Are Training Apps a Backdoor to Your Cloud?

The very tools designed to teach cybersecurity best practices are now serving as an unlocked side door for malicious actors to infiltrate the cloud environments of the world’s largest companies. A recently published investigation has uncovered a deeply ironic and widespread security flaw in which deliberately vulnerable training applications, intended for educational purposes, are being left exposed on the public internet. This oversight transforms these learning aids into direct entry points, allowing attackers to breach the cloud infrastructure of major corporations, including the very cybersecurity firms that develop security products. The research highlights a critical, yet largely ignored, attack vector that turns a company’s own training assets into a welcome mat for comprehensive cloud compromise.

The Hidden Threat of Educational Tools

At the heart of this issue are applications often referred to as “damn vulnerable,” such as Hackazon and OWASP Juice Shop. These tools are intentionally engineered with security flaws to provide developers and security professionals with a safe, sandboxed environment to practice identifying and exploiting common vulnerabilities. Their purpose is purely educational, allowing for hands-on learning without exposing any real systems to risk. When used correctly, they are an invaluable resource for building a more security-conscious workforce.

The failure occurs when one of these sandboxes is deployed inside a real cloud account, exposed to the public internet, and given an identity that reaches the rest of that account. Instead of an isolated training ground, the app becomes an unauthenticated, deliberately exploitable entry point. Attackers know these applications and their documented vulnerabilities well and can use them to gain an initial foothold with almost no effort. The research shows this is not a theoretical risk but an active one, and that the foothold is frequently a privileged pathway into the sensitive cloud networks of global organizations.

An Accidental Discovery Exposes a Systemic Flaw

The investigation that uncovered this systemic problem originated from a single, almost accidental finding. During a routine cloud security posture assessment for a client, a researcher encountered an unfamiliar and seemingly broken web application. Upon closer inspection, it was identified as Hackazon, a well-known vulnerable training platform. The critical distinction, however, was its location: it was not running in an isolated test environment but was live on an Amazon Web Services (AWS) instance within the client’s production network.

Because the application's vulnerabilities are public knowledge, exploiting it was straightforward. The researcher used Hackazon's documented insecure file upload flaw to achieve remote code execution on the server. From that shell, the researcher queried the EC2 instance metadata service (IMDS) for the temporary credentials of the IAM role attached to the instance, which IMDS hands to any process on the host. The situation escalated dramatically when that role was found to carry the AdministratorAccess managed policy. In a matter of minutes, a seemingly harmless training app had yielded full administrative control over the client's entire AWS account, exposing all of its cloud resources to compromise.

This single incident was the catalyst for a much broader inquiry. The ease with which a complete cloud takeover was achieved raised a critical question: was this an isolated mistake, or did it represent a widespread, overlooked security flaw? The discovery prompted a dedicated research effort to scan the public internet and determine just how many other organizations were making the same critical error, effectively leaving a backdoor to their cloud infrastructure wide open.

Research Methodology, Findings, and Implications

Methodology

To gauge the extent of the problem, researchers employed open-source scanning tools to scour the public internet for well-known “damn vulnerable” applications. The search specifically targeted popular training platforms, including Hackazon, OWASP Juice Shop, Damn Vulnerable Web Application (DVWA), and Buggy Web Application (bWAPP). This initial, broad sweep identified more than 10,000 potential instances of these applications accessible online.

The extensive list of potential targets was then methodically filtered to isolate only active and verified applications. This process narrowed the dataset to 1,926 running instances on 1,626 unique servers. For the purposes of the study, the analysis focused specifically on the 974 applications that were deployed on the three largest cloud service providers: Amazon Web Services, Google Cloud, and Microsoft Azure. This focused approach allowed for a deeper investigation into how these misconfigurations directly impact corporate cloud security.

Findings

The investigation into the cloud-hosted applications yielded alarming results. Of the 974 training apps analyzed, 165 had a cloud identity role attached, meaning the provider's own credentials were reachable from the app's host and anyone who compromised the app inherited that identity's permissions. More disturbingly, 109 of those roles were over-permissioned, granting privileges well beyond what a training app could need and giving an attacker a clear path to move laterally and escalate within the victim's cloud environment.
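The over-permissioned roles described above, and the AdministratorAccess role in the Hackazon incident earlier, are the kind of thing an auditor can catch mechanically once the role's policy documents are in hand. The following is an added example, not the researchers' tooling: it triages IAM policy JSON (what `aws iam get-role-policy` or `aws iam get-policy-version` returns) for wildcard and privilege-escalation grants. The three policy documents are constructed sample input so it runs offline, and the escalation-action list and read-only heuristic are illustrative assumptions, not a complete analyzer.

```python
"""Triage the IAM policies attached to an instance role for over-permission.

Added example, not the researchers' tooling. Input is the policy JSON an
auditor gets from `aws iam get-role-policy` / `aws iam get-policy-version`;
three constructed sample documents stand in for that output so it runs offline.
"""
import fnmatch

# Actions that let a principal hand itself more access. Assumption: an
# illustrative subset, not a complete privilege-escalation catalogue.
ESCALATION_ACTIONS = (
    "iam:createpolicyversion", "iam:attachrolepolicy", "iam:putrolepolicy",
    "iam:passrole", "iam:createaccesskey", "sts:assumerole",
)
READ_ONLY_PREFIXES = ("get", "list", "describe")  # heuristic, not authoritative


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _is_read_only(pattern):
    name = pattern.split(":", 1)[1].lower() if ":" in pattern else "*"
    return name.startswith(READ_ONLY_PREFIXES)


def analyze_policy(name, doc):
    """Return one (policy, statement index, severity, reason) per risky Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        any_resource = "*" in _as_list(stmt.get("Resource"))
        if "NotAction" in stmt and any_resource:
            findings.append((name, idx, "CRITICAL",
                             "Allow with NotAction on Resource '*' grants everything not listed"))
        elif any(a in ("*", "*:*") for a in actions) and any_resource:
            findings.append((name, idx, "CRITICAL",
                             "Action '*' on Resource '*' (AdministratorAccess-equivalent)"))
        elif any(a.endswith(":*") for a in actions) and any_resource:
            services = sorted({a.split(":")[0] for a in actions if a.endswith(":*")})
            findings.append((name, idx, "HIGH",
                             "full-service wildcard on all resources: " + ", ".join(services)))
        elif any(_matches(p, esc) for p in actions for esc in ESCALATION_ACTIONS):
            findings.append((name, idx, "HIGH", "grants a privilege-escalation action"))
        elif any_resource and not all(_is_read_only(a) for a in actions):
            findings.append((name, idx, "MEDIUM", "write action on Resource '*'"))
    return findings


def audit(policies):
    """Run analyze_policy over a {name: document} mapping, in insertion order."""
    return [f for name, doc in policies.items() for f in analyze_policy(name, doc)]


# Constructed sample input: policies an exposed training app's instance role might carry.
SAMPLE_POLICIES = {
    "AdministratorAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "hackazon-inline": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
            {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        ],
    },
    "hackazon-least-privilege": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::hackazon-uploads/*"},
            {"Effect": "Allow", "Action": "logs:PutLogEvents",
             "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/hackazon:*"},
        ],
    },
}

if __name__ == "__main__":
    for policy, idx, severity, reason in audit(SAMPLE_POLICIES):
        print(f"{severity:8} {policy} statement[{idx}]: {reason}")
```

The third policy is what least privilege looks like for an upload-and-log training app: named actions on named ARNs, and the analyzer returns nothing for it. The rule order matters; a statement is reported once, at its worst severity, so `s3:*` on `Resource: "*"` is reported as a service-wide wildcard rather than also as a write action. Read-only detection by `Get`/`List`/`Describe` prefix is a heuristic: a real audit should also weigh `Condition` blocks and the account's resource policies.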

The victims of these misconfigurations were not small businesses with limited resources but rather global enterprises, including several Fortune 500 companies. Most ironically, some of the most prominent offenders were cybersecurity industry giants, such as Palo Alto Networks, F5, and Cloudflare. Further analysis also uncovered clear evidence of active exploitation. A review of the exposed DVWA servers revealed that 20% showed signs of a prior compromise, with the most common payload being the XMRig cryptominer, indicating that malicious actors are already capitalizing on this attack vector.
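The 20% of exposed DVWA hosts already running XMRig suggests a quick triage every responder should be able to do on such a box. The following is an added example, not part of the report: it scores a process listing for commodity-miner indicators. The listing is constructed to look like `ps -eo pid,user,pcpu,args --no-headers` output, the wallet string is synthetic, and the indicator set (miner binary names such as xmrig and kdevtmpfsi, XMRig's long options, stratum pool URLs, the 95-character Monero address shape) is an assumption drawn from common XMRig deployments rather than anything the page lists.

```python
"""Triage a process listing for XMRig-style cryptominer indicators.

Added example, not from the report. SAMPLE_PS is constructed to look like
`ps -eo pid,user,pcpu,args --no-headers` output from a compromised DVWA host.
"""
import re

# Indicator patterns. Assumptions: miner binaries seen in commodity campaigns,
# XMRig's documented long options, stratum pool URLs, and the Monero address
# format (95 base58 characters, leading '4'). Tune these for your environment.
MINER_BINARY = re.compile(r"(?:^|/)(xmrig|minerd|cpuminer|kdevtmpfsi|kinsing)(?:\s|$)", re.I)
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d+", re.I)
MONERO_ADDR = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")
MINER_FLAGS = re.compile(
    r"(?:^|\s)(--donate-level|--coin|--nicehash|--cpu-priority|--randomx-[\w-]+|--algo)\b"
)
HIGH_CPU = 80.0  # percent; corroborating signal only, never conclusive by itself


def score_process(args, pcpu):
    """Return (score, reasons) for one command line; higher means more miner-like."""
    reasons = []
    if MINER_BINARY.search(args):
        reasons.append(("known miner binary", 3))
    if POOL_URL.search(args):
        reasons.append(("stratum pool URL", 3))
    if MONERO_ADDR.search(args):
        reasons.append(("Monero wallet address", 2))
    flags = sorted({m.group(1) for m in MINER_FLAGS.finditer(args)})
    if flags:
        reasons.append(("XMRig-style options: " + " ".join(flags), 1))
    if pcpu >= HIGH_CPU:
        reasons.append((f"{pcpu:.0f}% CPU", 1))
    return sum(weight for _, weight in reasons), [reason for reason, _ in reasons]


def verdict(score):
    """Map a score to a triage label: one strong indicator is enough for 'miner'."""
    if score >= 3:
        return "miner"
    if score >= 1:
        return "suspicious"
    return "clean"


def triage(ps_output):
    """Parse `ps -eo pid,user,pcpu,args --no-headers` text; one record per process."""
    results = []
    for line in ps_output.strip().splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # malformed or header line; skip rather than crash mid-triage
        pid, user, pcpu, args = parts
        score, reasons = score_process(args, float(pcpu))
        results.append({"pid": int(pid), "user": user,
                        "verdict": verdict(score), "reasons": reasons})
    return results


# Constructed sample input. WALLET is synthetic, not a real address.
WALLET = "4" + ("AbCdEfGhJkMnPqRsTuVwXyZ23456789" * 4)[:94]
SAMPLE_PS = f"""
 1234 www-data 99.7 /tmp/.x/xmrig -o stratum+tcp://pool.example.net:3333 -u {WALLET} --donate-level 1
 2201 www-data 97.3 /var/tmp/kdevtmpfsi
 3310 www-data  0.4 /usr/sbin/apache2 -k start
  410 mysql     1.2 /usr/sbin/mysqld
 5120 www-data 95.0 php /var/www/html/vulnerabilities/exec/index.php
 6001 root     88.0 /usr/bin/python3 /opt/app/worker.py --coin monero -o stratum+ssl://pool.example.net:443
"""

if __name__ == "__main__":
    for proc in triage(SAMPLE_PS):
        print(f"{proc['pid']:>6} {proc['user']:<9} {proc['verdict']:<10} {'; '.join(proc['reasons'])}")
```

Two of the constructed lines are the cases that matter in practice. PID 6001 is a renamed miner: no `xmrig` in the path, but the pool URL and `--coin` option still push it to `miner`. PID 5120 is a PHP worker under DVWA's `exec` module pegged at 95% CPU; high CPU alone only earns `suspicious`, which is the right answer, since that process is where an attacker's web shell would be running and it deserves a look without being labelled a miner.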

Implications

These findings carry significant implications for corporate security, demonstrating that an organization’s own educational tools can become a critical liability. What is intended as a resource for defense is being transformed into an attack surface, turning training platforms into a convenient backdoor for intruders. The fact that cybersecurity vendors are among the most frequent offenders points to a profound disconnect between the security guidance they provide to customers and their own internal security practices.

Moreover, the prevalence of cryptominers on these compromised systems confirms that this vulnerability is not just theoretical but is being actively and widely exploited in the wild. While cryptomining represents a relatively low-impact use of such high-level access, it proves that attackers have already breached these networks. This suggests that it may only be a matter of time before more sophisticated actors leverage this same access for more devastating purposes, such as data exfiltration, espionage, or ransomware deployment.

Reflection and Future Directions

Reflection

The scope of this research was inherently limited by its timeframe, because vulnerable training environments are usually short-lived. Companies deploy and decommission them continually, so the number of exposed instances is in constant flux and the figures in the report are a snapshot of a larger, ongoing problem. The study also deliberately excluded hundreds of vulnerable servers found on smaller or self-hosted platforms; these carry the same risks but fell outside the research's focus on the three major cloud providers.

A significant challenge encountered during the research was the responsible disclosure process. While many organizations were receptive and acted quickly to remediate the issue, others were reluctant to acknowledge the security lapse. This resistance not only complicated the disclosure efforts but also highlighted a cultural barrier within some organizations when confronted with evidence of a security failure originating from their own internal teams.

Future Directions

This study has illuminated a critical attack vector, yet it also raises several important questions that warrant further exploration. A key unanswered query is why malicious actors have, to date, predominantly used this high-level access for relatively low-stakes activities like cryptomining. Understanding the motivations and technical capabilities of the threat actors currently exploiting this flaw is crucial for predicting how this attack vector might evolve.

Furthermore, future research should investigate the root causes of these misconfigurations. Deeper analysis is needed to understand the organizational breakdowns and process failures that allow these vulnerable applications to be repeatedly exposed, especially within security-conscious companies that should know better. Identifying whether these incidents stem from a lack of awareness, inadequate tooling, or gaps in policy could lead to more effective and lasting solutions.

A Call to Action for Cloud Security

This investigation served as a critical wake-up call, proving that even tools with benign intentions can create catastrophic security breaches if improperly managed. The systemic exposure of these “damn vulnerable” applications constitutes a significant and actively exploited backdoor into corporate clouds across a wide range of industries. The research underscored the urgent need for organizations to implement comprehensive auditing of all publicly exposed assets, regardless of their perceived purpose. It also highlighted the necessity of enforcing strict sandboxing for all training environments and rigorously applying the principle of least privilege to every single component within a cloud infrastructure.
