More than half of exposed security training applications are still protected by default credentials, a gap that threat actors are actively exploiting to compromise cloud environments, according to new research from Pentera Labs.
The study examined 1,926 publicly accessible vulnerable applications, including Damn Vulnerable Web Application (DVWA), OWASP Juice Shop, bWAPP, and Hackazon, with DVWA representing the most critical findings.
Of the 1,926 verified instances, 616 were DVWA deployments. Of these, 334 (54%) were accessible using the default “admin:password” login, the highest default-credential exposure rate among the applications surveyed.

That single oversight was enough to grant attackers full administrative control and allow them to downgrade internal security settings, making every built-in vulnerability easy to exploit.
Once logged in, attackers leveraged insecure file upload functionality to deploy PHP web shells. These malicious scripts provided complete control over the underlying server, including file system access, command execution, and long-term persistence through self-healing processes that automatically respawned if removed.
How A Training App Turns Into A Cloud Breach
Pentera Labs’ research focused on cloud-hosted environments running on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. After achieving Remote Code Execution (RCE), attackers rapidly shifted from application exploitation to cloud compromise by harvesting credentials from instance metadata services.

The report documents a consistent attack chain enabling high-impact outcomes, from credential harvesting (SSH keys, API tokens) and IAM escalation via metadata services, to data exposure in cloud storage and persistence through crypto-mining instances. These attacks were verified in real-world cases affecting major vendors including Cloudflare, F5, and Palo Alto Networks.
In multiple verified cases, attackers escalated privileges to gain administrator-level access across entire cloud accounts, allowing them to exfiltrate sensitive data, manipulate resources, or embed long-term backdoors, without ever returning to the original training application.
The research shows that none of the observed compromises required zero-day vulnerabilities or advanced techniques. Instead, they relied on basic failures such as unchanged default credentials, excessive permissions, and unmanaged cloud assets.
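For defenders, the three conditions in that chain (an exposed training app, a metadata service that hands out credentials, and an over-privileged role) can be checked from instance inventory. The following is an added example, not code from the Pentera Labs report: it assumes AWS, records shaped like EC2 `describe-instances` output, and a constructed map from instance profile ARN to attached policy names; the tag matching, sample IDs and ARNs are hypothetical.

```python
"""Audit training-app instances for the exposure conditions described above."""

# Name fragments for the applications named in the study (matching by tag is an assumption).
TRAINING_APPS = ("dvwa", "juice-shop", "juiceshop", "bwapp", "hackazon")
# AWS managed policies that grant account-wide or IAM-wide control.
BROAD_POLICIES = {"AdministratorAccess", "PowerUserAccess", "IAMFullAccess"}


def tags_of(instance):
    """Flatten the EC2 Tags list into a lowercase key -> value dict."""
    return {t["Key"].lower(): t["Value"].lower() for t in instance.get("Tags", [])}


def audit(instances, profile_policies):
    """Return one finding per training-app instance that has at least one risk."""
    findings = []
    for inst in instances:
        values = tags_of(inst).values()
        if not any(app in v for v in values for app in TRAINING_APPS):
            continue  # not identifiable as a training application
        risks = []
        if inst.get("PublicIpAddress"):
            risks.append("publicly reachable")
        # HttpTokens "optional" means token-less IMDSv1 requests are still answered.
        if inst.get("MetadataOptions", {}).get("HttpTokens", "optional") != "required":
            risks.append("IMDSv1 allowed")
        arn = inst.get("IamInstanceProfile", {}).get("Arn")
        broad = sorted(BROAD_POLICIES & set(profile_policies.get(arn, [])))
        if broad:
            risks.append("broad role: " + ", ".join(broad))
        if risks:
            findings.append({"id": inst["InstanceId"], "risks": risks})
    return findings


# Constructed sample inventory (IDs, IPs and ARNs are placeholders).
LAB_ARN = "arn:aws:iam::111111111111:instance-profile/lab"
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.10",
     "MetadataOptions": {"HttpTokens": "optional"},
     "IamInstanceProfile": {"Arn": LAB_ARN},
     "Tags": [{"Key": "Name", "Value": "DVWA-lab"}]},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpTokens": "required"},
     "Tags": [{"Key": "Name", "Value": "juice-shop-internal"}]},
    {"InstanceId": "i-0ccc", "PublicIpAddress": "203.0.113.20",
     "Tags": [{"Key": "Name", "Value": "prod-api"}]},
]
SAMPLE_POLICIES = {LAB_ARN: ["AdministratorAccess", "AmazonS3ReadOnlyAccess"]}

if __name__ == "__main__":
    for f in audit(SAMPLE_INSTANCES, SAMPLE_POLICIES):
        print(f["id"], "->", "; ".join(f["risks"]))
```

An instance that shows all three risks is the configuration the research describes; removing any one of them breaks the path from the training app to the cloud account.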