An investigative breakdown of the most common CVEs in cloud infrastructure and how they enable modern breaches.
Introduction to Common CVEs in Cloud Infrastructure
Cloud breaches rarely begin with cinematic “zero-day” intrusions. They begin with something far more mundane: a handful of known cloud infrastructure vulnerabilities, unpatched or misconfigured, in an environment assumed to be secure by default.
Across AWS, Azure, GCP, and hybrid stacks, a small set of recurring weaknesses accounts for a disproportionate share of real-world compromises. These flaws persist not because they are obscure, but because cloud environments are complex, fast-moving, and often governed by fragmented responsibility between developers, DevOps teams, and security functions.
For investigators, journalists, and analysts, understanding these recurring CVEs is essential. They explain how ransomware operators pivot into Kubernetes clusters, how data exfiltration occurs from object storage, and how “misconfiguration” frequently masks known exploitable defects.
This guide catalogues ten of the most commonly abused CVE classes in cloud infrastructure: what they are, how they are exploited, and why they persist.
What is a CVE?
CVE stands for Common Vulnerabilities and Exposures: a dictionary of publicly known security flaws that assigns each one a standardised name (a CVE ID), so that security tools and organisations can identify, track, and fix the same vulnerability consistently across different systems and databases.
Key Aspects of CVE:
- Identification: Assigns a unique ID (e.g., CVE-2023-12345) to each specific vulnerability.
- Dictionary: Acts as a common reference, like a dictionary, for security vulnerabilities.
- Interoperability: Enables different security tools and databases to communicate about the same vulnerability.
- Maintenance: Maintained by the MITRE Corporation, a non-profit, and sponsored by the U.S. DHS.
- Purpose: Helps IT professionals prioritise and address vulnerabilities to secure systems better.
1. Log4Shell – CVE-2021-44228
Affected: Java-based services, cloud workloads, SaaS platforms
Impact: Remote Code Execution (RCE)
Log4Shell remains the archetype of cloud-scale failure. A single logging library embedded in thousands of services allowed arbitrary code execution via crafted log strings.
Why it matters in the cloud:
- Present in container images, serverless functions, and SaaS backends
- Difficult to inventory in microservice architectures
- Exploitable over HTTP, LDAP, and DNS
Years after disclosure, unpatched instances continue to surface in exposed APIs and internal services.
2. ProxyShell / ProxyNotShell – CVE-2021-34473, CVE-2021-34523
Affected: Microsoft Exchange (cloud-connected hybrid deployments)
Impact: RCE, mailbox access
Hybrid Exchange environments bridge on-prem and cloud identity. These vulnerabilities allowed attackers to pivot from exposed endpoints into the internal mail infrastructure.
Cloud relevance:
- Common in enterprise hybrid setups
- Used by ransomware operators for initial access
- Enables credential theft and lateral movement
These flaws blurred the boundary between “on-prem” and “cloud” compromise.
3. Spring4Shell – CVE-2022-22965
Affected: Spring Framework workloads in cloud apps
Impact: RCE
Spring4Shell demonstrated how application-layer flaws cascade in cloud-native environments:
- Exploitable in containerised microservices
- Common in Java-based SaaS platforms
- Often embedded in legacy images
Cloud teams frequently patch base images but overlook application-layer frameworks.
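The inventory problem raised for Log4Shell and again for Spring4Shell, as an added example (not code from the original article): a scanner that walks an unpacked container image or host filesystem, recognises versioned Java library jars by filename, and reports any whose version is below a policy minimum. The artifact names and minimum versions in POLICY_MIN_VERSIONS, the directory layout, and the jar files themselves are constructed for the example; the floors are an assumed organisational policy, not a statement of which release fixed which CVE.

```python
"""Inventory versioned jars under a filesystem tree and flag those below
a policy minimum. Added example; sample tree and policy are constructed."""
import os
import re
import tempfile

# Assumed policy floor (artifactId -> minimum acceptable version).
POLICY_MIN_VERSIONS = {
    "log4j-core": "2.17.1",    # assumption: floor chosen for the Log4Shell family
    "spring-beans": "5.3.18",  # assumption: floor chosen for Spring4Shell
    "spring-webmvc": "5.3.18",
}

# Matches e.g. log4j-core-2.14.1.jar or spring-beans-5.3.17.RELEASE.jar:
# artifact id, then a dotted numeric version, then optional qualifiers.
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[.-][A-Za-z0-9]+)*\.jar$"
)


def parse_version(v):
    """'2.17.1' -> (2, 17, 1); qualifiers are not part of the numeric version."""
    return tuple(int(p) for p in v.split("."))


def is_below(found, minimum):
    """True when `found` is strictly lower than `minimum` (2.17 == 2.17.0)."""
    a, b = parse_version(found), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def scan_tree(root, policy=POLICY_MIN_VERSIONS):
    """Return findings for every policy-listed jar below its minimum version."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            artifact, version = m.group("artifact"), m.group("version")
            if artifact in policy and is_below(version, policy[artifact]):
                findings.append({
                    "path": os.path.relpath(os.path.join(dirpath, name), root),
                    "artifact": artifact,
                    "version": version,
                    "minimum": policy[artifact],
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_image():
    """Create a constructed, empty-jar image layout in a temp dir; return its root."""
    root = tempfile.mkdtemp(prefix="image-")
    sample_files = [
        "app/WEB-INF/lib/log4j-core-2.14.1.jar",            # below floor
        "app/WEB-INF/lib/log4j-api-2.14.1.jar",             # not in policy
        "app/WEB-INF/lib/spring-beans-5.3.17.RELEASE.jar",  # below floor
        "opt/service/lib/spring-webmvc-5.3.20.jar",         # at or above floor
        "opt/service/lib/log4j-core-2.17.1.jar",            # exactly at floor
    ]
    for rel in sample_files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


def demo():
    """Build the constructed image and scan it."""
    return scan_tree(build_sample_image())


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {f['artifact']} {f['version']} < {f['minimum']}")
```

Run against a real image by exporting it (for example with `docker save` and extracting the layers) and pointing `scan_tree` at the extracted root; the filename heuristic deliberately ignores jars without a version in the name, which a MANIFEST-based check would have to cover separately.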
4. Kubernetes API Server Exposure – CVE-2018-1002105
Affected: Kubernetes control planes
Impact: Privilege escalation
Kubernetes misconfigurations often intersect with known CVEs:
- Exposed API servers
- Insecure RBAC policies
- Unpatched control-plane components
This class of vulnerabilities enables attackers to escape pods and take control of entire clusters, effectively compromising every workload in the environment.
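An added example of checking the RBAC side of this list (not code from the original article): an audit over ClusterRole and ClusterRoleBinding objects in the JSON shape that `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` return. It flags bindings that grant any role to the unauthenticated principals `system:anonymous` or `system:unauthenticated`, and bindings that hand a wildcard (verbs `*` on resources `*`) role to a non-system subject. The cluster objects below are constructed sample data; the binding and subject names are invented for the example.

```python
"""Audit ClusterRoleBindings for unauthenticated subjects and wildcard-role
grants. Added example; the cluster objects are constructed sample data."""
import json

# Principals that represent requests with no valid credentials.
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}


def role_is_wildcard(role):
    """True if any rule grants every verb on every resource."""
    for rule in role.get("rules", []):
        if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
            return True
    return False


def audit_rbac(cluster_roles, cluster_role_bindings):
    """Return (binding, subject, role, reason) tuples for risky bindings."""
    roles_by_name = {r["metadata"]["name"]: r for r in cluster_roles}
    findings = []
    for binding in cluster_role_bindings:
        bname = binding["metadata"]["name"]
        role_name = binding["roleRef"]["name"]
        role = roles_by_name.get(role_name)
        for subj in binding.get("subjects", []):   # subjects may be absent
            sname = subj.get("name", "")
            if sname in ANONYMOUS_SUBJECTS:
                findings.append((bname, sname, role_name,
                                 "grants rights to unauthenticated principals"))
            elif (role is not None and role_is_wildcard(role)
                  and not sname.startswith("system:")):
                findings.append((bname, sname, role_name,
                                 "binds a wildcard role to a non-system subject"))
    return findings


# Constructed sample output in the shape of `kubectl get ... -o json`.
SAMPLE_CLUSTER_ROLES = json.loads("""{"items": [
  {"metadata": {"name": "cluster-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "view-pods"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
]}""")["items"]

SAMPLE_BINDINGS = json.loads("""{"items": [
  {"metadata": {"name": "ci-deployer-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]},
  {"metadata": {"name": "public-pod-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view-pods"},
   "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
  {"metadata": {"name": "sre-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]}
]}""")["items"]


def demo():
    """Audit the constructed sample cluster."""
    return audit_rbac(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS)


if __name__ == "__main__":
    for binding, subject, role, reason in demo():
        print(f"{binding}: {subject} -> {role}: {reason}")
```

The `system:masters` binding is left alone because Kubernetes creates it by default; the check is interested in grants an operator added. On a live cluster, feed the two `kubectl` JSON documents' `items` arrays into `audit_rbac`; namespaced RoleBindings would need the same treatment against Roles.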
5. Apache Struts – CVE-2017-5638
Affected: Legacy enterprise apps in cloud migrations
Impact: RCE
Struts vulnerabilities persist in cloud-lifted legacy systems:
- Monolithic apps moved into IaaS
- Forgotten web endpoints
- Long-lived AMIs
The cloud does not eliminate technical debt; it preserves it at scale.
6. OpenSSL Heartbleed – CVE-2014-0160
Affected: TLS implementations in services and appliances
Impact: Memory disclosure
Heartbleed-era vulnerabilities still surface in:
- Embedded appliances
- Legacy container images
- Custom-built AMIs
Cloud inventory opacity allows ancient cryptographic flaws to survive in production.
7. VMware vCenter – CVE-2021-21972
Affected: Virtualisation layers in private clouds
Impact: RCE
Private cloud and hybrid stacks rely heavily on VMware:
- Exposed management interfaces
- RCE against hypervisors
- Direct access to VM images
These flaws enable attackers to bypass guest OS defences entirely.
8. Atlassian Confluence – CVE-2022-26134
Affected: Knowledge bases, DevOps portals
Impact: RCE
Confluence often sits at the centre of engineering operations:
- Stores credentials
- Integrates CI/CD secrets
- Maps internal infrastructure
Cloud-hosted and self-hosted instances alike were compromised en masse.
9. MOVEit Transfer – CVE-2023-34362
Affected: Managed file transfer services
Impact: Data exfiltration
MOVEit exposed how third-party SaaS becomes a single point of failure:
- Mass breach via one vendor
- Exfiltration of regulated data
- Supply-chain amplification
Cloud centralisation multiplies blast radius.
10. Apache HTTP Server – CVE-2021-41773
Affected: Web frontends and APIs
Impact: Path traversal, RCE
Still common in:
- Container images
- Edge gateways
- API endpoints
Often embedded in “temporary” services that become permanent.
Why These CVEs Persist
These vulnerabilities survive because cloud environments suffer from:
- Asset invisibility (unknown services)
- Image sprawl (thousands of containers)
- Shared responsibility ambiguity
- Patch orchestration complexity
- Legacy lift-and-shift migrations
The cloud accelerates deployment but fragments accountability.
Investigative Implications
When reporting on a breach:
- Identify the CVE involved
- Determine disclosure date
- Compare with patch availability
- Assess exposure window
- Evaluate organisational response
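The CVE ID format described in "What is a CVE?" and the timeline questions in the list above, worked as one added example (not code from the original article): a parser that pulls well-formed CVE IDs out of report text, and a function that turns disclosure, patch-availability, remediation and compromise dates into the patch lag and exposure window an investigator would report. The dates in the sample timeline are constructed placeholders, not the real dates of any CVE.

```python
"""Extract CVE IDs from text and compute breach-timeline intervals.
Added example; the sample text and dates are constructed."""
import re
from datetime import date

# CVE-YYYY-NNNN with four or more sequence digits (the current syntax).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")


def extract_cve_ids(text):
    """Return well-formed CVE IDs in order of first appearance, de-duplicated."""
    seen, out = set(), []
    for year, seq in CVE_RE.findall(text):
        if int(year) < 1999:          # the CVE list starts in 1999
            continue
        cve = f"CVE-{year}-{seq}"
        if cve not in seen:
            seen.add(cve)
            out.append(cve)
    return out


def exposure_window(disclosed, patch_available, patched=None, compromised=None):
    """Intervals (in days) an investigator can state from a breach timeline.

    disclosed       : public disclosure date of the CVE
    patch_available : date a fix was available from the vendor
    patched         : date the organisation remediated (None if still unpatched)
    compromised     : date of the intrusion, if known
    """
    result = {
        "patch_lag_days": (patch_available - disclosed).days,
        "exposure_days": (patched - disclosed).days if patched else None,
        "compromise_after_patch_days": None,
        "exploited_before_patch": None,
    }
    if compromised is not None:
        result["compromise_after_patch_days"] = (compromised - patch_available).days
        # True only when the intrusion predates any available fix.
        result["exploited_before_patch"] = compromised < patch_available
    return result


# Constructed report excerpt: one real-format ID from the article, the
# article's illustrative ID, and a malformed one that must be ignored.
SAMPLE_TEXT = (
    "The cluster was running a build affected by CVE-2021-44228; a later note "
    "referenced CVE-2023-12345 and, incorrectly, CVE-21-1234. "
    "CVE-2021-44228 was mentioned twice."
)

# Constructed placeholder timeline (not real dates for any CVE).
SAMPLE_TIMELINE = dict(
    disclosed=date(2024, 1, 10),
    patch_available=date(2024, 1, 12),
    patched=date(2024, 3, 1),
    compromised=date(2024, 2, 1),
)


def demo():
    """Parse the sample text and evaluate the sample timeline."""
    return extract_cve_ids(SAMPLE_TEXT), exposure_window(**SAMPLE_TIMELINE)


if __name__ == "__main__":
    ids, window = demo()
    print("CVEs referenced:", ", ".join(ids))
    for key, value in window.items():
        print(f"{key}: {value}")
```

A `compromise_after_patch_days` value greater than zero is the figure that distinguishes an operational patch-management failure from genuine pre-patch exploitation, which is the distinction the last bullet above asks for.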
Most “sophisticated attacks” are operational failures in patch management.
Conclusion
Cloud breaches are rarely caused by exotic exploits. They are caused by well-documented security flaws repeated across thousands of cloud environments.
These ten vulnerabilities and their families form the backbone of modern compromise. They explain how attackers move from internet-facing services into internal workloads, from SaaS into regulated data, and from misconfiguration into full control.
The cloud did not eliminate insecurity. It industrialised it.
