Research conducted by Microsoft has revealed that threat actors are actively targeting misconfigured Apache Pinot instances in Kubernetes environments, exploiting insecure default settings that can expose sensitive user data.
Apache Pinot, an open-source real-time analytics platform used by major companies such as Uber, Walmart, and LinkedIn, is designed for high-speed querying of large datasets. However, Microsoft researchers warn that its default Kubernetes deployment exposes critical components to the internet without authentication, creating a serious security vulnerability.
“The default installation exposes Apache Pinot’s main components to the internet by Kubernetes LoadBalancer services without providing any authentication mechanism by default,” Microsoft said. This misconfiguration allows unauthenticated attackers full access to the Pinot dashboard, potentially enabling data theft and unauthorized workload management.
Microsoft said that it has observed multiple cases where attackers exploited vulnerable Pinot instances in the wild. The company’s analysis found that some applications within Kubernetes clusters lacked authentication entirely or relied on weak, predefined credentials.
In a related discovery, Microsoft identified a vulnerability in Meshery, an open-source cloud infrastructure management platform, that could allow remote code execution. Exploiting the flaw requires access to the application's exposed external IP address. Microsoft recommends limiting Meshery’s access to internal networks as a preventative measure.
“By default, when installing Meshery on your Kubernetes cluster via the official Helm installation, the app’s interface is exposed via an external IP address,” Microsoft said. “We discovered that anyone who can access the external IP address can sign up with a new user and access the interface which provides extensive visibility into cluster activities and even enables the deployment of new pods.”
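Both the Pinot and Meshery findings above come down to a Service of type LoadBalancer that received an external address by default. The audit below is an added example, not code from Microsoft or from either project: it reads the output of `kubectl get services --all-namespaces -o json` and lists LoadBalancer Services that are neither marked internal nor limited by a source allowlist. The namespaces, service names, addresses and ports in `SAMPLE` are constructed.

```python
import json
import sys

# Annotations that request an internal (non-internet-facing) cloud load balancer.
INTERNAL_ANNOTATIONS = {
    "service.beta.kubernetes.io/azure-load-balancer-internal": "true",
    "service.beta.kubernetes.io/aws-load-balancer-scheme": "internal",
    "networking.gke.io/load-balancer-type": "internal",
}
OPEN_RANGES = {"0.0.0.0/0", "::/0"}

def svc(ns, name, type_, ip=None, annotations=None, ranges=None, port=9000):
    """Build a constructed Service object in the shape kubectl emits."""
    return {"metadata": {"namespace": ns, "name": name, "annotations": annotations},
            "spec": {"type": type_, "ports": [{"port": port}],
                     "loadBalancerSourceRanges": ranges},
            "status": {"loadBalancer": {"ingress": [{"ip": ip}] if ip else []}}}

# Constructed sample input: two exposed Services, three that should not be flagged.
SAMPLE = {"items": [
    svc("analytics", "controller-external", "LoadBalancer", ip="203.0.113.10"),
    svc("analytics", "broker-internal", "LoadBalancer", ip="10.0.4.7",
        annotations={"service.beta.kubernetes.io/azure-load-balancer-internal": "true"}),
    svc("mgmt", "ui-allowlisted", "LoadBalancer", ip="203.0.113.20", ranges=["198.51.100.0/24"]),
    svc("mgmt", "ui-wide-open", "LoadBalancer", ip="203.0.113.30", ranges=["0.0.0.0/0"], port=80),
    svc("analytics", "server", "ClusterIP"),
]}

def exposed_services(service_list):
    """Return LoadBalancer Services with no internal annotation and no real allowlist."""
    findings = []
    for item in service_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        notes = meta.get("annotations") or {}
        if any(str(notes.get(k, "")).lower() == v for k, v in INTERNAL_ANNOTATIONS.items()):
            continue
        ranges = spec.get("loadBalancerSourceRanges") or []
        if ranges and not OPEN_RANGES & set(ranges):
            continue  # reachable only from an explicit allowlist
        ingress = item.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        findings.append({
            "service": f"{meta.get('namespace')}/{meta.get('name')}",
            "addresses": [i.get("ip") or i.get("hostname") for i in ingress],
            "ports": [p.get("port") for p in spec.get("ports") or []],
        })
    return findings

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in exposed_services(data):
        print(f"{f['service']} is internet-facing on {f['addresses']} ports {f['ports']}")
```

A finding means the Service is reachable from outside the cluster, not that it lacks authentication; each one still needs a check of the application's own login settings.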