Kubernetes Flaws Let Hackers Jump From Containers to Cloud Accounts

Hackers are increasingly abusing Kubernetes misconfigurations to jump from containers into high‑value cloud accounts, turning a single compromised pod into full cloud‑level access.

This trend is accelerating rapidly, with Kubernetes‑related identity abuse and token-theft operations growing sharply across enterprise environments.

Kubernetes now underpins many large‑scale applications, making it a prime target for attackers who want to reach backend cloud systems.

Public‑facing services exposed through ingress controllers or load balancers give threat actors an initial path to exploit application‑layer bugs and gain remote code execution inside containers.

The Unit 42 Cloud Security Assessment is an evaluation service that reviews cloud infrastructure to identify misconfigurations and security gaps.

Once inside a pod, attackers take advantage of weak RBAC rules, overprivileged service accounts, and missing network policies to explore the cluster and reach connected cloud services.

Stolen Tokens in a Crypto Exchange

In one 2025 incident at a cryptocurrency platform, attackers first compromised a developer’s workstation and used the victim’s cloud session to deploy a malicious pod into a production Kubernetes cluster.

Cryptocurrency incident flow with Kubernetes compromise (Source : Unit 42).
Cryptocurrency incident flow with Kubernetes compromise (Source : Unit 42).

The pod was built to expose its mounted service account token, which turned out to be a powerful CI/CD management identity with broad cluster permissions.

Using this token, the attacker authenticated directly to the Kubernetes API, listed secrets across namespaces and dropped a backdoor into production workloads to keep long‑term access.

From there, they pivoted into cloud‑hosted backend systems, collected more credentials and eventually reached the exchange’s financial infrastructure, enabling theft of digital assets.

React2Shell (CVE‑2025‑55182)

The React2Shell vulnerability access, CVE‑2025‑55182, is a critical bug in React Server Components’ Flight protocol that allows unauthenticated remote code execution through crafted HTTP requests.

Exfiltration from an intrusion we observed during this event (Source : Unit 42).
Exfiltration from an intrusion we observed during this event (Source : Unit 42).

Within days of disclosure in December 2025, threat actors used this flaw to execute commands inside Kubernetes‑hosted application containers behind ingress controllers and cloud load balancers.

Multiple authorization contexts, issue raw HTTP requests, perform network scanning and DNS enumeration and execute shell or filesystem commands.

Sample Peirates menu (Source : Unit 42).
Sample Peirates menu (Source : Unit 42).

Once they had code execution, attackers enumerated the pod environment, read mounted service account tokens and called the Kubernetes API to test what those identities could do.

In several environments, they also pulled cloud credentials from environment variables or metadata services, then moved into the underlying cloud accounts to deploy cryptominers, install backdoors and steal database passwords.

Common Attack Pattern

Both cases show the same repeatable pattern. First, attackers exploit a vulnerability or misconfiguration (MITRE ATT&CK T1190, exploit public‑facing application) to get remote code execution in a container.

Next, they steal Kubernetes identities, usually service account tokens mounted at predictable paths, matching technique T1528 (steal application access token).

Finally, they use these stolen identities and any discovered cloud credentials to escalate privileges across clusters and cloud services, performing lateral movement and data access outside the original pod.

Cortex XQL queries give defenders the ability to drill into Kubernetes telemetry and expose subtle indicators of malicious activity within containerized environments.

Peirates service account token access, detected by Cortex XDR (Source : Unit 42).
Peirates service account token access, detected by Cortex XDR (Source : Unit 42).

Defending against these threats requires more than just patching containers; it demands identity‑aware controls and strong visibility.

Security teams should enforce strict RBAC and Pod Security Standards so workloads run with minimal privileges, and replace long‑lived tokens with short‑lived, projected service account tokens to limit the impact of theft.

Enabling Kubernetes audit logs and integrating them with cloud telemetry helps detect unusual API calls, privilege changes and suspicious pod deployments early in the intrusion.

Continuous runtime monitoring is also critical, as it can flag unexpected shells, outbound exfiltration commands and cryptomining behavior inside containers, allowing defenders to kill compromised pods before attackers reach the cloud control plane.

Related Articles

Back to top button