Security Training Apps Become New Attack Vector for Malicious Actors

A new report reveals a concerning trend: security training applications, designed to enhance cybersecurity posture, are being exploited by malicious actors to gain access to cloud resources. This creates a novel and easily exploitable attack vector online.

  • A report published January 21, 2026, revealed widespread exploitation of security training applications.
  • These applications, designed for safe learning, are being compromised to gain access to cloud resources.
  • The issue affects organizations across multiple cloud platforms, including Amazon Web Services, Google Cloud, and Microsoft Azure.
  • Attackers are leveraging these vulnerabilities for remote code execution, credential theft, and cryptocurrency mining.

Imagine setting up a practice lock for aspiring burglars, then leaving the key under the mat. That’s essentially what’s happening with a growing number of security training applications, according to a recent investigation. Threat actors are actively exploiting intentionally vulnerable applications (tools designed to help security teams learn) to breach systems and steal data. The scale of the problem is alarming, with researchers identifying over 10,000 of these applications publicly accessible online.

The Allure of Predictable Vulnerabilities

Applications like OWASP Juice Shop, bWAPP, Damn Vulnerable Web Application, and Hackazon are intentionally built with known security flaws. The idea is to provide a safe, controlled environment for security professionals to practice their skills and understand attack vectors. However, the report showed that when these applications are deployed on real cloud infrastructure, connected to legitimate permissions, and left exposed, they become easy targets for malicious actors.

The investigation revealed that attackers are using these compromised applications to achieve remote code execution, deploy webshells, install cryptocurrency miners, and, critically, extract cloud credentials. In one instance, a Hackazon application running on a production Amazon Web Services (AWS) Elastic Compute Cloud server was breached through an insecure file upload function. Once inside, the attackers accessed cloud metadata services, obtained credentials, and expanded their access within the environment.

A Systemic Operational Issue

Researchers found these vulnerable applications hosted on Amazon Web Services (AWS), Google Cloud, and Microsoft Azure, with many belonging to Fortune 500 companies and major security vendors. The ease with which attackers can exploit these applications stems from several factors. Many instances are deployed with default credentials, unpatched components, or excessive cloud permissions.

Why are security training apps being exploited? Because they offer a predictable and low-effort attack path. The vulnerabilities are well-documented and easy to exploit, making them attractive targets for attackers seeking quick wins.

Moreover, because these applications are often viewed as harmless “lab tools,” they are frequently excluded from standard monitoring, logging, and patching procedures. This lack of oversight allows attackers to operate undetected for extended periods, extracting credentials and moving laterally through production systems.
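
The risk factors described in this section can be checked against a workload inventory. The following is an added example, not code from the report or this article; the inventory field names and the sample records are constructed assumptions.

```python
import re

# Name/image fragments for the training apps the article names.
TRAINING_APPS = {
    "OWASP Juice Shop": r"juice[-_ ]?shop",
    "bWAPP": r"bwapp",
    "Damn Vulnerable Web Application": r"dvwa|damn[-_ ]?vulnerable",
    "Hackazon": r"hackazon",
}

# Risk factors the article lists; the field names are hypothetical.
RISK_CHECKS = [
    ("publicly reachable", lambda w: bool(w.get("public"))),
    ("default credentials", lambda w: bool(w.get("default_credentials"))),
    ("cloud permissions attached", lambda w: bool(w.get("cloud_permissions"))),
    ("excluded from monitoring", lambda w: not w.get("monitored")),
    ("in production environment", lambda w: w.get("environment") == "production"),
]

def identify(workload):
    """Return the training app matched by the workload's name or image, else None."""
    text = f"{workload.get('name', '')} {workload.get('image', '')}".lower()
    for app, pattern in TRAINING_APPS.items():
        if re.search(pattern, text):
            return app
    return None

def audit(inventory):
    """Flag training apps and list which risk factors apply, worst first."""
    findings = []
    for w in inventory:
        app = identify(w)
        if app is not None:
            risks = [label for label, check in RISK_CHECKS if check(w)]
            findings.append({"name": w["name"], "app": app, "risks": risks})
    return sorted(findings, key=lambda f: len(f["risks"]), reverse=True)

# Constructed sample inventory, not an export from any real cloud API.
SAMPLE = [
    {"name": "training-dvwa", "image": "lab/dvwa", "public": False,
     "default_credentials": True, "cloud_permissions": [], "monitored": True,
     "environment": "lab"},
    {"name": "shop-demo", "image": "example/juice-shop:latest", "public": True,
     "default_credentials": True, "cloud_permissions": ["s3:*"], "monitored": False,
     "environment": "production"},
    {"name": "billing-api", "image": "corp/billing:4.2", "public": True,
     "default_credentials": False, "cloud_permissions": ["sqs:SendMessage"],
     "monitored": True, "environment": "production"},
]
```

Calling `audit(SAMPLE)` returns the two training apps with the production-facing one first; ordinary workloads such as `billing-api` are ignored.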

Mitigating the Risk

The core issue is a blind spot in security practices: tools intended for safe learning are being deployed in real-world environments with real privileges. This creates a new type of supply-chain vulnerability that impacts not only the organizations directly hosting these applications but also their vendors, cloud providers, and managed service providers.

To mitigate this risk, organizations should remove or isolate intentionally vulnerable training applications from production networks and cloud environments. Rest