A new report from Google has identified a significant evolution in the threat landscape targeting cloud environments. The analysis reveals that attackers are now prioritizing the exploitation of software vulnerabilities over the use of stolen or weak credentials as their primary method of initial access. According to Google's findings, incident responders determined that bug exploits were the root cause in 44.5% of investigated cloud intrusions in the latter half of 2025, while credential-based attacks accounted for only 27% of breaches. This marks a notable reversal from previous trends where misconfigured settings and poor credential hygiene were dominant attack vectors.
The most frequently exploited vulnerabilities are those enabling remote code execution (RCE). Specific highlights from the threat landscape include the React2Shell vulnerability (CVE-2025-55182) and an XWiki flaw tracked as CVE-2025-24893, the latter being leveraged in attacks by the RondoDox botnet. Google attributes this strategic shift by threat actors to the broader industry adoption of enhanced security measures. "We assess that this change in behavior from threat actors is potentially due to Google's secure-by-default strategy and enhanced credential protections successfully closing traditional, more easily exploitable paths, raising the barrier to entry," the company stated. As foundational defenses around identity and access management improve, adversaries are pivoting to software flaws.
Compounding the risk is the dramatically shrinking window for defenders to respond. The report notes that the exploitation timeline for newly disclosed vulnerabilities has collapsed from weeks to mere days. Google observed instances of cryptomining malware being deployed into cloud environments within 48 hours of a vulnerability's public disclosure. This rapid weaponization underscores the critical need for organizations to accelerate their patch management and vulnerability remediation cycles to an operational tempo measured in hours, not days, to effectively mitigate risk.
This shift necessitates a corresponding evolution in defense strategies. While robust credential protection, multi-factor authentication (MFA), and configuration hygiene remain essential, they are no longer sufficient on their own. Security teams must now place equal, if not greater, emphasis on continuous vulnerability management, real-time threat intelligence regarding active exploits, and stringent software supply chain security. The modern cloud defense posture must be holistic, integrating identity security with rapid patch deployment and proactive threat hunting to counter adversaries who nimbly switch tactics to whatever path offers the least resistance.
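One concrete way to turn the two points above (patch tempo measured in hours, and threat intelligence about active exploitation driving priority) into something operational is a small triage routine that assigns each unpatched finding a remediation deadline from its exploitation status, whether it is RCE, and whether the asset is internet-facing. The code below is an added example written for this article; it is not Google's tooling, and the report describes no such algorithm. The two CVE ids come from the article, but the disclosure dates, asset names, exploitation flags and SLA hours are constructed assumptions for the demonstration, and the scheme generalises beyond the two flaws named: any vulnerability record with those three attributes can be ranked the same way.

```python
"""Added example: rank unpatched findings by active exploitation and exposure.

Illustrative code written for this article, not Google's or any vendor's
tooling. Inventory, CVE records, dates and SLA values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class VulnRecord:
    cve: str
    disclosed: datetime        # public disclosure time (assumed values below)
    rce: bool                  # enables remote code execution
    actively_exploited: bool   # seen in threat-intel / known-exploited feeds


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    cves: tuple                # CVE ids present on this asset
    patched: bool


# Assumed remediation SLAs in hours; real values belong in your own policy.
SLA_HOURS = {
    "critical": 24,    # actively exploited RCE on an internet-facing asset
    "high": 72,        # actively exploited, or RCE on an exposed asset
    "standard": 168,   # everything else: one week
}


def tier(v: VulnRecord, a: Asset) -> str:
    """Map (vulnerability, asset) to an SLA tier."""
    if v.actively_exploited and v.rce and a.internet_facing:
        return "critical"
    if v.actively_exploited or (v.rce and a.internet_facing):
        return "high"
    return "standard"


def triage(assets, vulns, now):
    """Return (asset, cve, tier, hours_remaining) rows, most urgent first.

    hours_remaining is negative once the SLA deadline has already passed.
    """
    by_id = {v.cve: v for v in vulns}
    rows = []
    for a in assets:
        if a.patched:
            continue
        for cve in a.cves:
            v = by_id[cve]
            t = tier(v, a)
            deadline = v.disclosed + timedelta(hours=SLA_HOURS[t])
            remaining = (deadline - now).total_seconds() / 3600
            rows.append((a.name, cve, t, round(remaining, 1)))
    order = {"critical": 0, "high": 1, "standard": 2}
    rows.sort(key=lambda r: (order[r[2]], r[3]))
    return rows


def overdue(rows):
    """Rows whose SLA has already been missed."""
    return [r for r in rows if r[3] < 0]


# Constructed sample data. The two real CVE ids are from the article; the
# dates, flags and asset names are assumptions. The third id is a placeholder.
UTC = timezone.utc
NOW = datetime(2025, 12, 10, 12, 0, tzinfo=UTC)
VULNS = [
    VulnRecord("CVE-2025-55182", datetime(2025, 12, 8, 0, 0, tzinfo=UTC),
               rce=True, actively_exploited=True),
    VulnRecord("CVE-2025-24893", datetime(2025, 12, 1, 0, 0, tzinfo=UTC),
               rce=True, actively_exploited=True),
    VulnRecord("CVE-XXXX-PLACEHOLDER", datetime(2025, 12, 9, 12, 0, tzinfo=UTC),
               rce=False, actively_exploited=False),
]
ASSETS = [
    Asset("web-frontend", True, ("CVE-2025-55182",), patched=False),
    Asset("web-frontend-2", True, ("CVE-2025-55182",), patched=True),
    Asset("wiki-internal", False, ("CVE-2025-24893",), patched=False),
    Asset("build-runner", False, ("CVE-XXXX-PLACEHOLDER",), patched=False),
]

if __name__ == "__main__":
    for row in triage(ASSETS, VULNS, NOW):
        print(row)
```

The ordering deliberately puts tier before deadline: a critical finding that still has time left outranks a standard finding that is already overdue, because the article's point is that actively exploited RCE is where the 48-hour weaponization window bites. Feeding the `actively_exploited` flag from a live intelligence source rather than a static file is what makes the tiering track real attacker behaviour.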