During a recent adversary simulation for a Fortune 500 client in the financial sector, the Fugusan Threat Lab identified a critical logic flaw in a widely deployed Enterprise Cloud Telemetry Agent. By chaining a seemingly low-impact Local File Inclusion (LFI) vulnerability with a poorly scoped IAM execution role, we were able to escalate privileges to SYSTEM/root across the entire cloud fleet — 847 instances.
Vulnerability Overview
The agent exposes a local web server on port 8081 for configuration parsing. It failed to sanitize directory traversal sequences in the ?template= parameter, allowing arbitrary file reads on the host system.
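One way to implement the containment check that the ?template= handler lacked, as an added example that is not the vendor's code or part of the original write-up. The names resolve_template and TemplateRejected and the sample directory tree are hypothetical and constructed for illustration; the check goes beyond plain ../ sequences and also rejects encoded, absolute and symlinked paths.

```python
# Added example (hypothetical names, constructed sample tree): containment check.
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

class TemplateRejected(ValueError):
    """Requested template would resolve outside the template root."""

def resolve_template(template_dir: str, requested: str) -> str:
    decoded = requested
    for _ in range(5):  # decode repeatedly so %252e%252e cannot slip past
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise TemplateRejected("excessive encoding depth")
    if "\x00" in decoded or "\\" in decoded or os.path.isabs(decoded):
        raise TemplateRejected("absolute path, backslash or NUL byte")
    root = os.path.realpath(template_dir)
    # realpath collapses ".." and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(root, decoded))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise TemplateRejected("path escapes template root")
    if not os.path.isfile(candidate):
        raise TemplateRejected("no such template")
    return candidate

def demo() -> dict:
    # Constructed sample tree and inputs; runs offline in a temp directory.
    names = ["default.tpl", "../secret.txt", "%2e%2e%2fsecret.txt",
             "%252e%252e%252fsecret.txt", "/etc/hostname", "link.tpl"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "templates")
        root.mkdir()
        (root / "default.tpl").write_text("ok")
        Path(tmp, "secret.txt").write_text("outside")
        os.symlink(Path(tmp, "secret.txt"), root / "link.tpl")
        for name in names:
            try:
                resolve_template(str(root), name)
                results[name] = "served"
            except TemplateRejected as exc:
                results[name] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    print(demo())
```

The comparison is made on the fully resolved path rather than on the raw string, which is why the symlink inside the template directory is rejected along with the encoded variants.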
IAM Role Abuse — The Real Escalation
Extracting the JWT token was only the first step. Decoding the payload revealed that the agent was assigned an IAM role with the UpdateEnvironment permission — far broader than needed for telemetry collection. This allowed us to push an arbitrary deployment script to every host in the fleet.
Business Impact
This vulnerability chain allowed a low-privileged attacker with network access to the loopback interface (trivially achievable via any SSRF) to achieve remote code execution as SYSTEM across an organization's entire cloud fleet. In a real breach scenario, this would enable:
- Mass deployment of ransomware or cryptominers to all cloud instances
- Exfiltration of all secrets stored in environment variables fleet-wide
- Persistent backdoor installation surviving instance reboots
- Lateral movement to any service the agent fleet could reach
Remediation
We disclosed this vulnerability to the vendor under responsible disclosure, resulting in CVE-2026-10492 being issued. Patch timeline: reported Jan 15, 2026 → patched Feb 28, 2026 → publicly disclosed April 1, 2026.
- Update the agent to version 4.1.2 or later immediately
- Audit all IAM roles attached to service accounts — enforce least privilege rigorously
- Block all inbound and loopback connections to port 8081 except those from the localhost service user
- Implement egress filtering to prevent reverse shells from cloud instances