The Shadowserver Foundation has started scanning the internet for Kubernetes API servers and found roughly 380,000 that allow some form of access.
ShadowServer is conducting daily scans of the IPv4 space on ports 443 and 6443, looking for IP addresses that respond with an HTTP 200 OK status, which indicates that the request has succeeded.
Of the more than 450,000 Kubernetes API instances identified by Shadowserver, 381,645 responded with “200 OK”. This does not mean these servers are fully open or vulnerable to attacks, but Shadowserver believes they represent an “unnecessarily exposed attack surface” and this level of access was likely not intended.
More than half of the exposed instances are located in the United States, with many also seen in Western Europe, Southeast Asia, and Australia.
The scans conducted by Shadowserver also show the Kubernetes version (1.17 through 1.22 are the most popular) and the platform (Linux/amd64 accounts for a vast majority of exposed instances).
The nonprofit cybersecurity organization says subscribers will get free data on the accessible Kubernetes instances in their network. Users who are notified about open instances have been advised to read the official guide on securing access to the Kubernetes API.
Shadowserver recently also started conducting daily internet scans to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks.
Related: Severe Vulnerability Patched in CRI-O Container Engine for Kubernetes
Related: New CISA and NSA Guidance Details Steps to Harden Kubernetes Systems

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
