Abuse of Apache APISIX: Misconfigurations in the wild
Report summary
During an assessment of exposed cloud-native environments, Atos TRC identified compromise activity targeting Apache APISIX¹ API gateway deployments backed by internet-exposed etcd configuration stores. The observed activity involved unauthenticated write access to etcd on port 2379, allowing malicious APISIX configuration to be inserted directly into the gateway control plane.
Atos TRC identified two distinct activity clusters operating on the same infrastructure, each leveraging the same root cause. One cluster deployed an XMRig cryptocurrency miner through a Pastebin-hosted dropper, while another established remote access using a MeshCentral agent as a Remote Monitoring and Management (RMM) tool. The distinction between these clusters is based primarily on differences in modus operandi, tooling, and apparent objectives, and should be treated as a low-confidence analytical hypothesis rather than confirmed actor attribution.
The observed activity abused APISIX’s serverless-pre-function plugin to inject malicious Lua code into the HTTP request lifecycle, enabling command execution from the APISIX runtime environment without requiring APISIX Admin API access. Impact depends on deployment context, including whether APISIX runs on bare metal or inside a container.
Although such misconfigurations are unlikely in hardened production environments, a Censys² exposure query returned hundreds of internet-facing results. These exposures should be interpreted as indicators of potentially non-hardened APISIX-adjacent deployments. Even where systems are non-production or otherwise lower-tier, they may still represent meaningful risk if attackers use them for persistence, environment discovery, or potential pivoting toward more sensitive infrastructure.
This article details the technical findings of Apache APISIX misconfiguration abuse.
Read the full research here.
¹ apisix.apache.org (visited June 25th, 2026)
² search.censys.io (visited June 12th, 2026)
Posted on: June 29, 2026
![]()
Georges Pisant
Adversary Researcher


