Security News > 2023 > September > Hackers exploit MinIO storage system to breach corporate networks

Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers.
MinIO is an open-source object storage service offering compatibility with Amazon S3 and the ability to store unstructured data, logs, backups, and container images of up to 50TB in size.
During an incident response engagement, Security Joes analysts discovered that attackers attempted to install a modified version of the MinIO application, named Evil MinIO, which is available on GitHub.
As part of the attack, Evil MinIO chains both the CVE-2023-28432 information disclosure and the CVE-2023-28434 flaws to replace the MinIO software with modified code that adds a remotely accessible backdoor.
Once installed, the hackers exploited CVE-2023-28432 to remotely access the server's environment variables, including the MINIO SECRET KEY and MINIO ROOT PASSWORD variables.
These administrative credentials allow the hackers to access the MinIO admin console using the MinIO client.
News URL
Related news
- Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images (source)
- Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp (source)
- ⚡ Weekly Recap: VPN Exploits, Oracle's Silent Breach, ClickFix Surge and More (source)
- Hackers lurked in Treasury OCC’s systems since June 2023 breach (source)
- Hackers exploit WordPress plugin auth bypass hours after disclosure (source)
- Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices (source)
- ⚡ Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More (source)
- Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan (source)
- Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp (source)
- Lazarus hackers breach six companies in watering hole attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-22 | CVE-2023-28434 | Unspecified vulnerability in Minio Minio is a Multi-Cloud Object Storage framework. | 8.8 |
2023-03-22 | CVE-2023-28432 | Unspecified vulnerability in Minio Minio is a Multi-Cloud Object Storage framework. | 7.5 |