Full Report
A new hacking competition called Zeroday Cloud, focused on open-source cloud and AI tools, announced a total prize pool of $4.5 million in bug bounties for researchers who submit exploits for various targets. [...]
Analysis Summary
# Vulnerability: Zeroday Cloud Hacking Contest Targets Cloud/AI Open-Source Software
## CVE Details
- CVE ID: N/A (This article covers a bug bounty hacking contest, not a specific, published vulnerability.)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: Ollama, vLLM, NVIDIA Container Toolkit, Kubernetes API Server, Kubelet Server, Grafana, Prometheus, Fluent Bit, Docker, containerd, Linux Kernel (Ubuntu specified), nginx, Apache Tomcat, Envoy, Caddy, Redis, PostgreSQL, MariaDB, Apache Airflow, Jenkins, GitLab CE.
- Versions: Specific versions are not listed in the announcement; testing is conducted against default configurations provided by the organizers.
- Configurations: Targets are run in default configurations provided via Docker containers for testing.
## Vulnerability Description
This article describes the announcement and structure of the "Zeroday Cloud" hacking competition, which offers a total of $4.5 million in bug bounties for researchers who can discover and successfully exploit security vulnerabilities in specified open-source cloud and AI technologies. The required impact for a successful submission is significant: complete compromise, defined as a full Container/VM Escape for virtualization targets, or 0-click Remote Code Execution (RCE) for other targets.
## Exploitation
- Status: Hypothetical/In-development (Researchers are actively trying to find exploits for these targets to win bounties).
- Complexity: Varies based on target ($10k to $300k bounties suggest varying levels of required complexity).
- Attack Vector: Primarily Remote (RCE) or Host-level compromise (Container/VM Escape).
## Impact
The impact depends entirely on the vulnerability discovered, but an exploit that meets the contest's bar (container/VM escape or 0-click RCE) would affect:
- Confidentiality: High (Due to potential RCE/System compromise)
- Integrity: High (Due to potential RCE/System compromise)
- Availability: High (Due to potential RCE/System compromise)
## Remediation
### Patches
- None are currently listed, as this announcement is about discovering new, previously unknown vulnerabilities (Zero-Days). Patches will be developed after successful submissions.
### Workarounds
- No general workarounds are provided, as the targets are a broad set of open-source components. The necessary step is to apply vendor security updates immediately upon their release (after exploitation is confirmed).
## Detection
- **Indicators of Compromise:** Undetermined until specific vulnerabilities are found. General detection should focus on anomalous activity within containers, container escapes, unexpected outbound network connections from cloud-native workloads, and unusual privilege escalation attempts.
- **Detection methods and tools:** Standard cloud security posture management (CSPM), container runtime security tools (e.g., Falco), and endpoint detection and response (EDR) solutions should monitor for the behavior associated with RCE or privilege escalation within the listed software stacks.
## References
- Zeroday Cloud Competition Homepage: hxxps://www.zeroday.cloud/
- Conditions and Resources: hxxps://github.com/wiz-sec-public/zeroday-cloud-2025
- Contest Rules: hxxps://www.zeroday.cloud/rules