VYPR
research · Published Jan 21, 2026 · Updated May 18, 2026 · 1 source

Wiz Researchers Discover Critical AWS Console Vulnerability That Could Have Compromised Every Customer

Wiz researchers uncovered a critical cloud-stunt vulnerability in the AWS Console that, combined with a supply-chain issue in AWS CodeBuild, could have allowed attackers to gain control of any AWS customer's environment.

Wiz researchers have disclosed a critical vulnerability in the AWS Console that, when chained with a supply-chain weakness in AWS CodeBuild, could have allowed attackers to seize control of any AWS customer's cloud environment. The flaw, detailed in a Wiz blog post, represents a 'cloud-stunt' attack that exploits the trust relationships between AWS services to achieve broad cross-account compromise. AWS has since addressed the issue, though no CVE-ID was assigned.

The attack chain begins with a misconfiguration in the AWS Console, where Wiz researchers identified a mechanism to escalate privileges by manipulating the service's handling of cross-account roles. By abusing a misconfiguration in AWS CodeBuild, the researchers were able to inject malicious build artifacts that would be executed within a target customer's environment. This supply-chain vector allowed the attacker to effectively become an administrator of the victim's AWS account, gaining access to all resources, including S3 buckets, EC2 instances, and Lambda functions.

The impact of this vulnerability is staggering. With over one million active AWS customers, including major enterprises, governments, and startups, the potential for a single attacker to compromise any account would have represented a catastrophic failure of cloud security. The attack required no prior access to the victim's account and could be launched from a standard AWS user account, making it a low-barrier, high-impact threat. Wiz researchers demonstrated the attack in a controlled environment, confirming that it worked against a wide range of AWS configurations.

AWS has implemented mitigations to close the vulnerability, though the company has not disclosed the exact nature of the fix. The Wiz team noted that the flaw was reported through AWS's vulnerability disclosure program and was resolved within a reasonable timeframe. However, the lack of a CVE-ID has drawn criticism from some security experts, who argue that such a critical issue warrants formal tracking to ensure organizations can verify their exposure.

The discovery highlights a growing trend in cloud security research: chaining seemingly minor misconfigurations across multiple services to achieve catastrophic results. As cloud environments become increasingly complex, with hundreds of interconnected services, the attack surface expands exponentially. This incident serves as a stark reminder that cloud providers must rigorously audit their own infrastructure for cross-service trust issues, and that customers should adopt a zero-trust model even within their cloud accounts.

For AWS customers, the immediate takeaway is to review their CodeBuild configurations and ensure that cross-account roles are tightly scoped. While AWS has patched the specific vulnerability, the underlying architectural patterns that enabled this attack may persist in other services. Security teams should also monitor for unusual build activity and implement strict controls on build artifact sources. The Wiz research team has promised to release further technical details in the coming weeks, which will help the community better understand and defend against similar attack chains.
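The two review steps above (tightly scoped cross-account roles, and a strict allowlist for build artifact sources) can be turned into a repeatable offline check. The script below is an added example written for this article; it is not code from Wiz or AWS. It runs entirely on constructed sample data: the account ID, the source allowlist, and the example policies and projects are assumptions, and the project dicts are assumed to follow the shape of CodeBuild's describe-projects output (`name`, `source.type`, `source.location`) so that real output could be fed in later.

```python
"""Offline audit of IAM role trust policies and CodeBuild source locations.

Flags (1) roles that any AWS principal, or an external account without an
sts:ExternalId condition, may assume and (2) CodeBuild projects whose source
location is outside an allowlist. All sample data below is constructed.
"""

ACCOUNT_ID = "111111111111"  # assumed: the account being audited

# Assumed allowlist of trusted build source locations (constructed values).
ALLOWED_SOURCE_PREFIXES = (
    "https://github.com/example-org/",
    "arn:aws:s3:::example-org-build-sources/",
)


def _as_list(value):
    """IAM policy JSON allows a string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Return the AWS (account/role/user) principals of a statement; service
    principals such as codebuild.amazonaws.com are not cross-account trust."""
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        return set(_as_list(principal.get("AWS", [])))
    return set()


def account_of(principal):
    """Extract the 12-digit account from an ARN; bare account IDs pass through."""
    if principal == "*":
        return "*"
    parts = principal.split(":")  # arn:aws:iam::123456789012:role/name
    return parts[4] if len(parts) > 4 else principal


def audit_trust_policy(policy, own_account=ACCOUNT_ID):
    """Return a list of findings for an IAM role trust (AssumeRole) policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        conditions = stmt.get("Condition", {})
        has_external_id = "sts:ExternalId" in conditions.get("StringEquals", {})
        for principal in sorted(_aws_principals(stmt.get("Principal", {}))):
            acct = account_of(principal)
            if acct == "*":
                findings.append("wildcard principal can assume role")
            elif acct != own_account and not has_external_id:
                findings.append(
                    f"cross-account principal {principal} without sts:ExternalId condition"
                )
    return findings


def audit_codebuild_sources(projects, allowed_prefixes=ALLOWED_SOURCE_PREFIXES):
    """Return findings for projects whose source location is not allowlisted.

    `projects` is assumed to look like the 'projects' list returned by
    CodeBuild's describe-projects call (name, source.type, source.location)."""
    findings = []
    for project in projects:
        source = project.get("source", {})
        if source.get("type") == "NO_SOURCE":
            continue
        location = source.get("location", "")
        if not location.startswith(allowed_prefixes):
            findings.append(
                f"{project['name']}: source {location!r} is outside the allowlist"
            )
    return findings


# --- constructed sample input ------------------------------------------------
WEAK_TRUST_POLICY = {  # anyone on AWS may assume this role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}
UNSCOPED_CROSS_ACCOUNT_POLICY = {  # external account, no ExternalId
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                   "Action": "sts:AssumeRole"}],
}
SCOPED_TRUST_POLICY = {  # corrected form: ExternalId required; service principal ok
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
        {"Effect": "Allow", "Principal": {"Service": "codebuild.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}
SAMPLE_PROJECTS = [
    {"name": "app-build",
     "source": {"type": "GITHUB", "location": "https://github.com/example-org/app.git"}},
    {"name": "untrusted-build",
     "source": {"type": "GITHUB", "location": "https://github.com/someone-else/tools.git"}},
]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST_POLICY),
                          ("unscoped", UNSCOPED_CROSS_ACCOUNT_POLICY),
                          ("scoped", SCOPED_TRUST_POLICY)):
        print(label, audit_trust_policy(policy))
    print("codebuild", audit_codebuild_sources(SAMPLE_PROJECTS))
```

In practice the two functions would be fed the `AssumeRolePolicyDocument` of each role from an IAM listing and the project list from CodeBuild, but the checks themselves need no network access, which makes them easy to run in CI against exported configuration.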

Synthesized by Vypr AI