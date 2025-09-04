Researchers uncovered serious misconfigurations on two Tencent Cloud subdomains that exposed plain-text administrative credentials, internal source code, and other sensitive files, raising concerns of potential large-scale exploitation, Cybernews reports

The vulnerabilities, first detected on July 23, 2025, reportedly provided root-level access to Tencent 's administrative console and backend services, with researchers warning that attackers could have hijacked infrastructure, tampered with APIs, or launched phishing campaigns under Tencent's trusted domain.

Cybernews said the exposed files, including weak passwords and a .git directory, had been publicly accessible for months. One affected service tied back to Tencent’s internal load balancer, while another involved the JEECG development platform promoted by Tencent Cloud.

Although the flaws were quickly reported and access closed, researchers cautioned that prolonged exposure left time for scraping bots or malicious actors to harvest data. Tencent later downplayed the findings, stating the system was an intentional "honeypot" security test, stressing that "no user data was exposed" and operations remained unaffected.