Tencent Cloud Leak Exposes Open Source Security Risks Through Jeecg Misconfigurations

Jeecg Misconfiguration at Tencent Cloud Raises Risks for Open Source Users

Tencent Cloud’s open-source-linked leak exposed credentials and code, raising global security concerns over weak safeguards in enterprise cloud environments.

Severe misconfigurations on two Tencent Cloud sites exposed sensitive credentials and internal source code, raising alarms about open source security risks in enterprise cloud environments.

Cybernews researchers discovered the flaws on July 23, 2025, reporting them a day later. Tencent acknowledged the issue as a ‘known problem’ and closed access before August 25, 2025, with public disclosure following on August 27, 2025. The exposed data had been accessible since at least April 2025, leaving months of risk.

The files included environment variables with hardcoded administrative console passwords, a .git directory containing project history and source code, and root console credentials. One affected service was linked to Tencent’s internal load balancer, while another subdomain hosted Jeecg, an open source development platform promoted by Tencent Cloud. The weak passwords, based on the company name, year, and symbols, further heightened the risk of compromise.

“If found by a malicious actor, these credentials could allow full access to backend infrastructure or internal services within Tencent Cloud,” Cybernews researchers warned. They added: “It opens up the whole trove of ways to exploit access like that.”

Experts said attackers could have gained full administrative access to production systems, tampered with APIs, attached malicious payloads to trusted front-end code, pivoted into Tencent’s internal infrastructure, or abused the domain for phishing campaigns.

“When the stakes involve cloud consoles, source code, and root access, there’s no such thing as a small leak. Tencent Cloud is a reputable and technically advanced platform, yet no one is immune to even basic operational oversights,” researchers noted.

The case highlights the wider supply chain risks of open source adoption in enterprise cloud services. As the exposed Jeecg deployment shows, even minor misconfigurations can escalate into systemic vulnerabilities, affecting millions of downstream users who rely on Tencent Cloud for gaming, finance, communication, and enterprise applications.
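The exposures described above (a served .git directory, environment files with hardcoded passwords, and passwords built from the company name, a year, and symbols) can be checked for before a directory is published. The following pre-deployment audit is an added example, not code from Cybernews, Tencent, or Jeecg; the key-name pattern, the function names, and the `ExampleCorp` sample data are assumptions constructed for illustration.

```python
import os
import re
import tempfile

SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN", re.I)  # assumed key naming

def is_predictable(value, org_names):
    """Match org name + 4-digit year with optional symbols around them."""
    return any(
        re.fullmatch(rf"[\W_]*{re.escape(n)}[\W_]*(19|20)\d\d[\W_]*", value, re.I)
        for n in org_names
    )

def audit_webroot(root, org_names):
    """Return sorted (kind, location) findings for a directory about to be served."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            findings.append(("git-dir", os.path.relpath(os.path.join(dirpath, ".git"), root)))
            dirnames.remove(".git")  # no need to walk repository internals
        for name in filenames:
            if name != ".env" and not name.startswith(".env."):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            findings.append(("env-file", rel))
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    key, sep, val = line.strip().partition("=")
                    val = val.strip().strip("'\"")
                    if not sep or key.startswith("#") or not val:
                        continue
                    if SECRET_KEY.search(key):
                        # Report the key name only, never the secret value.
                        kind = "predictable-password" if is_predictable(val, org_names) else "hardcoded-secret"
                        findings.append((kind, f"{rel}:{key.strip()}"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: ExampleCorp and all values here are made up."""
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("APP_PORT=8080\nADMIN_PASSWORD=ExampleCorp@2025!\nAPI_TOKEN=x9f2kq7w\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, where in audit_webroot(tmp, ["ExampleCorp"]):
            print(f"{kind:22} {where}")
```

Run as a gate in the deployment pipeline, any finding should fail the build; secrets that do need to exist belong in a secrets manager rather than in files under the served path.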
