Critical cloud-infra flaws flagged

A reported critical authentication-bypass flaw in etcd could let attackers access sensitive Kubernetes control-plane APIs without authorization. (cyberpress.org) Separately, investigators say China-linked actors used a Linux ELF backdoor, typosquatted Alibaba domains and SMTP-based command-and-control to steal cloud credentials and metadata from workloads. (csoonline.com)

A flaw in etcd, the data store behind many distributed systems, can let unauthorized users call sensitive cluster functions if its gRPC interface is exposed. (nvd.nist.gov) etcd is the database that keeps state for systems such as Kubernetes, including which nodes exist and what data has changed. In CVE-2026-33413, affected etcd versions before 3.4.42, 3.5.28 and 3.6.9 can let unauthenticated or underprivileged users bypass checks on some application programming interface calls. (github.com) The exposed functions include MemberList, which reveals cluster topology; Alarm, which can be abused for denial of service; Lease functions, which can interfere with time-limited keys; and compaction, which can erase historical revisions used for watches and recovery. The National Vulnerability Database lists the issue as high severity with a Common Vulnerability Scoring System 3.1 score of 8.8. (nvd.nist.gov)

Typical Kubernetes setups are not the main exposure because Kubernetes usually does not depend on etcd's own login and permission system. The etcd project and the National Vulnerability Database both say the Kubernetes application programming interface server normally handles authentication and authorization itself. (github.com) The immediate risk is for operators that expose etcd's gRPC port to untrusted or partly trusted clients, especially beyond the narrow set of components meant to talk to it. The published workaround is to lock down network access to etcd ports and require mutual transport layer security, or mTLS, with tightly controlled client certificates until upgrades are complete. (nvd.nist.gov)

A separate investigation published April 14 traced a cloud credential theft campaign to a China-linked group known as APT41, also called Winnti, Wicked Panda, Barium, Silver Dragon and Brass Typhoon. Researchers said the group used a Linux Executable and Linkable Format backdoor to steal credentials and metadata from workloads running in Amazon Web Services, Google Cloud, Microsoft Azure and Alibaba Cloud. (csoonline.com) The backdoor used Simple Mail Transfer Protocol, or SMTP, on port 25 for command-and-control traffic instead of the web protocols defenders more often inspect. Dark Reading reported the same campaign on April 13 and said the operators also hid behind typosquatted domains that mimicked Alibaba infrastructure. (darkreading.com) Breakglass Intelligence said the campaign reflects six years of cloud tooling development by APT41, and one report cited three typosquatted domains registered within a 24-hour window on January 20 and 21, 2026. The infrastructure let the malware blend into ordinary cloud traffic while pulling identity and metadata tokens from compromised workloads. (cybersixt.com)

The two disclosures point at different weak spots in cloud infrastructure: one is a software access-control bug in a core data service, and the other is an espionage campaign aimed at the credentials workloads use to prove who they are. In both cases, the published guidance centers on reducing exposure, tightening identity controls and patching or rotating secrets before attackers can turn backend access into broader control. (nvd.nist.gov) (csoonline.com)
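To turn the etcd workaround into a concrete check, here is an added example (not etcd project code) that audits a node's version and client-listener settings against the published guidance: fixed release, no plaintext gRPC off the loopback, and client certificates required. It assumes the config is a flat dict keyed like etcd's listen-client-urls, client-cert-auth and trusted-ca-file flags; the sample configs, addresses and file paths are constructed.

```python
"""Audit an etcd node against the CVE-2026-33413 guidance: fixed version, and
client gRPC reachable from the network only over mTLS with client certs.
Added example, not etcd project code. Assumption: config is a flat dict whose
keys mirror etcd flags; sample addresses and paths below are constructed."""
# First fixed release per branch, as stated in the advisory.
FIXED = {(3, 4): (3, 4, 42), (3, 5): (3, 5, 28), (3, 6): (3, 6, 9)}
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

def parse_version(text):
    """'v3.5.27' -> (3, 5, 27)."""
    return tuple(int(p) for p in text.lstrip("v").split(".")[:3])

def is_patched(version):
    v = parse_version(version)
    if v[:2] in FIXED:
        return v >= FIXED[v[:2]]
    # Assumption for branches the advisory does not list: anything older
    # than 3.4 is unfixed, anything newer than 3.6 carries the fix.
    return v[:2] > (3, 6)

def audit(config, version):
    """Return findings; an empty list means the node meets the guidance."""
    findings = []
    if not is_patched(version):
        findings.append(f"etcd {version} predates the fix for CVE-2026-33413")
    for url in config.get("listen-client-urls", "http://localhost:2379").split(","):
        scheme, _, hostport = url.partition("://")
        host = hostport.rsplit(":", 1)[0]
        if host in LOOPBACK:
            continue  # loopback listener is not reachable from the network
        if scheme != "https":
            findings.append(f"{url}: plaintext gRPC exposed to the network")
        elif not config.get("client-cert-auth"):
            findings.append(f"{url}: TLS without client certificate authentication")
        elif not config.get("trusted-ca-file"):
            findings.append(f"{url}: client-cert-auth set but no trusted-ca-file")
    return findings

# Constructed sample configurations: the exposed setting beside the hardened one.
WEAK = {"listen-client-urls": "http://0.0.0.0:2379"}
HARDENED = {
    "listen-client-urls": "https://10.0.0.5:2379,https://127.0.0.1:2379",
    "cert-file": "/etc/etcd/server.crt", "key-file": "/etc/etcd/server.key",
    "client-cert-auth": True, "trusted-ca-file": "/etc/etcd/ca.crt",
}

if __name__ == "__main__":
    for name, cfg, ver in (("weak", WEAK, "3.5.27"), ("hardened", HARDENED, "3.5.28")):
        print(name, audit(cfg, ver) or "OK")
```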

Shared from Scout - Be the smartest in the room.