Google Cloud has warned that threat actors targeting cloud environments now favor campaigns which gain initial access by exploiting software vulnerabilities over credential-based attacks.
Published on 9 March, the Google Cloud Office of the CISO’s H1 2026 Google Cloud Threat Horizons Report, details how the cloud threat landscape evolved based on how attackers attempted to target Google Cloud services during the second half of 2025.
“Our team has observed a fundamental shift in the landscape,” said Crystal Lister, security advisor and head of cloud threat horizons report program for Office of the CISO, at Google Cloud.
Traditionally, threat actors have relied on weak or missing credentials and misconfigurations to gain access to Google Cloud environments.
However, the second half of 2025 saw threat actors increasingly turn towards exploiting unpatched third-party vulnerabilities.
In total, third-party software-based entry accounted for 44.5% of primary entry vectors during the second half of 2025. This represents a significant increase from the 2.9% observed during the first half of the year.
In comparison, abuse of weak or absent credentials as an entry point dropped from 47.1% in the first half of the year, down to 27.2% in the second half.
React2Shell Top Targeted Vulnerability
One of the most commonly software vulnerabilities used to target cloud services was CVE-2025-55182, more commonly known as React2Shell, a critical remote code execution vulnerability in React Server Components.
The vulnerability can enable attackers to take control of servers and compromise data. It has been tied to cyber-attacks by nation-state threat actors linked to both North Korea and China.
“While Google Cloud’s underlying infrastructure remains secure, threat actors are successfully targeting unpatched applications and permissive user-defined firewall rules,” said Google Cloud.
The company also warned that attackers have also got quicker at the mass exploitation of software vulnerabilities following their public disclosure.
“To mitigate these risks across any environment, cloud defenders should focus on identity access controls, using centralized visibility tools to secure data, and automated posture enforcement,” said Google.
According to the report, the window between vulnerability disclosure and mass exploitation collapsed by “an order of magnitude” from weeks to just days. Ultimately, if organizations haven’t patched vulnerabilities within days of the disclosure, then their cloud services are vulnerable to attackers.
For example, Google Cloud noted that within just 48 hours of the public disclosure of React2Shell in December 2025, multiple threat actors had already exploited the vulnerability to infect victims with cryptocurrency mining malware.
Google has issued advice to organizations on what they should do to avoid falling victim to newly disclosed vulnerabilities.
“Defensively, organizations should pivot from manual patching to automated defenses—such as patching the Web Application Firewall (WAF)—to neutralize exploits at the network edge before software updates can be applied,” the company recommended.
