Security researchers have uncovered over 336,000 exposed Prometheus monitoring servers and data collectors ("exporters") that are leaking sensitive information and vulnerable to cyber attacks.
The widespread exposure affects organizations using the popular open-source Prometheus software for monitoring application and cloud infrastructure performance. Researchers from Aqua Nautilus identified more than 40,000 exposed Prometheus servers and 296,000 exposed exporters accessible on the public internet.
The investigation revealed that these exposed instances are leaking plaintext passwords, authentication tokens, and internal API addresses that could enable malicious actors to launch attacks. In one example, researchers found an unauthenticated Prometheus instance belonging to Skoda Auto that exposed company subdomains and Docker registry information.
Beyond data exposure, the researchers demonstrated how attackers could exploit default debugging endpoints to execute denial-of-service (DoS) attacks. In testing, they successfully crashed Amazon Web Services EC2 instances and Kubernetes pods by overloading these endpoints.
The research also highlighted a "repojacking" vulnerability affecting several Prometheus exporters. This occurs when attackers claim abandoned GitHub usernames and inject malicious code into projects that still reference the old accounts. While Prometheus has addressed the specific cases identified, the broader risk remains across open source projects.
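The dependency check a maintainer can run against this pattern, as an added example that is not code from Aqua Nautilus or the Prometheus project: it parses the `github.com` requirements out of a Go `go.mod` (exporters are Go programs) and flags any whose owner/repo slug no longer resolves to the same repository. The sample `go.mod`, the `CONSTRUCTED_GITHUB_STATE` table and `demo_resolver` are constructed assumptions standing in for a live GitHub lookup.

```python
"""Flag Go module dependencies whose GitHub slug has moved or vanished.

A slug that now redirects to a renamed owner, or that no longer exists, is the
precondition for repojacking: the original username can be re-registered and the
old import path will then serve whatever the new registrant publishes.
Constructed example; go.mod text and resolver are assumptions.
"""
import re
from typing import Callable, List, Optional, Tuple

# Matches "github.com/<owner>/<repo>[/subpath] v<version>" both inside a
# "require ( ... )" block and on a single-line "require ..." directive.
GITHUB_REQUIRE = re.compile(
    r"^\s*(?:require\s+)?(github\.com/([^/\s]+)/([^/\s]+)(?:/\S*)?)\s+v\S+"
)

# Constructed go.mod for a hypothetical exporter (not a real project file).
SAMPLE_GO_MOD = """module example.com/my-exporter

go 1.21

require (
	github.com/prometheus/client_golang v1.19.0
	github.com/old-maintainer/helper-lib v0.3.1
	github.com/gone-user/abandoned-pkg v0.1.0 // indirect
)
"""

# Constructed stand-in for GitHub's answer to "where does owner/repo live now?".
# A real resolver would GET the repos API for the slug, follow the rename
# redirect, and return the canonical full_name (or None on 404).
CONSTRUCTED_GITHUB_STATE = {
    "prometheus/client_golang": "prometheus/client_golang",  # unchanged
    "old-maintainer/helper-lib": "new-org/helper-lib",       # owner renamed
    # "gone-user/abandoned-pkg" is absent: repository deleted
}


def demo_resolver(owner: str, repo: str) -> Optional[str]:
    """Canonical 'owner/repo' for a slug, or None if it no longer exists."""
    return CONSTRUCTED_GITHUB_STATE.get(f"{owner}/{repo}")


def parse_github_requires(gomod: str) -> List[Tuple[str, str, str]]:
    """Return (module_path, owner, repo) for every github.com requirement."""
    deps = []
    for line in gomod.splitlines():
        m = GITHUB_REQUIRE.match(line)
        if m:
            deps.append((m.group(1), m.group(2), m.group(3)))
    return deps


def repojacking_findings(
    gomod: str, resolve: Callable[[str, str], Optional[str]]
) -> List[Tuple[str, str, str]]:
    """Return (module_path, status, detail) for dependencies at risk.

    status is "redirected" when the slug now points at a different owner/repo
    (the old slug may be claimable) or "missing" when it no longer exists.
    """
    findings = []
    for path, owner, repo in parse_github_requires(gomod):
        requested = f"{owner}/{repo}"
        canonical = resolve(owner, repo)
        if canonical is None:
            findings.append((path, "missing", "repository no longer exists"))
        elif canonical.lower() != requested.lower():
            findings.append(
                (path, "redirected",
                 f"now served from {canonical}; original slug may be claimable")
            )
    return findings


if __name__ == "__main__":
    for path, status, detail in repojacking_findings(SAMPLE_GO_MOD, demo_resolver):
        print(f"{status:10} {path}: {detail}")
```

In a real pipeline the resolver is the only part to swap out; pinning the module checksum in `go.sum` still protects existing builds, so the finding matters most at the moment a dependency is upgraded or a fresh clone resolves the path again.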
"We think that it's only statistics — it's only information about the health of the system. That's the problem," notes Assaf Morag, director of threat intelligence at Aqua Nautilus, explaining why many organizations may underestimate the security implications.
Organizations using Prometheus can protect themselves by:
- Taking servers and exporters offline from public access
- Adding authentication requirements
- Implementing DoS protection measures
- Regularly monitoring dependencies for suspicious changes
The findings underscore the need for improved security awareness around open source monitoring tools and careful management of public-facing infrastructure components.