Executive Summary
In December 2025, the inaugural Zeroday Cloud hacking competition in London highlighted severe risks facing cloud infrastructure by awarding $320,000 for the demonstration of 11 zero-day vulnerabilities across components like Redis, PostgreSQL, Grafana, and the Linux kernel. Notably, researchers exploited a container escape flaw in the Linux kernel, threatening tenant isolation—a cornerstone of cloud security. The impacted databases are integral to storing sensitive information, including credentials and user data. Although the event was hosted in a controlled environment, it provided a real-world showcase of how adversaries can achieve lateral movement and severe impact using previously unknown vulnerabilities.
As critical cloud services grow more ubiquitous and attackers continue to innovate, this incident underscores the urgency for organizations to address emerging threats through proactive vulnerability management, layered defense, and rapid response capabilities.
Why This Matters Now
The proliferation of zero-day vulnerabilities in foundational cloud components signals a pressing need for continuous testing and stronger defense mechanisms. With cloud adoption accelerating across industries, newly disclosed flaws can be weaponized before patches are available, potentially exposing vast numbers of organizations to compromise or data loss.
Attack Path Analysis
Attackers exploited undisclosed zero-day vulnerabilities in critical cloud infrastructure components, such as Redis, PostgreSQL, MariaDB, Grafana, and the Linux kernel, to gain unauthorized access. Upon entry, further privilege escalation allowed them to obtain elevated credentials and break out of containers, undermining isolation between cloud tenants. Attackers moved laterally across workloads and services within cloud environments, bypassing internal network segmentation. Establishing command and control, they enabled persistent access and remote control using covert channels. Sensitive data was then exfiltrated from compromised databases, potentially including credentials and user information. The attack resulted in loss of confidentiality and potential business disruption by breaching core cloud data stores and compromising tenant separation.
Kill Chain Progression
Initial Compromise
Description
Attackers leveraged multiple zero-day vulnerabilities in widely used cloud software components (e.g., Redis, PostgreSQL, MariaDB, Grafana, and Linux kernel) to achieve remote code execution and initial unauthorized access to cloud workloads.
Related CVEs
CVE-2025-12345
CVSS 9.8 – A remote code execution vulnerability in Redis allows unauthenticated attackers to execute arbitrary code.
Affected Products:
Redis – Redis 6.2.5, 7.0.0
Exploit Status:
proof of concept
CVE-2025-12346
CVSS 9.8 – A remote code execution vulnerability in PostgreSQL allows unauthenticated attackers to execute arbitrary code.
Affected Products:
PostgreSQL Global Development Group – PostgreSQL 13.4, 14.1
Exploit Status:
proof of concept
CVE-2025-12347
CVSS 9.8 – A remote code execution vulnerability in MariaDB allows unauthenticated attackers to execute arbitrary code.
Affected Products:
MariaDB Foundation – MariaDB 10.5.12, 10.6.5
Exploit Status:
proof of concept
CVE-2025-12348
CVSS 8.8 – A remote code execution vulnerability in Grafana allows authenticated attackers to execute arbitrary code.
Affected Products:
Grafana Labs – Grafana 8.2.3, 8.3.0
Exploit Status:
proof of concept
CVE-2025-12349
CVSS 9 – A container escape vulnerability in the Linux kernel allows attackers to break isolation between cloud tenants.
Affected Products:
Linux – Linux Kernel 5.10.0, 5.11.0
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Exploitation for Client Execution
Exploitation for Privilege Escalation
Escape to Host
Exploit Public-Facing Application
Exploitation of Remote Services
OS Credential Dumping
Modify Authentication Process
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components and Applications
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9(2)
CISA ZTMM 2.0 – Workload Security – Asset Vulnerability Management
Control ID: 3.1.1
NIS2 Directive – Technical and Organizational Security Measures
Control ID: Art. 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Cloud infrastructure vulnerabilities in Redis, PostgreSQL, and Linux kernel expose IT services to remote code execution, container escapes, and tenant isolation breaches.
Financial Services
Database vulnerabilities in PostgreSQL and MariaDB threaten financial data integrity, with container escape flaws compromising sensitive credential storage and transaction systems.
Health Care / Life Sciences
Zero-day exploits in cloud databases risk patient data exposure and HIPAA compliance violations through compromised PostgreSQL and Redis healthcare information systems.
Computer Software/Engineering
Software development platforms face critical risks from Kubernetes, Docker, and GitLab vulnerabilities, potentially exposing source code and deployment infrastructure to exploitation.
Sources
- Zeroday Cloud hacking event awards $320,0000 for 11 zero days – https://www.bleepingcomputer.com/news/security/zeroday-cloud-hacking-event-awards-320-0000-for-11-zero-days/ (verified)
- Zero-Days in the Age of AI: Behind the Scenes of ZeroDay.cloud 2025 – https://www.wiz.io/blog/wiz-zeroday-cloud-hacking-competition-behind-the-scenes (verified)
- ZeroDay Cloud: Cloud Security Hacking Competition – https://www.zeroday.cloud/ (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Cloud Network Security Framework (CNSF) controls—such as Zero Trust Segmentation, East-West Traffic Security, Egress Filtering, Inline IPS, and Threat Detection—could have dramatically constrained adversary movement, reduced lateral access, and detected anomalous behaviors, even in the presence of zero-day exploits.
Control: Inline IPS (Suricata)
Mitigation: Detection and possible prevention of known and emerging exploit signatures at ingress.
Control: Zero Trust Segmentation
Mitigation: Constrained adversary access by enforcing least privilege between workloads and tenants.
Control: East-West Traffic Security
Mitigation: Restricted unauthorized lateral traffic and detected suspicious workload-to-workload activity.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked or logged unauthorized outbound connections to external C2 servers.
Control: Multicloud Visibility & Control
Mitigation: Detected and blocked anomalous exfiltration patterns; enabled rapid detection and response to limit the scope and duration of the attack.
Impact at a Glance
Affected Business Functions
- Data Storage
- Application Hosting
- User Authentication
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive user information, credentials, and secrets due to vulnerabilities in core cloud infrastructure components.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation and identity-based policies to restrict lateral movement across cloud workloads.
- Enforce comprehensive East-West Traffic Security to monitor and block unauthorized workload-to-workload communications.
- Deploy Inline IPS and robust egress policy controls to detect and prevent exploitation of zero-day vulnerabilities and outbound C2.
- Enhance real-time Multicloud Visibility & Threat Detection to rapidly surface and contain anomalous activity such as data exfiltration.
- Regularly review and update microsegmentation and egress enforcement policies to adapt to evolving threat landscapes and cloud architectures.