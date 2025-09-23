Researchers from Vrije Universiteit Amsterdam have shown that long-standing CPU flaws can still be exploited to steal sensitive data from public cloud environments, despite existing defenses, SecurityWeek reports.The team combined L1 Terminal Fault, also known as Foreshadow, with a variant of Spectre once thought unexploitable on modern processors, to develop "L1TF Reloaded," an attack capable of bypassing current mitigations.By chaining these vulnerabilities, the academics successfully leaked data across virtual machines on Google Cloud, including the TLS key of an Nginx server in about 14 hours.They noted that cloud providers effectively offer "remote code execution as a service," making such attacks more feasible. While similar tests against AWS yielded only non-sensitive information, Google awarded the researchers $151,515, their top bug bounty payout, for exposing the risk. The findings underscore that addressing transient execution flaws individually is insufficient and call for stronger approaches such as address space isolation or secret-free hypervisors.
Researchers expose new cloud CPU attack
