measures before attackers strike.
If you’re ready to take the next step in securing your cloud environment, get started for free and see how simple, developer-friendly, and effective cloud security can be!
FAQ
How do misconfigurations contribute to cloud security vulnerabilities and how can they be prevented?
Cloud misconfigurations like open storage buckets, excessive permissions, or faulty network settings can expose sensitive data or systems to attackers. Prevention involves regularly auditing cloud environments, enforcing the principle of least privilege, using automated configuration management tools, and continuously monitoring for deviations. Platforms like Aikido Security help detect misconfigurations across multi-cloud environments.
How do insider threats affect cloud security, and how can they be mitigated
Insider threats, whether malicious or accidental, can compromise cloud security by leaking data, creating backdoors, or misusing access privileges. Mitigation strategies include implementing strict access controls, monitoring user activity, enforcing multi-factor authentication, and educating employees about security best practices. Advanced platforms such as Aikido Security can monitor unusual user behavior to alert teams to potential insider risks.
Which tools and technologies effectively detect and address top cloud security vulnerabilities?
Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP),Cloud-Native Application Protection Platforms (CNAPP) , vulnerability scanners, and automated compliance tools help detect and fix vulnerabilities. AI-driven solutions can trace complex attack paths and prioritize threats. Aikido Security integrates these capabilities, providing real-time AI-assisted detection and remediation across code, dependencies, and cloud resources.
What role do insecure APIs play in cloud security, and how can they be secured?
Insecure APIs can expose sensitive data, allow unauthorized access, or serve as entry points for attacks. Best practices include strict authentication and authorization, input validation, rate limiting, encryption, and continuous monitoring. Incorporating API security within a broader security platform, such as Aikido Security, ensures APIs are continuously analyzed for vulnerabilities and malicious activity.
You might also like:
Secure your software now
.avif)
