INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Container Security Threat Analysis with KIRA AI
2026-05-29 07:00 | MEDIUM HIGH
Executive Summary (AI-generated)
The threat landscape is rapidly evolving, with new vulnerabilities and attack vectors emerging daily. A compromised container can be used for devastating Distributed Denial of Service (DDoS) attacks, cryptocurrency mining, or traffic proxying. Privilege escalation in Linux systems remains a common vector, allowing attackers to execute arbitrary commands as root without entering a password. Insecure file permissions also pose a significant risk, leading to privilege escalation and unauthorized access. Because a Docker image is a snapshot of a specific Linux distribution that does not receive security updates on its own, unpatched packages inside it give attackers an opening to inject malicious code into the container. As a result, organizations must prioritize robust security measures, including regular updates, patching, and monitoring for potential vulnerabilities.
Technical Mitigations (AI-generated)
• Regularly rebuild and redeploy Docker images to ensure timely updates.
• Use automated update processes for Docker images, if possible.
• Verify that updates work correctly, adjusting configurations where an upgrade requires it.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Kinsing
CVE-2021-4034
CVE-2026-24061
CVE-2025-55182
CVE-2025-49844
CVE-2023-4911
CVE-2025-32463
Target & Sectors
Global Scope
Incident Timeline
March 2026
The archive was replaced with malicious content, which led to the complete compromise of the container and allowed attackers to move laterally within the infrastructure.
infrastructure
Linux
Privilege escalation in the container
One of the most common vectors for initial compromise of Linux systems is RCE in web applications and network services.
organisation
changeMePlease
Consider the following Dockerfile snippet:
ENV SERVERNAME=localhost WWW_PATH_CONF=/etc/apache2/apache2.conf WWW_PATH_ROOT=/var/www HTTPS=on PKP_CLI_INSTALL=0 PKP_DB_HOST=db PKP_DB_NAME=pkp PKP_DB_USER=pkp PKP_DB_PASSWORD=changeMePlease PKP_WEB_CONF=/etc/apache2/conf-enabled/pkp.conf PKP_CONF=config.inc.php PKP_CMD=/usr/local/bin/pkp-start
In this example, the environment variable PKP_DB_PASSWORD is set to changeMePlease.
infrastructure
7.2-dev
Additionally, consider using a fixed release (tag) rather than the floating 7.2-dev branch.
organisation
KCS
Insecure image configurations detected by KCS based on rules
The situation is exacerbated by the fact that errors may be introduced by the authors of the original image, which complicates their detection, as this requires analyzing every layer and the command that generated it.
organisation
KIRA AI
Later in this section, we will examine examples of typical insecure configurations we discovered while scanning public images from Docker Hub, along with the descriptions of issues and risk mitigation methods provided by the KIRA AI assistant.
organisation
SSH
If SSH or another form of interactive access is enabled in the container, this could lead to its complete compromise and allow attackers to move laterally within the infrastructure.
organisation
Kubernetes Secrets, BuildKit
We also recommend using mechanisms for securely passing secrets at runtime (Docker secrets, Kubernetes Secrets) or, as a last resort, passing them via --secret during the build with BuildKit, but under no circumstances should they be left in the final image.
organisation
SQL
If an attacker gains the ability to execute code on behalf of the postgres user – through a vulnerability in a network service, an SQL injection, or by compromising one of the processes – they will immediately and unconditionally be able to execute any commands on behalf of the root user.
organisation
chmod 0755
To mitigate the risks, you can set the minimum necessary permissions: chmod 0755 for directories and chmod 0755/0644 for the corresponding files.
organisation
DNS
An attacker controlling the communication channel or DNS can replace the archive with malicious content, which will compromise the container and the entire environment in which it runs.
organisation
HTTPS
To mitigate the risks, you can configure connections to web resources to use HTTPS only — if the resource supports this protocol.
organisation
checksum
You can also download the archive without extracting it, compare its checksum (SHA256) with the checksum from a trusted source, and only then extract it.
organisation
PHP
Since the archive contains PHP code that will be executed by the web server, compromise during the build phase will result in the deployment of a backdoor or data leakage.
organisation
Conclusion
Docker
Conclusion
Docker containers have become a very popular means of deploying software, and attackers are by no means oblivious to this trend.
2026/05/29
The attackers used the CVE-2023-4911 (Looney Tunables) and CVE-2021-4034 (PwnKit) vulnerabilities to elevate privileges.
organisation
DDoS
At a minimum, a compromised container can be used for DDoS attacks, cryptocurrency mining, or traffic proxying.
infrastructure
Linux
A Docker image is, by its very nature, a snapshot of a specific Linux distribution after packages have been installed on it.
However, in most cases, it does not receive security updates on its own, unlike traditional Linux servers, where these updates are automatically installed by specialized services, such as unattended-upgrades in Debian-based distributions and dnf-automatic in RedHat-based distributions.
organisation
CVE-2023-4911
In addition to vulnerabilities that can be exploited remotely, attackers are rapidly adding local vulnerabilities to their arsenal, used to gain root privileges and escape the container: in the Kinsing malware campaign, attackers used CVE-2023-4911 (Looney Tunables) to elevate privileges, and in the perfctl campaign, the CVE-2021-4034 (PwnKit) vulnerability was used for the same purpose.
organisation
CVE-2025-32463, CVE-2025, Redis, RCE, CVE-2026
For example, some images contained the CVE-2025-49844 vulnerability in the Redis server, leading to RCE by leveraging a vulnerability in the Lua parser; the current CVE-2026-24061 vulnerability in nginx, which in some configurations leads to a server process crash, and with ASLR disabled, again, to RCE; vulnerabilities CVE-2025-32463 in sudo and CVE-2023-4911 in glibc, allowing an attacker to gain root privileges with local access.
organisation
Kaspersky Container Security
Analyzing vulnerabilities, risks and protection with Kaspersky Container Security and the KIRA AI assistant.
organisation
Docker
To minimize the risk of successful attacks on container infrastructure, it is essential to check the final Docker images, including all underlying layers, for vulnerabilities and misconfigurations.
organisation
Dockerfile
The easiest way to do this is by analyzing the Dockerfile; however, it is not always available for inspection.
organisation
KIRA
As part of this study, we asked KIRA to analyze a number of popular community images, and later in this article, we’ll show you the results.
organisation
Mirai
It was adopted by operators of many malicious campaigns, ranging from classic cryptocurrency miners to variants of Mirai and Gafgyt.
organisation
DockerHub
To assess the situation with unpatched vulnerabilities in containers, we took a random sample of 100 images, which included various popular solutions with 10,000 to 1 million downloads on DockerHub.
organisation
PoC
TOP 10 Critical Vulnerabilities with PoC/Exploits available as shown in the Kaspersky Container Security Dashboard
organisation
ENV
Let’s look at another image:
/bin/sh -c #(nop) ENV MOODLE_URL=… MOODLE_ADMIN admin MOODLE_ADMIN_PASSWORD
organisation
HEALTHCHECK CMD-SHELL
Passing passwords via command arguments
In some cases, passwords may be exposed when passed via command-line arguments, as these arguments are visible to all users on the system:
/bin/sh -c #(nop) HEALTHCHECK &{["CMD-SHELL" "mysql --protocol TCP -u\"root\" -p\"$MYSQL_ROOT_PASSWORD\" -e \"SELECT 1;\""] "15s" "30s" "0s" '\x05'}
In the example provided, the MySQL superuser password is passed into the healthcheck command in plaintext, making it visible when viewing the process list (ps aux), in audit logs, and in monitoring systems.
organisation
NOPASSWD
Consider the following example:
/bin/sh -c set -xe; apt-get update && apt-get -y install sudo; echo "solr ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/solr;
Tactical Metrics
Metrics
infrastructure
Linux
Affected Product
Metrics
infrastructure
7.2-dev
Software Version
Metrics
infrastructure
10,000,000,000
Downloads
Metrics
infrastructure
1,000,000
Downloads
Intelligence Sources
Kaspersky
2026-05-29
Tactical Intelligence
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:32
Comprehensive Tactical Telemetry
Highly Correlated Entities
33x | organisation | Identified Entity | DDoS
6x | vulnerability | Exploited CVE | CVE-2025-55182
4x | tactic | MITRE ATT&CK Technique | T1584.004 - Server
3x | timeline | Temporal Reference | March 2026
2x | tactic | Cyber Operation Type | DDoS
2x | infrastructure | Downloads | 10,000,000,000
Contextual Telemetry
Context Block
8 METRICS
infrastructure | Affected Product | Linux
malware | Malware Payload | Kinsing
infrastructure | Software Version | 7.2-dev
general metric | Dev | 7
general metric | Top Critical Vulnerabilities | 10
general metric | Chmod | 755
general metric | Permissions | 777
general metric | Research | 64