Kubernetes Environments See Increase in Threats

Summary: A recent report from Unit 42, the threat intelligence unit of Palo Alto Networks, reveals a concerning rise in targeted attacks against Kubernetes environments: a 282% increase over the past year, with the IT sector being the primary victim.

A recent report from Unit 42, the threat intelligence unit of Palo Alto Networks, highlights an alarming growth in targeted attacks on Kubernetes environments: a 282% increase over the last year.

The study not only quantifies the rise but also exposes a more worrying reality: attackers are perfecting techniques to exploit identities, weak configurations, and known vulnerabilities in cloud-native infrastructures.

One of the most critical findings of the report is the abuse of identities within Kubernetes.

Attackers are focusing on:

- Service Account tokens
- Excessive permissions in roles and bindings
- Access to the Kubernetes API server

When these tokens are compromised, they allow adversaries to:

- Authenticate as legitimate components
- Execute actions within the cluster
- Escalate privileges without exploiting additional vulnerabilities

This makes identity one of the weakest points in the Kubernetes security model.
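As an added example (not from the report or this article), the following Python audit flags the pattern described above: a service account bound to a role whose rules grant wildcard or credential-reading access. The object shapes follow the Kubernetes RBAC API as returned by `kubectl get ... -o json`; the roles and bindings themselves are constructed samples.

```python
# Resources and verbs that, granted to a service account, let its token holder
# read or mint credentials and therefore escalate without any further exploit.
RISKY_RESOURCES = {"*", "secrets", "serviceaccounts/token", "pods/exec"}
RISKY_VERBS = {"*", "get", "list", "create", "escalate", "bind", "impersonate"}


def risky_rules(role):
    """Return the rules of a Role/ClusterRole that pair a risky resource with a risky verb."""
    hits = []
    for rule in role.get("rules", []):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if resources & RISKY_RESOURCES and verbs & RISKY_VERBS:
            hits.append(rule)
    return hits


def audit_bindings(roles, bindings):
    """Return (namespace/serviceaccount, role name) pairs where a service account
    is bound to a role that contains at least one risky rule."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for binding in bindings:
        role = by_name.get(binding["roleRef"]["name"])
        if not role or not risky_rules(role):
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                sa = f"{subject.get('namespace', 'default')}/{subject['name']}"
                findings.append((sa, role["metadata"]["name"]))
    return findings


# Constructed sample: a wildcard ClusterRole bound to an application's service
# account (the weak setting) next to a least-privilege role that only reads ConfigMaps.
SAMPLE_ROLES = [
    {"metadata": {"name": "ops-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "ops-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "web-app", "namespace": "prod"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web-app", "namespace": "prod"}]},
]

if __name__ == "__main__":
    for sa, role in audit_bindings(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"service account {sa} is bound to over-privileged role {role}")
```

Run against real cluster output by loading the `items` arrays of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` in place of the samples.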

Exploitation of Vulnerabilities and Initial Access

The report also highlights the use of publicly known vulnerabilities such as:

- CVE-2025-55182

These flaws allow attackers to:

- Gain initial access to poorly configured clusters
- Execute arbitrary code
- Compromise exposed workloads

The combination of known vulnerabilities with poor configurations continues to be one of the main entry points.

Once inside, attackers do not stop at the initial point of access.

The report describes scenarios where:

- Attackers move laterally between pods and namespaces
- Secrets stored in the cluster are accessed
- Privileges are escalated to control complete nodes

This lateral movement allows attackers to reach critical systems, including:

- Financial platforms
- Sensitive databases
- High-value internal services

Advanced Techniques: Abuse of Frameworks and Remote Execution

A particularly interesting aspect of the report is the use of modern techniques to facilitate attacks:

- Abuse of application code in frameworks like React
- Injection of payloads that enable remote code execution (RCE)
- Concealment of malicious activities within legitimate applications

This demonstrates a convergence between frontend development and backend attack vectors.

Key facts

- 282% increase in threats to Kubernetes environments over the past year.
- IT sector accounted for 78% of observed activity.
- Exploitation of Service Account tokens and CVE-2025-55182.

Why it matters

This report is crucial for security defenders as it provides practical strategies to prevent and detect threats in Kubernetes environments, transforming them into resilient and defensible platforms against attacks.