Any idea how it got there in the first place?
Not entirely sure, but my best guess is that the previous DevOps engineer was running a PostgreSQL 14 instance exposed to the internet with the password set to postgres. There's even an old CVE describing a remote code execution path for that kind of setup. Unfortunately, the PostgreSQL logs had been deleted, so I was never able to confirm it.