Exposed Cloud Training Apps Hijacked for Crypto Mining

Security researchers at Pentera Labs have discovered that thousands of intentionally vulnerable cloud training applications are being left publicly exposed on enterprise networks, leading to active exploitation by malicious actors. The research highlights a significant security gap where educational tools, designed to teach cybersecurity, are becoming gateways for attacks, including the deployment of cryptocurrency miners within the cloud environments of Fortune 500 companies and security vendors.

According to the report, Pentera Labs identified thousands of exposed training and demonstration applications, such as the OWASP Juice Shop, Damn Vulnerable Web Application (DVWA), and Hackazon. These instances were found running on enterprise-owned infrastructure across major cloud providers, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). The firm claims that these applications, meant for controlled “lab” environments, are being left accessible from the public internet.

The research states that approximately 20% of the discovered exposed environments showed direct evidence of ongoing abuse by attackers. This exploitation turns educational tools into active security threats within corporate networks, creating persistent footholds for further malicious activity.

Attackers who gain access to these vulnerable training apps are deploying a range of malicious tools. The primary form of abuse identified by Pentera Labs is the installation of crypto-miners, which hijack the enterprise’s cloud computing resources to generate cryptocurrency for the attacker. This practice, often called cryptojacking, can lead to significant, unexpected cloud service bills.

Beyond crypto-mining, researchers found evidence of webshells and obfuscated scripts being installed. These tools provide attackers with persistent remote access to the compromised server. The report also notes that these initial footholds create paths for lateral movement and privilege escalation, potentially allowing an attacker to move from the exposed training app into more sensitive parts of the corporate cloud environment.

The core issue stems from a misconfiguration of security training environments. These applications are vulnerable by design to provide a realistic, hands-on learning experience for developers and security professionals. The flaw is not the vulnerability itself, but the failure to properly isolate these “labs” from public-facing networks. When these training instances are deployed on production infrastructure without proper network segmentation or access controls, they become an open invitation for attackers scanning for easy targets.

The research from Pentera Labs does not publicly name the specific Fortune 500 organizations or security vendors found to have exposed training applications. Furthermore, the report does not quantify the total financial impact incurred by the affected companies due to the unauthorized crypto-mining activities or the potential cost of remediation.

To address these findings, Pentera Labs is hosting a live webinar on , featuring Senior Security Researcher Noam Yaffe. The session will detail the research methodology and demonstrate how attackers exploit these exposures. The company has also announced it will provide a free tool to help organizations identify and remediate this specific security gap.

In light of these findings, security teams are advised to conduct thorough inventories of their cloud assets to identify any active training or demonstration applications. It is recommended to verify that all such environments are properly isolated in sandboxed networks, inaccessible from the public internet. Organizations can also implement continuous monitoring and automated scanning to detect and alert on the deployment of known vulnerable training software outside of designated, secured lab environments.
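The inventory check recommended above can be sketched as follows. This is an added example, not code from Pentera Labs or its announced tool: it audits a normalized asset export for training apps whose ingress rules admit traffic from outside internal ranges. The record schema, the name fragments used for matching, and the sample assets are assumptions constructed for illustration.

```python
import ipaddress

# Assumed name fragments for the training apps the article names (matched case-insensitively).
TRAINING_MARKERS = ("juice-shop", "dvwa", "hackazon")
# Sources treated as internal: RFC 1918 ranges and IPv6 unique local addresses.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def source_scope(cidr):
    """Classify an ingress source CIDR as 'world', 'external' or 'internal'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "world"
    inside = any(p.version == net.version and net.subnet_of(p) for p in INTERNAL)
    return "internal" if inside else "external"

def is_training_app(asset):
    fields = [asset.get("name", ""), asset.get("image", ""), *asset.get("tags", {}).values()]
    return any(m in " ".join(fields).lower() for m in TRAINING_MARKERS)

def audit(assets):
    """Return (id, worst_scope, ports) for training apps reachable from outside."""
    rank = {"internal": 0, "external": 1, "world": 2}
    findings = []
    for a in assets:
        if not is_training_app(a) or not a.get("public_ip"):
            continue
        outside = [(source_scope(r["source"]), r["port"]) for r in a.get("ingress", [])]
        outside = [(s, p) for s, p in outside if s != "internal"]
        if outside:
            worst = max((s for s, _ in outside), key=rank.get)
            findings.append((a["id"], worst, sorted({p for _, p in outside})))
    return sorted(findings, key=lambda f: -rank[f[1]])

# Constructed sample inventory (hypothetical schema, not a provider API format).
SAMPLE = [
    {"id": "i-lab-01", "name": "sec-training", "image": "juice-shop:latest",
     "public_ip": "203.0.113.10", "ingress": [{"port": 3000, "source": "0.0.0.0/0"}]},
    {"id": "vm-lab-02", "name": "DVWA workshop", "image": "ubuntu-22.04",
     "public_ip": None, "ingress": [{"port": 80, "source": "10.20.0.0/16"}]},
    {"id": "gce-lab-03", "name": "demo", "image": "debian-12", "tags": {"app": "Hackazon"},
     "public_ip": "198.51.100.7", "ingress": [{"port": 80, "source": "198.51.100.0/24"},
                                              {"port": 22, "source": "192.168.1.0/24"}]},
    {"id": "i-prod-04", "name": "billing-api", "image": "billing:4.2",
     "public_ip": "203.0.113.20", "ingress": [{"port": 443, "source": "::/0"}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Findings are ordered with world-open assets first; an asset reachable only through a load balancer or proxy would need that path added to its record to be caught.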
