Threat actors exploit flaws in MinIO storage system to commandeer servers

Malicious actors are abusing two recently disclosed flaws in the MinIO object storage solution to breach storage deployments and achieve unauthorized code execution on the affected servers.

MinIO is a high-performance, distributed object storage system built for large-scale AI/ML, data lake and database workloads. It is software-defined and runs on any cloud or on-premises infrastructure.

According to a report from cybersecurity and incident response firm Security Joes, the attackers used a publicly available exploit chain to backdoor a MinIO instance. The exploit chain involves two vulnerabilities tracked as CVE-2023-28432 and CVE-2023-28434, the former of which is an information disclosure issue, while the latter is a privilege escalation flaw.

These vulnerabilities impact all MinIO versions that precede RELEASE.2023-03-20T20-16-18Z. Both bugs were disclosed and addressed by the vendor in March of this year.

During the analysis, the Security Joes researchers discovered a previously unreported exploit chain consisting of CVE-2023-28432 and CVE-2023-28434. Further investigation revealed that the exploit code is available in the GitHub repository “evil_minio”.

In the observed attack chain, the two flaws were weaponized by the threat actor to obtain admin credentials and replace the MinIO client on the host with a modified version that provides backdoor access to the system.
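Two facts in the report lend themselves to a defender-side triage check: the fix release (every version preceding RELEASE.2023-03-20T20-16-18Z is affected) and the swapped-out MinIO client on the host. The script below is an added example, not code from the article, from Security Joes or from the MinIO project. It parses MinIO's RELEASE.YYYY-MM-DDTHH-MM-SSZ tag format, sorts an inventory of servers into affected, patched and unknown, and compares a client binary's SHA-256 against an expected digest the operator supplies. The hostnames, version strings and binary bytes are constructed; the expected digest in a real deployment must come from the vendor's published checksum, which is not included here.

```python
"""Triage MinIO servers by release tag and check the client binary's digest.

Added example (not from the article or the MinIO project). MinIO release
tags have the form RELEASE.YYYY-MM-DDTHH-MM-SSZ, matching the fix release
the article names; every tag that sorts before it is affected by
CVE-2023-28432 / CVE-2023-28434.
"""
import hashlib
import hmac
import re
from datetime import datetime, timezone
from typing import Dict, List

# Fix release named in the article: versions preceding this are affected.
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

_RELEASE_RE = re.compile(
    r"^RELEASE\.(\d{4})-(\d{2})-(\d{2})T(\d{2})-(\d{2})-(\d{2})Z$"
)


def parse_release(version: str) -> datetime:
    """Convert a MinIO release tag into a timezone-aware UTC datetime."""
    match = _RELEASE_RE.match(version.strip())
    if not match:
        raise ValueError(f"not a MinIO release tag: {version!r}")
    year, month, day, hour, minute, second = (int(g) for g in match.groups())
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def is_affected(version: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when `version` precedes the fix release (the fix itself is safe)."""
    return parse_release(version) < parse_release(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a host -> version inventory into affected / patched / unknown."""
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            # Unparseable tag (custom build, truncated output): needs a manual look.
            bucket = "unknown"
        result[bucket].append(host)
    return result


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a binary image, as vendors publish in checksum files."""
    return hashlib.sha256(data).hexdigest()


def client_binary_tampered(data: bytes, expected_sha256: str) -> bool:
    """True when the installed client's digest differs from the expected one.

    `expected_sha256` must come from a trusted source (vendor checksum file);
    the comparison is constant-time so the check itself leaks nothing.
    """
    return not hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


# Constructed sample inventory (hostnames and version tags are made up).
SAMPLE_INVENTORY = {
    "minio-a.example.internal": "RELEASE.2023-03-01T00-00-00Z",
    "minio-b.example.internal": "RELEASE.2023-03-20T20-16-18Z",
    "minio-c.example.internal": "RELEASE.2023-09-01T00-00-00Z",
    "minio-d.example.internal": "dev-build",
}

# Constructed stand-in for the bytes of an installed client binary.
SAMPLE_CLIENT_BYTES = b"\x7fELF constructed sample, not a real mc binary"

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
    # Placeholder: in practice read the digest from the vendor checksum file.
    expected = sha256_hex(SAMPLE_CLIENT_BYTES)
    print("client tampered:", client_binary_tampered(SAMPLE_CLIENT_BYTES, expected))
```

In use, the inventory would be filled from each server's reported version and the client bytes read from the `mc` path on the host; a tag that fails to parse is deliberately reported as unknown rather than silently treated as patched.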

“While the backdoor used by the threat actor during the intrusion leverages the exploitation of MinIO and does not necessitate an external PHP script for its execution, it's imperative to underscore the range of tools at the disposal of the threat actor,” the researchers said. “These tools can potentially be employed to compromise additional environments that may not necessarily have any direct link to MinIO. This observation accentuates the threat actor's versatility and emphasizes the need for a comprehensive security posture that remains vigilant against various vectors of attack.”
