Remediated vulnerability

BreakingFormation: Vulnerability in AWS CloudFormation

Risk Level

Compromised (1)


Where was this vulnerability found?

CloudFormation is an AWS service that enables you to easily provision AWS resources (such as EC2 instances and S3 buckets) using templates. CloudFormation API calls allow for the dynamic creation and configuration of cloud resources.

BreakingFormation Vulnerability

The Orca Research Pod discovered a zero-day vulnerability that allowed a server within CloudFormation to be compromised, which in turn, could have been used to run as an AWS infrastructure service.

An anomaly in the way that CloudFormation renders templates could be leveraged to trigger an XXE vulnerability, which could have been used to read files and perform HTTP requests on behalf of the server. The server contained multiple service binaries containing AWS server-side logic, as well as configuration files for connecting to internal AWS endpoints and services.

How did Orca help?

Orca Security immediately reported the issue to AWS, which acted quickly to fix it. The AWS security team coded a fix in less than 25 hours, and it reached all AWS regions within 6 days.
Orca Security researchers helped test the fix to ensure that this vulnerability was correctly resolved, and we were able to verify that it could no longer be exploited.

The Orca Security Research Team continues to dig around different cloud products and services to find such zero-day vulnerabilities. Our goal is to discover these vulnerabilities before any malicious actors do.


Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents.