An interesting analysis of an intrusion capability that seems to draw the wrong conclusion:

> What is really important (and documented)[6] is that this registration does not persist across reboots of the portainer agent. This effectively means that a portainer agent with its port 9001 exposed may be taken over after a reboot if an attacker connects before the legitimate Portainer server.

What the documentation really states:

> For security reasons, the Edge server UI will shutdown after 15 minutes if no key has been specified. The agent will require a restart in order to access the Edge UI again.

In other words, if a user installs the Edge Agent and does not connect to it, it will shut down after 15 minutes. And if a server or the Docker agent restarts, it will again be exposed for 15 minutes.

In non-agent mode, the agent will use a digital signature or secret for communication.

If it was registered, it does not lose its persistent registration on a reboot (of the Portainer agent). The author seems to have mixed up a few things.

Yes, if you install the Portainer agent and never register it, it's exposed for a while, and IF you reboot your server/Docker agent, it will again be exposed (for a while). But it's not exposed if it was properly registered and the server/agent is rebooted.

For the rest, an interesting article about the infection.