- Security researchers found nearly 2,000 publicly exposed, intentionally vulnerable training apps in cloud environments, with 60% hosted on customer-managed infrastructure.
- Approximately 20% of these exposed instances contained artifacts from active exploitation, including crypto-mining activity and webshells.
- The pattern affected major organizations, including Fortune 500 companies and cybersecurity vendors like Palo Alto, F5, and Cloudflare, creating a foothold for broader cloud access.
- Exploitation leveraged default credentials and known weaknesses, not advanced techniques, turning demo tools into significant security risks.
“Intentionally vulnerable training applications are widely used for security education, internal testing, and product demonstrations.” However, new research reveals these demo tools are often dangerously misconfigured in live cloud environments. A recent Pentera Labs research investigation identified a recurring and risky deployment pattern across major cloud platforms. Consequently, applications like OWASP Juice Shop or DVWA were frequently found exposed to the public internet.
The research verified nearly 2,000 live, exposed instances, with close to 60% hosted on active customer infrastructure on AWS, Azure, or GCP. These apps were often connected to cloud identities with overly permissive roles. Meanwhile, attackers were not just probing these systems but actively compromising them. Evidence showed roughly 20% of instances contained malicious artifacts like crypto-mining software.
This exploitation provides attackers an initial foothold far beyond the vulnerable application itself. The scope of impact extended to environments associated with prominent Fortune 500 organizations and leading cybersecurity firms. Ultimately, labeling an environment as “training” does not reduce its risk when it’s publicly accessible. The underlying issue stems from excluding these temporary assets from standard security monitoring and lifecycle management.
The presence of active crypto-mining and persistence tooling demonstrates real-world abuse is already occurring at scale. For more details on the methodology and findings, refer to the full research blog or a related live webinar.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
