
Top 11 cloud vulnerabilities and how to mitigate them

Security teams have so much on their plates preventing and mitigating attacks. Many of those attacks exploit common cloud vulnerabilities – so it’s important to understand what they are and how to address them.


Mitigate these cloud vulnerabilities to improve security posture

A growing share of cloud data breaches come from threat actors exploiting common cloud vulnerabilities, a trend driven by how prevalent critical vulnerabilities are and by how long they take to remediate.

The vulnerabilities discussed here are the ones that open gaps in cloud security: misconfigurations, poor identity controls, and software flaws tracked as common vulnerabilities and exposures (CVE).

So, it’s important to understand the common cloud vulnerabilities and risks that exist and a few steps you can take to mitigate or prevent them. Lastly, we offer some general best practices for reducing cloud vulnerabilities.

1. Misconfigurations

Misconfigurations are the bane of security practitioners everywhere. From publicly exposing storage or S3 buckets to improperly implementing firewall rules, misconfigurations are an unfortunately common cause of security incidents.

Among error-based data breaches, about 30% were misconfigurations, according to the 2025 Verizon Data Breach Investigations Report. This includes misconfigurations in software, hardware, and networks.

The causes of misconfigurations can usually be traced back to a few root causes: human error, inexperienced teams, and complex cloud infrastructure. Something as small as a typo in a policy or firewall rule can lead to a data breach.

Common cloud misconfigurations include:

  • Open public-facing storage or infrastructure: Business-critical data is too often stored in S3 buckets and other cloud storage accidentally, or without proper security measures, and then forgotten. ID verification firm Persona recently had its entire dashboard codebase exposed to the public.
  • Open ICMP access: The Internet Control Message Protocol (ICMP) handles error reporting and diagnostics for IP networks, but attackers also use it for network reconnaissance, as a covert channel (ICMP tunneling), and as a vector for distributed denial-of-service (DDoS) floods.
  • Exposed Kubernetes clusters: This includes unrestricted access to TCP port 2379, the etcd client port (2380 is the peer port). etcd holds the cluster's entire configuration, including Kubernetes Secrets, which are stored in plaintext unless encryption at rest is configured, so an attacker who reaches it can read, copy, modify, or delete that data.
  • Unrestricted outbound ports: Limiting outbound (egress) traffic is just as important as restricting inbound traffic. Attackers or insider threats use open outbound ports for command-and-control and data exfiltration.
  • Poorly managed secrets: Implementing encryption and strong passwords is great, but if the keys and passwords are committed to GitHub repositories, embedded in your HTML or client-side code, or left in exposed cloud storage, you are effectively handing attackers access to your data and systems.

How to mitigate cloud misconfigurations

To reduce misconfigurations and catch them before attackers do, start with monitoring and logging: you cannot fix a misconfiguration you cannot see, so continuous visibility into the cloud estate comes first.

Monitoring can help your security teams find old or unused services, ephemeral workloads, or cloud data storage. Once identified, you should spin down old containers and other unused workloads to reduce attack vectors.

Alongside monitoring, perform regular security audits to identify misconfigurations or unused storage, accounts, and other resources. Implement security policies for how to store cloud data, scale up workloads, and require the use of proper access best practices.

To reduce the workload, adopt automation and tools where possible. You can continuously monitor cloud environments with a cloud security posture management (CSPM) solution for misconfigurations, compliance violations, vulnerabilities, and more.

Depending on your cloud environment, you could implement more specific tools such as Kubernetes security posture management (KSPM) or data security posture management (DSPM).

More specific mitigation techniques for misconfigurations mentioned above include:

  • Protect sensitive TCP ports (such as etcd on 2379/2380) with security group or firewall rules and access control lists that restrict access to authorized hosts or IP ranges only, and never expose them to the internet.
  • Limit ICMP rather than blocking it wholesale: rate-limit or drop echo requests from the internet and filter at the perimeter, but keep the ICMP types your stack depends on (destination unreachable and fragmentation needed for path MTU discovery, time exceeded for traceroute), or you will introduce hard-to-diagnose connectivity failures.
  • Keep S3 buckets secure with policies for AWS identity and access management (IAM) users and roles, S3 bucket policies, AWS Organizations service control and resource control policies, and by leaving S3 Block Public Access enabled at the account level so a stray public bucket policy or ACL is ignored.
  • Use a secrets manager, such as HashiCorp Vault, AWS Secrets Manager, or Google Cloud Secret Manager, to keep passwords, API keys, and other secrets out of code and configuration, and scan repositories for committed secrets.

2. Weak or inadequate IAM controls

As your organization migrates to the cloud and establishes its cloud environments, sometimes not enough thought is given to determining account access to data and applications. Many cloud incidents begin with attackers gaining access to accounts with improper authentication and authorization capabilities.

For one, this can result in some or all accounts having more permissions than necessary. Excessive permissions can result in insider threats or attackers gaining greater access to cloud data than they would if permissions were appropriately limited.

Poor or weak authentication and authorization methods can also let threat actors bypass access control or elevate privileges, even starting from a user account with otherwise ordinary permissions.

Examples of weak access control include relying on single-factor authentication, allowing password resets by email link alone for those accounts, and not enforcing a strong password policy.

How to mitigate weak IAM controls

To start, implement role-based access control (RBAC) so different cloud roles have appropriate authorization levels. Use the principle of least privilege (PoLP) to give individual accounts only the permissions needed to do their role and nothing more. 

Keep the number of standing admin accounts small: at least two, so a locked-out admin can be recovered by another, but no more than you can justify, because every admin account is a high-value target. Where possible, make admin access temporary through just-in-time elevation rather than standing privilege.

Strengthen account security by adopting strong password hygiene and policies, including: 

  • Require longer but not necessarily complex passwords (otherwise users will forget).
  • Create a blocklist of common or easily guessed passwords.
  • Use multi-factor authentication (MFA), federated identities, and password managers to reduce user friction during login, while improving account security.
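
The two checks below, written for this article as an added example (not Sysdig code and not an AWS tool), put the preceding advice on S3 bucket policies and least privilege into policy-as-code form. Given an AWS JSON policy document, `find_public_statements` flags Allow statements that a wildcard principal can use without a scoping condition, and `find_wildcard_grants` flags identity-policy statements that grant `*` or `service:*` on every resource. The sample policies, bucket name, and organization ID are constructed placeholders, and the set of "scoping" condition keys is an assumed starting list.

```python
"""Policy-as-code check for AWS JSON policy documents.

Two checks: Allow statements that a wildcard principal can use without a
scoping condition (public exposure), and Allow statements that grant
wildcard actions on every resource (excessive permissions).
"""
import json

# Condition keys that restrict a "*" principal to your own organization, VPC
# endpoint or accounts. Assumed starting set; extend it for your estate.
SCOPING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalarn", "aws:principalaccount",
    "aws:sourcevpce", "aws:sourcevpc", "aws:sourcearn", "aws:sourceaccount",
}


def _as_list(value):
    """IAM allows a string or a list for Principal, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _has_scoping_condition(statement):
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() in SCOPING_CONDITION_KEYS for key in operator_block):
            return True
    return False


def _allow_statements(policy_json):
    policy = json.loads(policy_json)
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def find_public_statements(policy_json):
    """Resource-policy statements reachable by anyone on the internet.
    NotPrincipal / NotAction forms are out of scope for this check."""
    return [
        {"sid": s.get("Sid", "<no Sid>"), "actions": _as_list(s.get("Action"))}
        for s in _allow_statements(policy_json)
        if _principal_is_public(s.get("Principal")) and not _has_scoping_condition(s)
    ]


def find_wildcard_grants(policy_json):
    """Identity-policy statements granting '*' or 'service:*' on Resource '*'."""
    findings = []
    for s in _allow_statements(policy_json):
        wild = [a for a in _as_list(s.get("Action")) if a == "*" or a.endswith(":*")]
        if wild and "*" in _as_list(s.get("Resource")):
            findings.append({"sid": s.get("Sid", "<no Sid>"), "actions": wild})
    return findings


# Constructed sample policies (bucket name and org ID are placeholders).
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
})

ADMIN_IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadLogs", "Effect": "Allow",
         "Action": ["logs:DescribeLogGroups", "logs:GetLogEvents"], "Resource": "*"},
        {"Sid": "OneBucket", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    print("public statements:", find_public_statements(PUBLIC_BUCKET_POLICY))
    print("wildcard grants:", find_wildcard_grants(ADMIN_IDENTITY_POLICY))
```

Only `PublicRead` is reported as public, because `OrgOnly` is scoped to one organization by its condition; only `FullAdmin` is reported as a wildcard grant, because `OneBucket` is wide on actions but scoped to a single resource. Checks like these belong in the CI pipeline that applies your infrastructure-as-code, so the policy is rejected before it ever reaches an account.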

Many traditional IAM tools used for on-premises can work in the cloud. However, the more complex your cloud environment, the less effective they’ll be. Cloud infrastructure entitlement management (CIEM) solutions are worth considering for deeper visibility and security of cloud identities.

3. Code weaknesses

Code weaknesses arise from poor coding practices, inappropriate input validation, and not integrating security into the software development lifecycle. This can lead to vulnerabilities that attackers can exploit.

Common code vulnerabilities include:

  • SQL injection: Attackers supply input that is concatenated into SQL queries, changing the query's structure and leading to database manipulation, data exposure, and authentication bypass.
  • Cross-site scripting: XSS occurs when threat actors get malicious script into a web page, which then executes in a victim's browser and lets the attacker act as the victim, steal session cookies, and more.
  • Buffer overflow: Attackers supply more data than a fixed-size buffer can hold, overflowing into adjacent memory and letting them overwrite or corrupt what is stored there, up to and including control data that redirects execution.

Despite how well known these weaknesses are, they remain common and successful. MITRE's 2025 CWE Top 25 Most Dangerous Software Weaknesses includes multiple variants of XSS and memory-safety weaknesses such as out-of-bounds writes, alongside improper input validation and broken access control.

How to mitigate common code weaknesses

To prevent or stop code weaknesses or vulnerabilities, organizations need to implement secure coding practices during development and use automated tools to scan for common vulnerabilities.

Developers need to use the secure software development lifecycle (SSDLC) to properly add security measures and controls into every phase of development. This helps account for potential risk and identify and remediate potential attack vectors before shipping an app.

Alongside using the SSDLC, developers can prevent or mitigate code vulnerabilities by using: 

  • Static application security testing (SAST) and infrastructure-as-code (IaC) scanning in the pipeline.
  • Dynamic application security testing (DAST) against running builds.
  • Runtime security to catch exploitation that slipped through.
  • Data encryption to limit what a successful exploit can read.
  • User input validation plus parameterized queries and context-aware output encoding, rather than ad hoc sanitization.
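
To make the SQL injection item concrete, here is an added example (written for this article, not code from the original page) that puts a vulnerable string-built login query next to the parameterized fix and adds allowlist validation as a second layer. It uses Python's built-in sqlite3 module with a constructed one-row users table; the table contents and the "password hash" value are placeholders.

```python
"""SQL injection: vulnerable string-building login next to the parameterized
fix, plus allowlist input validation as a second layer."""
import re
import sqlite3


def seed_db():
    """In-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    # Constructed sample; real systems store salted password hashes (argon2/bcrypt).
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-horse')")
    return conn


def login_vulnerable(conn, username, password_hash):
    """VULNERABLE: untrusted input is concatenated into the SQL text, so a
    quote in the input changes the query's structure."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password_hash):
    """Parameterized: values travel separately from the statement text, so
    quotes and SQL keywords in the input are only ever data."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def validate_username(username):
    """Allowlist validation: reject anything that is not a plausible username
    before it reaches any query. Defense in depth, not a substitute for
    parameterization."""
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    conn = seed_db()
    payload = "' OR '1'='1"  # classic tautology injection
    return {
        "vulnerable_bypass": login_vulnerable(conn, "alice", payload),      # True: anyone gets in
        "safe_bypass": login_safe(conn, "alice", payload),                  # False
        "safe_valid": login_safe(conn, "alice", "hash-of-correct-horse"),   # True
        "payload_passes_validation": validate_username(payload),            # False
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the vulnerable query becomes `... AND password_hash = '' OR '1'='1'`, which is true for every row, so the attacker is logged in without knowing any credential. The parameterized version sends the same payload as a plain string value and finds no match.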

4. Container and image vulnerabilities

More and more cloud workloads utilize containers and Kubernetes (K8s), especially ones dedicated to AI and generative AI. Improper container security can allow attackers to steal stored data and escape containers to move laterally in a system.

In November 2025, three runc CVEs allowed attackers to start containers with crafted mount configurations that bypassed the runtime's security restrictions.

Over time, container images drift out of date: if insecure libraries or dependencies in a base image are never patched, every container built from that image inherits the vulnerability.

Attackers also upload malicious images to public container registries under names that closely resemble legitimate images (typosquatting). An admin who misses the one-character difference deploys the attacker's image.

How to mitigate container and image vulnerabilities

The first step to discovering container or image vulnerabilities involves scanning each and comparing them for known CVEs. You can integrate security scanning into CI/CD pipelines to check after code changes. This will only identify known vulnerabilities, however.

To catch exploitation of zero days and other vulnerabilities that scanners cannot know about, implement container runtime security, which detects malicious behavior rather than known signatures. Runtime detection identified an additional 10% of hidden malicious images that static analysis and scanning missed.

Runtime security solutions monitor containers for anomalous behavior, discover configuration changes and issues, and work with secrets management tools and security information and event management (SIEM) solutions.

Kubernetes doesn't natively provide much runtime security beyond admission-time checks such as Pod Security Admission, so adopting runtime security tools lets you analyze K8s audit logs and enforce policies for access control and resource usage.

Seccomp, SELinux, and AppArmor are Linux kernel enforcement mechanisms that Kubernetes lets you apply per pod or container through the securityContext, while Falco (open source) provides threat detection from kernel system calls and from Kubernetes audit logs.

Lastly, use the CIS Docker Benchmark and CIS Kubernetes Benchmark from the Center for Internet Security as hardening baselines for containers and clusters. Sysdig's 2025 Cloud-Native Security and Usage Report showed that use of foundational and granular benchmarks improves overall security and compliance posture.
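
The following added example (written for this article; not Sysdig code, and not a substitute for Pod Security Admission or a KSPM product) lints a Kubernetes Pod manifest for the runtime hardening settings discussed above: host namespace sharing, privileged mode, privilege escalation, running as root, a writable root filesystem, dropped capabilities, a seccomp profile, and whether the image is pinned by digest (which also blunts tag-based typosquatting). The two Pod manifests, the registry name, and the all-zero digest are constructed placeholders.

```python
"""KSPM-style lint of a Kubernetes Pod manifest (JSON) for the runtime
hardening settings that contain a compromised container."""
import json

SECCOMP_OK = {"RuntimeDefault", "Localhost"}


def lint_pod(pod_json):
    """Return a list of human-readable findings; empty means hardened."""
    pod = json.loads(pod_json)
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []

    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod: {ns} shares a host namespace")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation not false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: does not drop ALL capabilities")
        # Container-level seccomp setting overrides the pod-level one.
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in SECCOMP_OK:
            findings.append(f"{name}: no seccomp profile (RuntimeDefault/Localhost)")
        if "@sha256:" not in image:
            findings.append(f"{name}: image {image!r} not pinned by digest")
    return findings


# Constructed manifests. The digest below is a placeholder, not a real image.
BAD_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "web", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
    },
})

HARDENED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "registry.example.com/web@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
})

if __name__ == "__main__":
    for finding in lint_pod(BAD_POD):
        print("BAD_POD:", finding)
    print("HARDENED_POD findings:", lint_pod(HARDENED_POD))
```

Run against `BAD_POD` this produces eight findings (one for the pod, seven for the container); `HARDENED_POD` produces none. The same conditions are what the Pod Security Standards "restricted" profile enforces at admission time, so a check like this in CI catches the manifest before the cluster has to.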

5. Insecure APIs

The cloud relies on APIs to connect disparate tools and applications to securely exchange data and communicate. Because of how powerful APIs are, attackers now target them frequently.

Weak authentication and authorization, and unpatched vulnerabilities, let attackers use APIs to steal sensitive data. In the 2024 Snowflake customer data breaches, for example, attackers did not need an exploit: they logged in to customer accounts using credentials stolen by infostealer malware, accounts that had not enforced MFA, and bulk-exported data including personally identifiable information (PII).

Other incidents involved abusing Google OAuth endpoints for session hijacking, abusing Docusign's APIs to send convincing phishing documents, and flooding APIs with requests in DDoS attacks.

How to mitigate API vulnerabilities

A good first step is to use API security scanning tools to discover unpatched vulnerabilities and misconfigurations. Schedule regular scanning to identify API vulnerabilities or automate continuous scanning depending on your available tools.

Implement API fuzzing to test how well the API handles unexpected values to parameters and its behavior.

Other ways to secure APIs include:

  • Put APIs behind a gateway or web application firewall (WAF) to filter malicious traffic, but treat it as a compensating control, not a replacement for fixing the API.
  • Use TLS for every API call and encrypt sensitive fields at rest, so a flaw in one API does not expose everything it can reach.
  • Authenticate and authorize every request. API keys identify a client but are not a substitute for user-level authorization; with OAuth 2.0 and JSON Web Tokens (JWT), validate the signature against a pinned algorithm and check the expiry and audience claims on every request, and never accept a token whose header claims "alg": "none".
  • Use rate limiting to prevent attackers from overwhelming an API, brute-forcing credentials, or scraping data.
  • Deploy API audit logging so you can reconstruct who called what and spot enumeration or abuse patterns.
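
The JWT checks above are easy to state and easy to get wrong, so here is an added example written for this article (standard library only, not code from the original page or from any JWT library) that issues an HS256 token and verifies it the defensive way: the algorithm is pinned rather than read from the token, the signature is compared in constant time, and expiry and audience are mandatory. The signing key, claims, timestamp, and audience names are constructed placeholders; a production HS256 key should be at least 32 random bytes.

```python
"""Minimal HS256 JWT issue/verify with the checks API gateways often get
wrong: pinned algorithm, constant-time signature comparison, expiry and
audience. Standard library only."""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, key: bytes) -> str:
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, audience: str, now=None) -> dict:
    """Return the claims if the token is valid for `audience`, else raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm. Never let the token's own "alg" choose the verifier:
    # that is how alg=none and RS256/HS256 key-confusion bypasses work.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired or has no exp")
    auds = claims.get("aud")
    auds = auds if isinstance(auds, list) else [auds]
    if audience not in auds:
        raise TokenError("audience mismatch")
    return claims


def forge_alg_none(token: str) -> str:
    """Attacker move: keep the payload, swap the header to alg=none, drop the signature."""
    _, payload_b64, _ = token.split(".")
    none_header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{none_header}.{payload_b64}."


def outcome(token: str, key: bytes, audience: str, now) -> str:
    """'ok' or the rejection reason; convenient for tests and audit logs."""
    try:
        verify_hs256(token, key, audience, now=now)
        return "ok"
    except TokenError as exc:
        return str(exc)


# Constructed demo values. Use >= 32 random bytes for a real HS256 key.
KEY = b"constructed-demo-key-use-32-random-bytes-in-production"
NOW = 1_700_000_000
GOOD_TOKEN = issue_hs256({"sub": "alice", "aud": "orders-api", "exp": NOW + 300}, KEY)

if __name__ == "__main__":
    print("valid:        ", outcome(GOOD_TOKEN, KEY, "orders-api", NOW))
    print("alg=none:     ", outcome(forge_alg_none(GOOD_TOKEN), KEY, "orders-api", NOW))
    print("expired:      ", outcome(GOOD_TOKEN, KEY, "orders-api", NOW + 600))
    print("wrong aud:    ", outcome(GOOD_TOKEN, KEY, "billing-api", NOW))
    print("wrong key:    ", outcome(GOOD_TOKEN, b"wrong-key", "orders-api", NOW))
```

The `forge_alg_none` helper shows why pinning matters: the forged token carries a perfectly valid payload and an empty signature, and a verifier that honours the header's `alg` would accept it. Checking `exp` and `aud` closes the other two common gaps, a replayed stale token and a token issued for a different service being accepted by this one.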

6. Shadow IT

Employees often prefer a specific application or service (Slack vs. Microsoft Teams) because they’re more comfortable with it or the approved software is more cumbersome. Now you have software operating outside IT purview, opening you up to security incidents or compliance violations.

Shadow IT has long been an issue, but remote work has exacerbated this problem. Employees could store sensitive data in this unapproved application or the app could lack strong enough security for enterprise use.

Unsanctioned application use can result in data exposure, reduced data storage visibility, and increase your organization’s attack surface.

How to mitigate shadow IT

The best way to reduce shadow IT is twofold: educating employees and gaining visibility into IT use.

Train employees to understand the risk they create for the organization by using unsanctioned applications, whether for communication, cloud storage, or anything else.

Create policies for employees to prevent and discourage the use of unapproved applications or hardware. But try to meet them in the middle by learning about what they need to get their work done and whether currently sanctioned apps fall short.

Determine if their preferred apps can be adopted and securely managed by the organization. Employees will be less likely to install a tool independently if they understand they can reach out to IT.

Secondly, have your security teams monitor cloud environments and workloads for unapproved applications or dependencies. Security tools like cloud-native application protection platform (CNAPP) can provide automated scanning and visibility into cloud environments.

7. Inadequate monitoring and logging

As organizations adopt disparate cloud tools, monitoring and logging can become more difficult. Visibility into cloud workloads and activity becomes limited and slows down discovering potential security vulnerabilities, misconfigurations, and incidents.

Poor logging makes it hard to reconstruct what cloud users actually did and can mask insider threats.

Data exposure risk increases as organizations spin up and down ephemeral workloads, like containers and virtual machines (VM), but lack proper visibility. From Sysdig’s 2025 usage report, 60% of containers live for a minute or less. Real-time monitoring and logging is needed to keep these short-lived workloads secure.

How to mitigate lack of visibility and logging

Implementing centralized continuous monitoring will improve visibility into cloud workloads and environments, while making it easier on security teams to discover and remediate vulnerabilities and misconfigurations.

Adopt a centralized monitoring solution that enables real-time visibility and logging into your complex cloud infrastructure.

Consider reviewing cloud resources and tools periodically for potential technology consolidation. Having fewer tools and applications in use can improve visibility and reduce the chances of sensitive data stored in unused or forgotten locations.

You can overcome data silos and disparate tools by adopting a CNAPP solution. A runtime-first CNAPP provides continuous visibility into cloud environments, closing visibility gaps and improving vulnerability management.
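
Centralized logging only pays off if something is watching the stream, so here is an added example (written for this article, not Sysdig code) of four detection rules run over CloudTrail-style records: root account activity, a console login that succeeded without MFA, an attempt to tamper with CloudTrail logging itself, and a request that weakens S3 Block Public Access. The five records are constructed to mirror CloudTrail's field layout; the account number, ARNs, bucket and trail names, and event IDs are placeholders.

```python
"""Detection rules run over CloudTrail-style records (NDJSON). Records are
constructed to mirror CloudTrail's field layout; ARNs and IDs are placeholders."""
import json


def _get(record, dotted_path, default=None):
    """Safe nested lookup: _get(r, 'userIdentity.type')."""
    cur = record
    for key in dotted_path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def _public_access_block_weakened(r):
    cfg = _get(r, "requestParameters.PublicAccessBlockConfiguration", {})
    return r.get("eventName") == "PutBucketPublicAccessBlock" and not all(
        cfg.get(k) is True for k in
        ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))


RULES = {
    "root-account-activity": lambda r: _get(r, "userIdentity.type") == "Root",
    "console-login-without-mfa": lambda r: (
        r.get("eventName") == "ConsoleLogin"
        and _get(r, "responseElements.ConsoleLogin") == "Success"
        and _get(r, "additionalEventData.MFAUsed") == "No"),
    "cloudtrail-logging-tampered": lambda r: (
        r.get("eventSource") == "cloudtrail.amazonaws.com"
        and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}),
    "public-access-block-disabled": _public_access_block_weakened,
}


def run_detections(ndjson: str):
    """Evaluate every rule against every record; one alert per (rule, record) hit."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        for rule, predicate in RULES.items():
            if predicate(r):
                alerts.append({"rule": rule, "eventID": r.get("eventID"),
                               "actor": _get(r, "userIdentity.arn"), "time": r.get("eventTime")})
    return alerts


def _event(event_id, name, source, identity, **extra):
    base = {"eventID": event_id, "eventTime": "2025-01-01T00:00:00Z", "eventName": name,
            "eventSource": source, "userIdentity": identity}
    base.update(extra)
    return base


# Constructed identities and events.
USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/example-role/session"}

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _event("evt-1", "ConsoleLogin", "signin.amazonaws.com", USER,
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _event("evt-2", "ConsoleLogin", "signin.amazonaws.com", USER,
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _event("evt-3", "StopLogging", "cloudtrail.amazonaws.com", ROOT,
           requestParameters={"name": "example-trail"}),
    _event("evt-4", "PutBucketPublicAccessBlock", "s3.amazonaws.com", ROLE,
           requestParameters={"bucketName": "example-bucket", "PublicAccessBlockConfiguration": {
               "BlockPublicAcls": False, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}),
    _event("evt-5", "GetObject", "s3.amazonaws.com", ROLE,
           requestParameters={"bucketName": "example-bucket", "key": "report.csv"}),
])

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Against the sample stream this raises four alerts: the MFA-less login (`evt-2`), two for the root user stopping the trail (`evt-3` trips both the root-activity and logging-tampered rules), and the weakened Block Public Access configuration (`evt-4`). The routine `GetObject` and the MFA-protected login produce nothing. The logging-tampered rule is the one to treat as highest severity: an attacker who can stop the trail is trying to remove exactly the visibility this section argues for.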

8. Multi-cloud and hybrid cloud complexity

Just as effective monitoring and security for data and other critical resources can be hindered by disparate cloud tools and workloads, complex multi-cloud or hybrid cloud environments can be, too.

Cloud service providers (CSP) secure their own services, but that security rarely extends to another provider's cloud or to your on-premises estate, which leaves coverage gaps at the seams between environments.

Visibility is a challenge in more complex cloud environments and can lead to policy disparity between environments, inconsistent access control, and shadow IT. 

Security policies may not work between different public clouds or if you have on-prem infrastructure.

Different clouds have different IAM, monitoring, and security capabilities, increasing the possibility for misconfigurations and data exposure. Not all cloud services play well together, creating another possibility for security gaps.

Multi-cloud and hybrid environments can also make it challenging to remain in compliance with different regulations, such as PCI DSS, HIPAA, DORA, or GDPR.

How to mitigate multi-cloud and hybrid cloud complexity

Much like with monitoring and logging issues, complex cloud environments benefit from a centralized and cloud-agnostic security and monitoring solution.

For example, you could use a SIEM tool to collect logs from each cloud environment and use a CNAPP or CSPM solution to monitor for misconfigurations, compliance violations, and security policy violations.

Use policy-as-code to define security policies once and enforce them in every cloud instead of wrangling a separate policy set per provider. Policy-as-code engines such as Open Policy Agent can also make authorization decisions, act as Kubernetes admission controllers, and gate infrastructure provisioning in CI/CD.

Add automation where possible, such as for security alerts and threat detection, to reduce the burden on your security teams.

Implement zero trust architecture to secure all cloud environments under one methodology. “Never trust, always verify” works well for complex cloud environments.

9. Poor data protection

Whether at rest or in transit, you need to keep data secure. Without data encryption, attackers can view and exfiltrate sensitive data, especially if it’s in improperly configured cloud storage.

Sensitive data remains at risk if encryption is misconfigured or if there is improper key management. Examples of poor key management include not rotating keys, hardcoding keys into HTML or source code, and inadequate access control.

How to mitigate poor data protection

Unsurprisingly, the first step involves encrypting data at rest and in transit to limit what attackers can do after a data breach.

Plan now for post-quantum cryptography: NIST published its first post-quantum standards in 2024 (FIPS 203, 204, and 205), and inventorying where you use public-key cryptography today avoids a painful migration later. Use TLS (HTTPS, and TLS for non-HTTP protocols) to encrypt data in transit.

Encryption at rest does not rescue a misconfigured bucket on its own. With provider-managed server-side encryption, the storage service decrypts transparently for anyone the bucket policy lets in, so a public bucket still leaks plaintext; what encryption at rest protects against is stolen disks and snapshots. Pair it with customer-managed KMS keys whose key policy restricts who can decrypt, and with strict authentication and authorization on the storage itself, so an attacker needs both access to the object and permission to use the key.

Other ways to strengthen data protection include:

  • Using PoLP to limit employee access.
  • Implementing MFA and strong password policies.
  • Adopting monitoring and logging solutions to spot suspicious or abnormal behavior.
  • Training employees on phishing, other common attacks, and proper data storage methods.
  • Using a hardware security module (HSM), or a cloud key management service backed by one, to keep encryption keys secure.

10. Unpatched software and systems

Keeping up with a constant stream of patches and rolling them out across the organization is a challenge. Timely patching of software and systems reduces the window in which attackers can exploit a critical vulnerability.

Organizations are exposed from the public disclosure of a CVE (and earlier, if it is being exploited as a zero day) until they patch it. The Verizon DBIR reported that teams took a median of 32 days to patch a vulnerability, if they patched it at all.

With the rise of AI, threat actors can very quickly create proof-of-concept attacks and working exploits to use against vulnerable environments. Security teams no longer have the luxury of time when it comes to addressing unpatched cloud vulnerabilities.

How to mitigate unpatched vulnerabilities

To reduce the risk of attackers exploiting unpatched vulnerabilities, organizations need to implement patch and vulnerability management. Automated vulnerability scanning enables organizations to understand where unpatched vulnerabilities exist.

From there, evaluate each vulnerability discovered and create a prioritized list of the ones most likely to affect active packages and software. Not every published CVE will relate to your organization or be a viable weakness.

Once vulnerabilities are identified, determine ownership for those deemed impactful for your organization and have those teams remediate vulnerabilities. Once done, create a report to understand where vulnerabilities existed and how quickly they were fixed.

Use automation and agentic cloud tools to identify, remediate, and create a report. CNAPP solutions, for example, often have automated vulnerability management capabilities.

11. Supply chain vulnerabilities

The software supply chain is now a popular attack vector because while your organization might have strong security, third parties with access to your data might not. 

Developers increasingly rely on third-party tools, software components, and dependencies to speed up application development. Vulnerabilities in these third-party technologies can create an attack vector into your organization. 

In 2025, the Shai-Hulud worm spread through the npm registry for the Node.js JavaScript runtime, using stolen maintainer credentials to publish trojanized versions of popular packages that harvested further credentials from every machine that installed them.

How to mitigate supply chain vulnerabilities

To help prevent and mitigate the impact of third-party vulnerabilities from affecting your organization, create software bills of materials (SBOM) for all software. SBOMs provide a comprehensive inventory of all components, dependencies, and libraries that comprise an application.

Creating your own and requesting SBOMs from suppliers enables you to determine where you use third-party tools and software so you can monitor for potential vulnerabilities.

Alongside SBOMs, pin dependencies and verify their integrity (lockfiles, checksums, signed packages where available), include third-party compromise scenarios in your incident response plans, use runtime security to continuously monitor for threats, and shift security left.
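
The patching and supply chain sections above describe one procedure: inventory what you run, match it against known vulnerabilities, and prioritize by real risk. The added example below (written for this article, not Sysdig code) carries that through end to end: it reads a CycloneDX SBOM, matches package URLs against a vulnerability feed, and ranks findings by CVSS, known-exploited status, and whether the package is actually loaded at runtime, which is the "runtime insight" the rest of the page keeps returning to. The SBOM, package names, advisory IDs (EXAMPLE-000x, not real CVEs), and the runtime-loaded set are all constructed; in practice the feed would come from sources such as NVD, OSV, or distribution advisories, plus CISA's KEV catalog.

```python
"""Match a CycloneDX SBOM against a vulnerability feed and prioritize by
exploitability (KEV) and whether the package is actually loaded at runtime.
Packages, versions and advisories below are constructed placeholders."""
import json


def parse_version(v):
    """Plain dotted numeric versions only (enough for the constructed data)."""
    return tuple(int(p) for p in v.split("."))


def sbom_purls(sbom_json):
    """Package URLs of every component in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    return [c["purl"] for c in bom.get("components", []) if "purl" in c]


def match_advisories(purls, advisories):
    """A finding for every (package, advisory) pair where version < fixed_in."""
    findings = []
    for purl in purls:
        pkg, version = purl.rsplit("@", 1)
        for adv in advisories:
            if adv["package"] == pkg and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"purl": purl, "advisory": adv["id"], "cvss": adv["cvss"],
                                 "kev": adv["kev"], "fixed_in": adv["fixed_in"]})
    return findings


def prioritize(findings, runtime_loaded):
    """Score = CVSS, +3 if known exploited, +2 if loaded at runtime else -2.
    Weights are an illustrative policy, not an industry standard."""
    for f in findings:
        score = f["cvss"]
        score += 3 if f["kev"] else 0
        score += 2 if f["purl"] in runtime_loaded else -2
        f["score"] = score
        f["priority"] = "P1" if score >= 9 else "P2" if score >= 7 else "P3"
    return sorted(findings, key=lambda f: -f["score"])


def triage(sbom_json, advisories, runtime_loaded):
    return prioritize(match_advisories(sbom_purls(sbom_json), advisories), runtime_loaded)


# Constructed SBOM (CycloneDX JSON shape) with placeholder packages.
SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-web-framework", "version": "2.3.1",
         "purl": "pkg:npm/example-web-framework@2.3.1"},
        {"type": "library", "name": "example-yaml-parser", "version": "5.1.0",
         "purl": "pkg:pypi/example-yaml-parser@5.1.0"},
        {"type": "library", "name": "example-logger", "version": "1.0.0",
         "purl": "pkg:npm/example-logger@1.0.0"},
        {"type": "library", "name": "example-crypto-lib", "version": "3.2.0",
         "purl": "pkg:pypi/example-crypto-lib@3.2.0"},
    ],
})

# Constructed advisory feed. IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "pkg:npm/example-web-framework", "fixed_in": "2.3.4", "cvss": 9.8, "kev": True},
    {"id": "EXAMPLE-0002", "package": "pkg:pypi/example-yaml-parser", "fixed_in": "5.4.0", "cvss": 7.5, "kev": False},
    {"id": "EXAMPLE-0003", "package": "pkg:npm/example-logger", "fixed_in": "1.0.0", "cvss": 6.1, "kev": False},
    {"id": "EXAMPLE-0004", "package": "pkg:pypi/example-crypto-lib", "fixed_in": "3.2.5", "cvss": 5.3, "kev": False},
]

# Constructed runtime observation: which SBOM components were actually loaded by running workloads.
RUNTIME_LOADED = {"pkg:npm/example-web-framework@2.3.1", "pkg:pypi/example-crypto-lib@3.2.0"}

if __name__ == "__main__":
    for f in triage(SBOM, ADVISORIES, RUNTIME_LOADED):
        print(f["priority"], f["purl"], f["advisory"], "fix in", f["fixed_in"])
```

Three of the four components are affected (the logger is already at its fixed version). The known-exploited framework flaw that is loaded at runtime lands at P1, the medium-severity crypto library issue is lifted to P2 because the code is actually running, and the higher-CVSS YAML parser flaw drops to P3 because nothing loads it. That reordering, rather than sorting by CVSS alone, is the point of bringing runtime context into vulnerability management.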

How to secure your organization from threats

The number of critical vulnerabilities facing an organization can be overwhelming, but there are ways to keep up and address them.

Alongside the specific mitigation techniques mentioned above for common cloud vulnerabilities, some general vulnerability management best practices include the following:

  1. Implement the vulnerability management lifecycle of discover, prioritize, remediate, and report.
  2. Shift left security for a secure software development lifecycle.
  3. Combine vulnerability scanning with runtime security.
  4. Adopt continuous compliance like drift detection and posture management.
  5. Use strong IAM, such as RBAC and MFA.
  6. Automate wherever possible to lessen workload of security and development teams.
  7. Align vulnerability prioritization with threat intelligence.
  8. Develop an efficient and effective patch management strategy.
  9. Implement security testing to ensure vulnerabilities are truly remediated.
  10. Develop policies and procedures on how to discover, prioritize, remediate, and report on vulnerabilities.
  11. Collaborate between security and development teams to tackle vulnerabilities.

Discover and mitigate cloud vulnerabilities with Sysdig

Attackers look to exploit common cloud vulnerabilities as soon as they exist. You need to move at cloud speed just to keep up and ensure your organization is secure.

With Sysdig's vulnerability management solution, you get runtime insights to understand the context around security vulnerabilities. By knowing the risk each vulnerability presents, you can prioritize remediating the ones most likely to affect you.

You can accelerate your vulnerability prioritization and response with Sysdig Sage-enabled vulnerability management. Sage helps speed up response to reduce exposure time from days to minutes.

Read here to learn about how to do vulnerability management the right way with Sysdig.
