Kaspersky Container Security Adds KIRA AI Assistant to Scan Docker Images for Vulnerabilities and Misconfigurations
Kaspersky Container Security now includes the KIRA AI assistant to analyze Docker images for vulnerabilities and misconfigurations, revealing that 90% of popular Docker Hub images contain outdated packages with critical flaws.
Kaspersky Container Security has integrated a new AI assistant named KIRA to automatically analyze Docker images for software vulnerabilities, insecure configurations, and other security risks. The tool, detailed in a May 29, 2026 report from Securelist, scans container images across all layers, identifying outdated packages and providing remediation recommendations. The announcement comes as containerized infrastructure becomes an increasingly attractive target for attackers seeking to launch DDoS attacks, cryptocurrency mining, or lateral movement within enterprise networks.
KIRA uses artificial intelligence to inspect Dockerfiles and underlying base images, flagging issues that developers might overlook when pulling pre-built images from repositories like Docker Hub. According to Kaspersky, many popular images are snapshots of Linux distributions that do not receive automatic security updates, unlike traditional servers. To demonstrate the scale of the problem, Kaspersky scanned a random sample of 100 popular Docker Hub images with 10,000 to 1 million downloads each. The results showed that 64 of those images contained outdated software versions with critical vulnerabilities, and only one in ten images was fully up to date.
Among the critical vulnerabilities discovered were CVE-2025-55182 in React Server Components, which was actively exploited within a day of disclosure by campaigns ranging from cryptocurrency miners to Mirai and Gafgyt botnets. Other flaws included CVE-2025-49844 in Redis server, leading to remote code execution via a Lua parser vulnerability; CVE-2026-24061 in nginx, which can cause server crashes or RCE when ASLR is disabled; and privilege escalation flaws like CVE-2025-32463 in sudo and CVE-2023-4911 (Looney Tunables) in glibc. The report noted that attackers are rapidly incorporating both remote and local vulnerabilities into their arsenals, using the latter for privilege escalation and container escape.
The KIRA assistant not only identifies vulnerabilities but also highlights insecure configurations that could lead to container escape or lateral movement. Kaspersky emphasized that attackers often exploit configuration errors, such as running containers with excessive privileges or exposing sensitive ports. The tool provides actionable recommendations to fix each issue, helping security teams prioritize remediation. The report also warned that attackers are using compromised containers to automatically search for and infect new targets, as seen in campaigns spreading the Dero miner.
Kaspersky's findings underscore a broader trend in container security: the rapid weaponization of disclosed vulnerabilities. The report noted that attackers are constantly adding new distribution methods and can use dozens of exploits targeting various vulnerabilities and configuration errors in popular services. For example, the Kinsing malware campaign used CVE-2023-4911 to elevate privileges, while the perfctl campaign leveraged CVE-2021-4034 (PwnKit) to install rootkits. These examples highlight the importance of continuous scanning and patching for containerized environments.
The integration of KIRA into Kaspersky Container Security reflects a growing industry move toward AI-assisted vulnerability management. By automating the analysis of container images, the tool aims to reduce the burden on security teams and accelerate the identification of critical flaws. As container adoption continues to rise, tools like KIRA may become essential for maintaining security in DevOps pipelines, especially given the prevalence of outdated packages in public repositories.