As per the official documentation:

“The Spring Boot developer tools are not just limited to local development. You can also use several features when running applications remotely. Remote support is opt-in. To enable it, you need to make sure that devtools is included in the repackaged archive”

So the feature is disabled by default. To enable it, developers must include devtools in the packaged archive and set a secret through the spring.devtools.remote.secret property; the remote client then authenticates to the running application with that same secret.

The official documentation itself demonstrates the feature with a weak example secret:

The screenshot above shows how weak that example secret is (the reference documentation sets spring.devtools.remote.secret=mysecret). Moreover, looking at the official tutorials from Pivotal:

The tutorial likewise uses the weak secret. Pivotal already warns against enabling this feature in production, so would it pose any risk if enabled in other environments?

The answer is yes. Developers tend to use DevTools for debugging, either on their laptops or in a testing environment. In many Red Teaming Operations¹ the initial foothold comes from low-hanging fruit such as Tomcat or Jenkins instances with weak passwords. DevTools poses a similar risk: because developers use this feature on the organization's internal network, an attacker who can reach the instance and knows or guesses the secret can compromise the running application and gain an initial foothold in the network.
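As an added example (not code from the original post or from the Spring project), the following Python script is the kind of check a security team can run over application.properties files collected from internal repositories or build servers, to spot non-production deployments that have remote DevTools enabled with a copied placeholder secret. The property name and the value mysecret come from the Spring Boot reference documentation; the other placeholder values, the length threshold and the sample properties file are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Property that turns on Spring Boot DevTools remote support (name taken from
# the Spring Boot reference documentation).
REMOTE_SECRET_KEY = "spring.devtools.remote.secret"

# Placeholder secrets that get copied verbatim from documentation and tutorials.
# "mysecret" is the value used in the official reference docs; the remaining
# entries are assumed common placeholders added for this example.
PLACEHOLDER_SECRETS = {"mysecret", "secret", "password", "changeme"}

# Assumed minimum length for a secret that is not a known placeholder.
MIN_SECRET_LENGTH = 16

# Constructed sample application.properties, as a developer might leave it in a
# test environment (not taken from any real project).
SAMPLE_PROPERTIES = """\
# test environment
server.port=8080
spring.datasource.url=jdbc:h2:mem:testdb
spring.devtools.remote.secret=mysecret
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a Java .properties file: 'key=value' or 'key: value' pairs,
    '#' / '!' comment lines, surrounding whitespace ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit_devtools_remote(props: Dict[str, str]) -> List[str]:
    """Return findings about the remote DevTools configuration; an empty list
    means the feature is not enabled in this file."""
    findings: List[str] = []
    secret = props.get(REMOTE_SECRET_KEY)
    if secret is None:
        return findings
    findings.append("remote DevTools enabled (" + REMOTE_SECRET_KEY + " is set)")
    if secret.startswith("${") and secret.endswith("}"):
        # Secret is resolved from an environment variable or external config:
        # its strength cannot be judged statically, but it still needs review.
        findings.append("secret is externalised via placeholder " + secret)
        return findings
    if secret.lower() in PLACEHOLDER_SECRETS:
        findings.append("secret is a documentation placeholder: " + secret)
    elif len(secret) < MIN_SECRET_LENGTH:
        findings.append("secret shorter than %d characters" % MIN_SECRET_LENGTH)
    return findings


def audit_properties_text(text: str) -> List[str]:
    """Convenience wrapper: parse a properties file and audit it."""
    return audit_devtools_remote(parse_properties(text))


if __name__ == "__main__":
    for finding in audit_properties_text(SAMPLE_PROPERTIES):
        print("[!] " + finding)
```

Run it against every application*.properties found in a checkout; any hit in a non-production profile is exactly the internal-network exposure described above. Projects that configure Spring through application.yml instead need a YAML loader in place of parse_properties, which this example does not include.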