Threat actors exploit flaws in MinIO storage system to commandeer servers

Malicious actors are abusing two recently disclosed flaws in the MinIO Object Storage solution to breach object storage systems and achieve unauthorized code execution on the affected servers.

MinIO is a high-performance, distributed object storage system built for large-scale AI/ML, data lake and database workloads. It is software-defined and runs on any cloud or on-premises infrastructure.

According to a report from cybersecurity and incident response firm Security Joes, the attackers used a publicly available exploit chain to backdoor a MinIO instance. The exploit chain involves two vulnerabilities tracked as CVE-2023-28432 and CVE-2023-28434, the former of which is an information disclosure issue, while the latter is a privilege escalation flaw.

These vulnerabilities impact all MinIO versions that precede RELEASE.2023-03-20T20-16-18Z. Both bugs were disclosed and addressed by the vendor in March of this year.
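Because MinIO versions are UTC timestamps (RELEASE.YYYY-MM-DDTHH-MM-SSZ), checking an inventory against the fixed release is a chronological comparison. The following is an added example, not code from the article or from MinIO; the host names and release tags in the sample inventory are constructed for illustration.

```python
"""Triage a MinIO inventory against the first release that fixes
CVE-2023-28432 / CVE-2023-28434 (RELEASE.2023-03-20T20-16-18Z)."""
import re
from datetime import datetime, timezone

# First release containing the fix, as stated in the article.
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

_RELEASE_RE = re.compile(
    r"RELEASE\.(\d{4})-(\d{2})-(\d{2})T(\d{2})-(\d{2})-(\d{2})Z"
)

def extract_release(text: str) -> str:
    """Pull the release tag out of arbitrary text (e.g. a version banner
    an operator captured); raises ValueError if no tag is present."""
    m = _RELEASE_RE.search(text)
    if not m:
        raise ValueError(f"no MinIO release tag found in {text!r}")
    return m.group(0)

def parse_release(tag: str) -> datetime:
    """Convert a release tag to a UTC datetime so tags order chronologically."""
    y, mo, d, h, mi, s = (int(g) for g in _RELEASE_RE.fullmatch(extract_release(tag)).groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)

def is_vulnerable(tag: str) -> bool:
    """True when the build predates the fixed release (fixed build itself is not)."""
    return parse_release(tag) < parse_release(FIXED_RELEASE)

def triage(inventory: dict) -> dict:
    """Split a {host: version_text} inventory into vulnerable / patched / unknown."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, text in inventory.items():
        try:
            bucket = "vulnerable" if is_vulnerable(text) else "patched"
        except ValueError:
            bucket = "unknown"  # no parseable tag: needs manual follow-up
        result[bucket].append(host)
    return result

# Constructed sample inventory (hypothetical hosts and tags, not from the article).
SAMPLE_INVENTORY = {
    "minio-a.example.internal": "minio version RELEASE.2023-01-01T00-00-00Z",
    "minio-b.example.internal": "RELEASE.2023-03-20T20-16-18Z",
    "minio-c.example.internal": "RELEASE.2023-09-01T12-00-00Z",
    "minio-d.example.internal": "build info unavailable",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A host reporting the fixed or a later release still warrants checking the integrity of its installed client binary, since the observed intrusion replaced that binary rather than relying on the version alone.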

During the analysis, the Security Joes researchers discovered a previously unreported exploit chain comprising CVE-2023-28432 and CVE-2023-28434. Further investigation revealed that the exploit code is publicly available in the GitHub repository “evil_minio”.

In the observed attack chain, the two flaws were weaponized by the threat actor to obtain admin credentials and replace the MinIO client on the host with a modified version that provides backdoor access to the system.

“While the backdoor used by the threat actor during the intrusion leverages the exploitation of MinIO and does not necessitate an external PHP script for its execution, it's imperative to underscore the range of tools at the disposal of the threat actor,” the researchers said. “These tools can potentially be employed to compromise additional environments that may not necessarily have any direct link to MinIO. This observation accentuates the threat actor's versatility and emphasizes the need for a comprehensive security posture that remains vigilant against various vectors of attack.”
