🚨 Azure Wormable Bug Exposes Cloud Infrastructure, Lessons from Booking.com's 2M+ Secrets at Scale
A wormable RCE hits Azure Monitor Agent. The Verizon DBIR shows known vulnerability exploits are catching up to credential theft. And Booking.com reveals the tipping point where cloud-native secrets management breaks.
Hello from the Cloud-verse!
This week's Cloud Security Newsletter topic: Lessons from Booking.com's 2M+ Secrets at Scale (continue reading).
In case this is your 1st Cloud Security Newsletter: you are in good company!
You are reading this issue alongside friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc and more who subscribe to this newsletter and, like you, want to learn what's new in Cloud Security each week from their industry peers, as many others do by listening to Cloud Security Podcast and AI Security Podcast every week.
Welcome to this week's edition of the Cloud Security Newsletter!
This week brings critical infrastructure vulnerabilities alongside proven enterprise strategies for securing complex cloud environments. We examine the first cloud-native wormable bug of 2025 affecting Azure Monitor Agent, while learning from Booking.com's approach to managing secrets across bare metal, multi-cloud, and hybrid environments at massive scale.
Our featured expert, Dan Popescu from Booking.com, shares battle-tested insights from managing over 2 million secrets with 400,000-500,000 requests per minute across AWS, GCP, Azure, and bare metal infrastructure, demonstrating why cloud-native solutions don't always scale for enterprise hybrid environments.
📰 TL;DR for Busy Readers (New Addition!)
Azure’s first wormable RCE of 2025 (CVE-2025-47988) targets telemetry agents with lateral movement potential.
Exploitation of known vulns is up 34%, nearly eclipsing credential theft, per Verizon’s DBIR.
Booking.com manages 2M+ secrets across hybrid infrastructure, sharing where cloud-native tooling fails and why.
AWS expands GuardDuty to cover Aurora Limitless, pushing security-by-default deeper into data layers.
📰 THIS WEEK'S SECURITY HEADLINES
1. Azure Monitor Agent’s Wormable RCE (CVE-2025-47988)
Microsoft's July Patch Tuesday dropped a bombshell: the first wormable cloud-native vulnerability of 2025. CVE-2025-47988 is a critical vulnerability that allows unauthorized attackers to execute code over an adjacent network through Azure Monitor Agent, with no user interaction required for exploitation.
🧠 Insight: Many orgs disabled automatic extension upgrades for stability; this may now leave them with an unpatched attack surface. Patch manually if needed.
📌 Why It Matters: Azure Monitor Agent is deployed across enterprise cloud environments for telemetry collection, making this a significant attack surface. While the adjacent network requirement limits immediate internet exposure, enterprise networks with compromised endpoints could enable lateral movement. Organizations that disabled automatic extension upgrades face potential patch deployment gaps, requiring manual intervention.
📚 Source: Zero Day Initiative
2. Verizon DBIR 2025: Known-Vulnerability Exploitation Surges 34%, Nearly Tops Credential Theft
The latest Verizon Data Breach Investigations Report shows a 34% spike in known-vulnerability exploitation, which now accounts for 20% of breaches (1 in 5). Third-party involvement in breaches also doubled to 30%.
🧠 Insight: Attackers are moving faster than enterprise patch cycles. The next frontier? Weaponized supply chain lag.
Why It Matters: This trend puts renewed pressure on patch and asset-management vendors as cloud environments with complex third-party integrations face escalating risk. Attackers are exploiting unpatched software faster than organizational patch cycles, creating immediate urgency for automated vulnerability management and comprehensive third-party risk assessment programs.
📚 Source: Security Boulevard DBIR Summary
3. AWS GuardDuty Rolls Out RDS Protection for Aurora Limitless & Expands S3 Malware Scans
AWS quietly rolled out RDS Protection to Aurora PostgreSQL Limitless Database, automatically enabling GuardDuty monitoring for existing users and offering 30-day free trials for new adopters. This signals AWS's push into comprehensive data-layer threat detection.
🧠 Insight: With petabytes of data and millions of writes per second, Aurora Limitless becomes an obvious next target. GuardDuty's native inclusion reflects AWS’s shift to "secure-by-default."
Why It Matters: This expansion demonstrates AWS's commitment to defense-in-depth strategies across their entire database portfolio. Aurora Limitless Database can handle millions of write transactions per second and petabytes of data, making security monitoring critical for large-scale deployments. The automatic enablement shows AWS's confidence in the technology and represents a shift toward security-by-default.
📚 Source: AWS Docs on RDS Protection
CLOUD SECURITY TOPIC OF THE WEEK
Lessons from Booking.com's 2M+ Secrets at Scale
Booking.com runs 2M+ secrets with 400K+ reqs/min. Dan Popescu explains why cloud-native solutions like AWS Secrets Manager become unscalable technically and financially: “You’ll end up paying a lot. There’s no cloud-native tool that can span bare metal, AWS, GCP seamlessly.”
Other highlights from the conversation included: Breaking Point: Cloud-Native ≠ Enterprise Scale; Bare Metal Meets Multi-Cloud: Identity is the Bridge; Dynamic Secrets = Dev Problem; and finally, Economics: Cloud-Native Gets Expensive, Fast.
Featured Experts This Week 🎤
Dan Popescu - Senior Site Reliability Engineer at Booking.com
Ashish Rajan - CISO | Host, Cloud Security Podcast
Definitions and Core Concepts 📚
Before diving into our insights, let's clarify some key terms:
Dynamic vs. Static Secrets: Dynamic secrets are generated on-demand with short TTLs (time-to-live) and automatically rotated, while static secrets remain unchanged until manually rotated. Dynamic secrets provide enhanced security through regular rotation but require application-level refresh mechanisms.
HashiCorp Vault: An open-source secrets management tool that provides a unified interface for securing, storing, and tightly controlling access to tokens, passwords, certificates, and encryption keys across diverse infrastructure environments.
Secret Engines: Vault components that store, generate, or encrypt data. Examples include AWS secrets engine for generating AWS credentials, PKI engine for certificate management, and database engines for dynamic database credentials.
Adjacent Network Attack: A security vulnerability exploitable by attackers who have access to the same network segment as the target, typically through lateral movement after initial network compromise.
This week's issue is sponsored by Varonis.
Redefining Data Security Strategies for a Gen AI World
AI is transforming how we work — but is your data security keeping up?
Learn from our data security experts to better understand the AI risk landscape, how to protect your data without slowing down company progress, and better yet - how to use AI to your advantage for even better data protection.
Sign up today for our free session and get access to a free Generative AI risk assessment when you attend.
💡Our Insights from this Practitioner 🔍
1- The Breaking Point: When Cloud-Native Secrets Management Fails at Scale
Booking.com's experience reveals a critical threshold where cloud-native solutions become cost-prohibitive and functionally inadequate. Dan Popescu shares their stark reality: "To give you a sense of scale, we have involved more than 2 million secrets... I think four to 500,000 requests a minute, you will end up paying a lot."
This scale exposes fundamental limitations of cloud-native approaches beyond just cost. The challenge extends to cross-cloud connectivity: "There's not a cloud native tool that you can use that facilitates access from bare metal to AWS to GCP." For enterprises managing hybrid environments, this limitation becomes a deal-breaker requiring cloud-agnostic solutions.
Strategic Implication: Organizations should establish scale thresholds in their architecture decisions. While cloud-native solutions excel for single-cloud, moderate-scale deployments, enterprises managing multi-cloud or hybrid environments above certain volume thresholds need to evaluate cloud-agnostic alternatives early in their scaling journey.
2- The Hybrid Reality: Bridging Bare Metal and Multi-Cloud Environments
Modern enterprises rarely exist in pure cloud environments. Booking.com's hybrid architecture demonstrates the complexity of managing secrets across disparate infrastructure types. Dan explains the bridging challenge: "Vault somehow sits right in the middle because there's no kind of direct native integration between all these cloud providers and our bare metals. So Vault deals with basically it's a broker for authentication and authorization."
The bare metal integration challenge requires establishing machine identity without cloud-native IAM. This involves custom metadata provisioning during machine bootstrap and integration with configuration management tools like Puppet, Ansible, or Chef. The key insight is that bare metal machines need identity establishment before configuration management tools can function, creating a bootstrapping challenge.
Implementation Strategy: For hybrid environments, establish a standardized identity and authentication layer that works across all infrastructure types. This often requires deploying a secrets management solution that can authenticate both cloud instances (using native IAM) and bare metal machines (using custom metadata and certificates) through a unified interface.
3- Dynamic Secrets: The Application Architecture Challenge
The transition from static to dynamic secrets represents a fundamental shift in application architecture. Dan identifies the core challenge: "With static secrets you keep it four years, then you never care. So I think that's the biggest challenge... you need to have a refresh mechanism."
This transition requires applications to implement:
Local caching layers for connectivity resilience
File system event watching for secret updates
API polling mechanisms for secret refresh
Graceful handling of secret rotation during active operations
For organizations with diverse application stacks (Python, Java, Perl), this means either implementing refresh mechanisms in each application or building a local API layer that handles secret lifecycle management transparently.
Architectural Decision: Consider implementing a local secrets API that abstracts the complexity from applications. This approach allows applications to make simple API calls while the local service handles vault integration, caching, and refresh logic, reducing the burden on development teams while maintaining security.
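The local secrets service described above, sketched as an added example (this is not Booking.com's code and not a HashiCorp library): applications call `LocalSecretsCache.get()`, and the service handles lease-aware caching, refreshing ahead of expiry, and serving the still-valid cached credential if the backend is briefly unreachable during a rotation. It implements the caching and polling approach rather than file-system event watching. `FakeDynamicBackend`, the secret path and the TTL values are constructed stand-ins for a dynamic-secrets engine.

```python
"""Local secrets API with lease-aware caching and refresh (added example).

Not Booking.com's code: it illustrates the pattern the article describes,
where applications call a local service instead of the secrets backend
directly. The backend below is a constructed in-memory stand-in for a
dynamic-secrets engine; path names and TTLs are made-up values.
"""
import threading
import time
from dataclasses import dataclass


@dataclass
class Lease:
    value: dict       # credential material, e.g. {"username": ..., "password": ...}
    issued_at: float  # clock reading when the credential was minted
    ttl: float        # lease duration in seconds

    def age(self, now: float) -> float:
        return now - self.issued_at

    def expired(self, now: float) -> bool:
        return self.age(now) >= self.ttl


class FakeDynamicBackend:
    """Constructed stand-in for a dynamic secrets engine.

    Each read mints a new short-lived credential, the way a database secrets
    engine would. Setting `fail = True` simulates the backend being unreachable.
    """

    def __init__(self, ttl: float = 60.0, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self.counter = 0
        self.fail = False

    def read(self, path: str) -> Lease:
        if self.fail:
            raise ConnectionError(f"backend unreachable for {path}")
        self.counter += 1
        creds = {"username": f"v-app-{self.counter}", "password": f"pw-{self.counter}"}
        return Lease(value=creds, issued_at=self.clock(), ttl=self.ttl)


class LocalSecretsCache:
    """Serve secrets from a local cache, refreshing ahead of lease expiry.

    refresh_fraction: once this fraction of the TTL has elapsed, the next call
    fetches a fresh credential, so the application holds a valid one before
    the old lease is revoked. If the backend is down, the cached credential
    is served only while its lease is still valid; after that the error
    propagates rather than handing out a revoked secret.
    """

    def __init__(self, backend, refresh_fraction: float = 0.7, clock=time.monotonic):
        self.backend = backend
        self.refresh_fraction = refresh_fraction
        self.clock = clock
        self._cache: dict = {}
        self._lock = threading.Lock()  # one refresh at a time per process

    def get(self, path: str) -> dict:
        now = self.clock()
        with self._lock:
            cached = self._cache.get(path)
            if cached is not None and cached.age(now) < cached.ttl * self.refresh_fraction:
                return cached.value
            try:
                fresh = self.backend.read(path)
            except ConnectionError:
                if cached is not None and not cached.expired(now):
                    return cached.value  # degrade gracefully on a still-valid lease
                raise
            self._cache[path] = fresh
            return fresh.value


if __name__ == "__main__":
    cache = LocalSecretsCache(FakeDynamicBackend(ttl=60.0))
    print(cache.get("database/creds/payments-app"))
```

The refresh-before-expiry margin is the design choice worth keeping: an application that only refreshes when a credential stops working has already failed a request, and one that refreshes on every call defeats the point of caching under hundreds of thousands of requests a minute.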
4- Cost-Benefit Analysis: Enterprise vs. Cloud-Native Approaches
The economic reality of secrets management at scale often drives architectural decisions. While cloud-native solutions provide convenience and integration, enterprise solutions offer better economics for high-volume scenarios. Dan notes: "Because we have such a large infrastructure, I guess teams do not really care how much, how many secrets do they store because we are. The licensing costs aren't on the number of secrets... or the number of requests."
This economic model difference is crucial for growing organizations. Cloud-native services typically charge per secret stored and per request, while enterprise solutions often use flat licensing or usage-based models that become more economical at scale.
Strategic Guidance: Evaluate your secrets management economics based on projected scale. For organizations anticipating significant growth, model the cost curves of both approaches to identify the breakeven point where enterprise solutions become more economical than cloud-native alternatives.
5- Machine Identity in Hybrid Environments
Managing machine identity across hybrid environments requires different approaches for different infrastructure types. For cloud instances, native IAM provides machine identity, but bare metal requires custom solutions. Dan explains their approach: "Usually not. It should have some sort of token or something that identifies it... But yeah, it should have a different kind of, because most of the times... machines usually read... And then humans write."
The pattern they've established separates machine and human access patterns, with machines typically having read-only access and humans having write permissions. This separation enables different security models and audit trails for different access types.
Implementation Pattern: Design your secrets access patterns around the principle that machines primarily consume secrets while humans primarily manage them. This separation enables different authentication flows, permission models, and audit requirements for each access type.
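The machine-read / human-write split from the Implementation Pattern above, and the unified identity layer from section 2, as an added example (not Booking.com's or HashiCorp's code): a small evaluator that mirrors Vault-style path policies (longest-prefix match per policy, trailing `*` glob, explicit deny wins) and records an audit entry tagged with the identity kind, so the two access patterns produce separate trails. It assumes authentication (cloud IAM for instances, a bootstrap token or certificate for bare metal) has already produced the `Identity`; the policy contents and secret paths are constructed.

```python
"""Machine-read / human-write policy split with per-kind audit trail (added example).

Not Booking.com's or HashiCorp's code. Models Vault-style path policies so
the separation between machines that consume secrets and humans that manage
them can be reasoned about offline. Policies and paths are constructed.
"""
from dataclasses import dataclass, field

# Constructed policies: machines read only (and are denied the admin subtree
# even though the glob would cover it); humans create, update and delete.
MACHINE_POLICY = {
    "secret/data/payments/*": {"read"},
    "secret/data/payments/admin/*": {"deny"},
}
HUMAN_POLICY = {
    "secret/data/payments/*": {"create", "update", "read", "delete"},
    "secret/metadata/payments/*": {"list", "delete"},
}


@dataclass
class Identity:
    name: str
    kind: str                     # "machine" or "human", set by the auth step
    policies: list = field(default_factory=list)


AUDIT_LOG: list = []  # one record per decision; filter by kind for separate trails


def _longest_match(policy: dict, path: str):
    """Capabilities of the most specific rule matching `path`, or None."""
    best = None
    for pattern, caps in policy.items():
        if pattern.endswith("*"):
            hit = path.startswith(pattern[:-1])
        else:
            hit = path == pattern
        if hit and (best is None or len(pattern) > len(best[0])):
            best = (pattern, caps)
    return best[1] if best else None


def authorize(identity: Identity, path: str, capability: str) -> bool:
    """Union the matching capabilities across the identity's policies; deny wins."""
    granted = set()
    for policy in identity.policies:
        caps = _longest_match(policy, path)
        if caps:
            granted |= caps
    allowed = capability in granted and "deny" not in granted
    AUDIT_LOG.append({"who": identity.name, "kind": identity.kind, "path": path,
                      "capability": capability, "allowed": allowed})
    return allowed


def audit_trail(kind: str) -> list:
    """Return the audit records for one identity kind (machine or human)."""
    return [entry for entry in AUDIT_LOG if entry["kind"] == kind]


if __name__ == "__main__":
    worker = Identity("payments-worker", "machine", [MACHINE_POLICY])
    alice = Identity("alice", "human", [HUMAN_POLICY])
    print(authorize(worker, "secret/data/payments/db", "read"))
    print(authorize(worker, "secret/data/payments/db", "update"))
    print(authorize(alice, "secret/data/payments/db", "update"))
    print(audit_trail("machine"))
```

Keeping the write capabilities entirely out of the machine policy, rather than relying on application code to "only read", means a compromised workload credential cannot alter or delete secrets, and the machine audit trail should contain nothing but reads; any write attempt recorded there is itself a detection signal.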
HashiCorp Vault Documentation: Comprehensive guide to Vault deployment and configuration
AWS Secrets Manager vs. Cloud-Agnostic Solutions: Cost comparison framework for enterprise secrets management
Multi-Cloud Secrets Management Best Practices: NIST guidelines for secrets management across hybrid environments
Dynamic Secrets Implementation Guide: Technical patterns for implementing dynamic secret rotation
Question for you? (Reply to this email)
What would you start first with when building Secret Management in Cloud Environment?
Next week, we'll explore another critical aspect of cloud security. Stay tuned!
We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.
Thank you for continuing to subscribe, and welcome to the new members in this newsletter community💙
Peace!
Was this forwarded to you? You can Sign up here, to join our growing readership.
Want to sponsor the next newsletter edition? Let's make it happen
Have you joined our FREE Monthly Cloud Security Bootcamp yet?
Check out our sister podcast AI Security Podcast