IT Brief Australia - Technology news for CIOs & IT decision-makers
Australia
Mandiant warns on exposed Cloud Run serverless apps

Mandiant warns on exposed Cloud Run serverless apps

Thu, 16th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

Google Cloud's Mandiant unit has outlined hardening measures for publicly exposed serverless applications on Cloud Run and related functions. The guidance focuses on how attackers can exploit weakly protected deployments to gain broader access within cloud environments.

The analysis centres on serverless applications that remain accessible from the public internet, often for business reasons, and warns that flaws in custom code or third-party packages can give attackers an opening. Common attack paths include local and remote file inclusion and command injection, which can lead to control of the underlying container instance.

That initial compromise can provide a path into other parts of a cloud estate. The report says attackers who exploit a vulnerable function often search for hardcoded secrets, inspect application logic for additional weaknesses and try to retrieve service account bearer tokens from the metadata service after achieving remote code execution.

One scenario involves a Python and Flask function that accepts user input and opens a file without validating the request. In that example, an attacker can request application source code or use directory traversal to retrieve files such as /etc/passwd, environment files, dependency manifests and logs.

Those files can reveal API keys, credentials, service endpoints and software versions. Such information can help an attacker identify known vulnerabilities, map internal architecture and find additional paths to sensitive systems.

A second scenario focuses on command injection. In the example, a Python function passes unsanitised user input to a shell execution method, allowing an attacker to run arbitrary commands and query Google Cloud metadata services for an OAuth 2.0 bearer token tied to the service account.

If that token belongs to a broadly privileged account, the consequences can be severe. A Cloud Run service using the default Compute Service Account with Editor permissions could give an attacker the equivalent of full project control, including the ability to read, write or delete resources, access secrets and keys, exfiltrate data and establish persistence.

Security controls

Mandiant urges organisations to address the risk through both development practices and runtime controls. It recommends a Secure Software Development Lifecycle that includes security scanning, code review, least-privilege identity and access management in CI/CD pipelines, and continuous security testing.

The guidance also addresses AI-generated software, which it describes as "vibe coding". It recommends isolating AI experimentation in sandbox environments, limiting data egress, restricting development to approved tools and verified plugins, and applying the same security controls to AI-assisted code.

For runtime defences, the document advises organisations to isolate public-facing Cloud Run services in a dedicated Google Cloud project rather than placing them alongside sensitive internal systems. That separation is meant to reduce the chance that a single exploited function becomes a direct bridge to critical resources.

It also recommends using custom service accounts instead of default compute accounts and granting only narrowly defined permissions. Examples include restricting Cloud Storage access to a specific bucket and limiting Secret Manager access to only the secrets a service needs.

Traffic filtering

Another recommendation is to restrict serverless ingress to internal traffic and place an external Layer 7 Application Load Balancer in front of internet-facing services. According to the analysis, that model provides greater control over headers and SSL policies, adds rate limiting and request controls, improves logging, and supports identity-based access policies where needed.

Within that setup, Cloud Armour is presented as a web application firewall layer that can block common local file inclusion and remote code execution attempts. The guidance includes examples of preconfigured rules designed to stop path traversal requests and attempts to extract metadata service tokens, returning a 403 Forbidden response when matched.

The report also notes that architecture-level controls matter beyond the application itself. For deployments using direct VPC egress or VPC Access connectors, it recommends VPC Service Controls to limit lateral movement and data exfiltration through more granular policies.

Google Cloud also pointed to Security Command Centre as a way to detect control plane attacks against Cloud Run resources. The service includes detectors for credential access, reconnaissance, and the execution of scripts or reverse shells on supported service tiers.

The broader message is that serverless adoption is spreading across eCommerce, media, payments and AI workloads, widening the attack surface for exposed functions. Robust code validation and continuous security testing remain essential to stop threats before serverless functions are published externally.