If your engineering or DevOps teams ran KICS scans using affected versions, attackers likely hold copies of your cloud infrastructure credentials and API keys — giving them the ability to access, modify, or destroy cloud-hosted systems, data, and services without additional authentication. A credential compromise of this type can result in unauthorized data access triggering breach notification obligations under GDPR, CCPA, or sector-specific regulations, direct financial loss from cloud resource abuse, and significant operational disruption if attackers leverage stolen credentials to alter or disable infrastructure. Reputational damage escalates if customer data is exposed through compromised cloud environments.
You Are Affected If
You pulled or ran KICS Docker image tags checkmarx/kics:v2.1.20, checkmarx/kics:alpine, or checkmarx/kics:v2.1.21 in any CI/CD pipeline or local environment
You have Checkmarx KICS VS Code Extension version 1.17.0 or 1.19.0 installed on developer workstations used to scan IaC files containing secrets
Your Terraform, CloudFormation, or Kubernetes IaC files contain embedded cloud credentials, API keys, or secrets (rather than referencing a secrets manager)
Your CI/CD pipeline agents running KICS have network egress to the internet without strict allowlist-based outbound controls
You did not pin KICS Docker images by digest and relied on mutable tags, leaving your pipeline vulnerable to tag-overwrite supply chain attacks
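To turn the image-tag and digest-pinning criteria above into a repeatable check, here is an added example (written for this page, not code from the advisory or from Checkmarx): a small Python script that scans CI pipeline or Dockerfile text for checkmarx/kics image references, flags the affected tags named above, and flags every reference that relies on a mutable tag instead of a digest pin. The affected tag set comes from this page; the sample pipeline text, the digest placeholder, and the regex for how image references appear in YAML are constructed assumptions.

```python
"""Find KICS image references in CI configs and report affected / unpinned ones.

Added example for this advisory; not Checkmarx code. Affected tags are the
ones named in the advisory. Sample input and the digest value are constructed.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Image tags the advisory names as affected (from the page, not assumed).
AFFECTED_TAGS = {"v2.1.20", "alpine", "v2.1.21"}

# Matches checkmarx/kics with an optional registry prefix (e.g. docker.io/),
# an optional :tag and an optional @sha256:<digest>. The negative lookahead
# stops the pattern from matching longer repository names that merely start
# with "checkmarx/kics". This regex is an assumption about how references
# appear in YAML and Dockerfiles.
IMAGE_RE = re.compile(
    r"(?P<image>(?:[\w.-]+(?::\d+)?/)?checkmarx/kics(?![\w.-]))"
    r"(?::(?P<tag>\w[\w.-]*))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)


@dataclass
class Finding:
    line_no: int
    reference: str
    tag: Optional[str]
    digest: Optional[str]
    affected: bool  # tag is one the advisory names
    mutable: bool   # no digest pin: upstream can overwrite what the tag points to


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per KICS image reference found in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in IMAGE_RE.finditer(line):
            tag, digest = m.group("tag"), m.group("digest")
            findings.append(Finding(
                line_no=line_no,
                reference=m.group(0),
                tag=tag,
                digest=digest,
                affected=tag in AFFECTED_TAGS,
                mutable=digest is None,
            ))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


def summarize(findings: List[Finding]) -> dict:
    """Counts a triage lead would want: total references, affected, unpinned."""
    return {
        "references": len(findings),
        "affected": sum(1 for f in findings if f.affected),
        "unpinned": sum(1 for f in findings if f.mutable),
    }


# Constructed placeholder digest (64 hex zeros); NOT a real KICS image digest.
PINNED_DIGEST = "sha256:" + "0" * 64

# Constructed sample pipeline snippet; not taken from any real repository.
SAMPLE_PIPELINE = f"""\
jobs:
  iac-scan:
    runs-on: ubuntu-latest
    container:
      image: checkmarx/kics:v2.1.21
    steps:
      - run: docker run --rm -v "$PWD":/path checkmarx/kics:alpine scan -p /path
      - run: docker run --rm checkmarx/kics:v2.0.0 scan -p /path
      - run: docker run --rm checkmarx/kics:v2.0.0@{PINNED_DIGEST} scan -p /path
"""


def report(findings: List[Finding]) -> None:
    for f in findings:
        status = []
        if f.affected:
            status.append("AFFECTED TAG")
        if f.mutable:
            status.append("UNPINNED (no digest)")
        print(f"line {f.line_no}: {f.reference}  ->  {', '.join(status) or 'ok'}")
    print(summarize(findings))


if __name__ == "__main__":
    # Scan files given on the command line, or the constructed sample if none.
    paths = sys.argv[1:]
    if paths:
        for p in paths:
            print(f"== {p}")
            report(scan_file(p))
    else:
        report(scan_text(SAMPLE_PIPELINE))
```

Run it with `python kics_image_check.py .github/workflows/*.yml Dockerfile` (a hypothetical filename) to list every reference; any line marked AFFECTED TAG means the affected-version criterion applies, and any line marked UNPINNED is a candidate for replacing the tag with an `@sha256:` digest pin once you have verified the digest from a trusted source.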
Board Talking Points
Attackers compromised a widely used infrastructure security scanning tool and used it to steal the cloud credentials it was scanning — the security tool itself became the attack vector.
Any team using the affected tool versions should rotate all cloud access credentials immediately and audit cloud environments for unauthorized activity within the next 24 hours.
Organizations that do not act immediately risk attackers leveraging stolen credentials to access or destroy cloud infrastructure, potentially triggering regulatory breach notifications and significant operational disruption.
GDPR — if cloud environments accessed via stolen credentials store personal data of EU residents, unauthorized access constitutes a reportable breach under Article 33
CCPA — if compromised cloud infrastructure contains California resident personal information, credential theft may trigger breach disclosure obligations
PCI-DSS — if IaC files scanned by affected KICS versions reference or contain credentials for systems in the cardholder data environment, those credentials must be treated as compromised and incident response procedures initiated