Critical RCE in Pyroscope's Tencent COS Backend

A critical vulnerability, tracked as CVE-2025-41118, has been identified in Pyroscope, an open-source continuous profiling database. According to the National Vulnerability Database, this flaw carries a CVSS score of 9.1, classifying it as critical.

The vulnerability surfaces when Pyroscope is configured to use Tencent Cloud Object Storage (COS) as its storage backend. An attacker with direct access to the Pyroscope API could exploit this weakness to extract the secret_key configuration value, i.e. the COS credential the server itself uses. Direct API access is a prerequisite, which underscores the importance of stringent network segmentation and access controls for database instances.

Patches are available across several Pyroscope release lines. Users on the 1.15.x branch should upgrade to version 1.15.2 or higher. For those on 1.16.x, version 1.16.1 and above address the issue. All versions in the 1.17.x series are already patched. The National Vulnerability Database credits Théo Cusnir for reporting this vulnerability via a bug bounty program.
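To turn the version guidance above into a repeatable check against an inventory of deployments, here is an added Go example (not code from Pyroscope or from the advisory). It parses release strings, applies the three fixed-in boundaries the advisory names (1.15.2, 1.16.1, 1.17.0), and only flags instances that actually use the Tencent COS backend, since other backends are not exposed. The inventory is constructed sample data; the handling of release lines the advisory does not mention (older than 1.15, newer than 1.17) is an assumption noted in the comments.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed Pyroscope release number (major.minor.patch).
type Version struct{ Major, Minor, Patch int }

// ParseVersion accepts strings like "1.15.1" or "v1.16.0". Pre-release or
// build suffixes such as "-rc1" are dropped (assumption: compare the base).
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("expected major.minor.patch, got %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// fixedIn maps each release line named in the advisory to the first patched
// patch level on that line: 1.15.2, 1.16.1, and every 1.17.x release.
var fixedIn = map[[2]int]int{
	{1, 15}: 2,
	{1, 16}: 1,
	{1, 17}: 0,
}

// Vulnerable reports whether a Pyroscope instance is affected by
// CVE-2025-41118. Per the advisory, only deployments using the Tencent COS
// storage backend are exposed, so usesTencentCOS gates the result.
func Vulnerable(version string, usesTencentCOS bool) (bool, error) {
	v, err := ParseVersion(version)
	if err != nil {
		return false, err
	}
	if !usesTencentCOS {
		return false, nil // not using COS: not exposed per the advisory
	}
	if fix, ok := fixedIn[[2]int{v.Major, v.Minor}]; ok {
		return v.Patch < fix, nil
	}
	// Assumption (not stated by the advisory): lines older than 1.15 predate
	// every fix and are treated as affected; lines newer than 1.17 as patched.
	if v.Major < 1 || (v.Major == 1 && v.Minor < 15) {
		return true, nil
	}
	return false, nil
}

func main() {
	// Constructed inventory for illustration; not real hosts.
	inventory := []struct {
		host, version string
		cos           bool
	}{
		{"profiling-a", "1.15.1", true},
		{"profiling-b", "1.15.2", true},
		{"profiling-c", "1.16.0", false},
		{"profiling-d", "v1.17.0", true},
	}
	for _, h := range inventory {
		vuln, err := Vulnerable(h.version, h.cos)
		if err != nil {
			fmt.Printf("%-12s parse error: %v\n", h.host, err)
			continue
		}
		fmt.Printf("%-12s %-8s cos=%-5v vulnerable=%v\n", h.host, h.version, h.cos, vuln)
	}
}
```

In the sample inventory only profiling-a is flagged: profiling-c is on an unpatched 1.16.0 but does not use COS, and the other two are at or past the fixed patch level on their line. Feed the function the version and backend reported by each instance's configuration to produce an upgrade list.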

Related ATT&CK Techniques

T1078.004 (Valid Accounts: Cloud Accounts), Initial Access

Detection Rules

Sigma rule (severity high, mapped to T1078.004): Credential Abuse from Breached Vendor — CVE-2025-41118. The rule is auto-generated and is also offered in Splunk SPL, Sentinel KQL, Elastic Lucene, QRadar AQL, and Wazuh formats.

Indicators of Compromise

ID              Type                    Indicator
CVE-2025-41118  Information Disclosure  Pyroscope database configured with Tencent COS storage backend
CVE-2025-41118  Information Disclosure  Pyroscope API secret_key extraction
CVE-2025-41118  Misconfiguration        Pyroscope versions < 1.15.2, < 1.16.1, < 1.17.0
