Third-Party Vulnerabilities Now Lead Cloud Intrusions, Google Report Finds
Targeting Unpatched Software Flaws, Including the Critical Remote Code Execution Vulnerability in React Server Components Known as React2Shell

Third-party software vulnerabilities have overtaken weak credentials as the leading cause of cloud intrusions, according to the latest Cloud Threat Horizons Report released by Google Cloud Security.
The report, which analysed attacks during the second half of 2025, found a significant shift in how threat actors break into cloud environments. For the first time, attackers exploited unpatched third-party vulnerabilities more frequently than weak credentials as their initial access point.
In H2 2025, third-party vulnerabilities accounted for 44.5% of initial access incidents, a sharp jump from just 2.9% recorded in the first half of the year. Meanwhile, intrusions involving weak or absent credentials dropped from 47.1% in H1 2025 to 27.2% in H2 2025. Initial access through misconfiguration also declined, falling from 29.4% of incidents to 21%.
Vulnerabilities Most Exploited
Researchers from the Google Threat Intelligence Group (GTIG) said attackers increasingly targeted unpatched software flaws, including a critical remote code execution vulnerability in React Server Components widely known as React2Shell.
The report also highlights how quickly attackers are now exploiting newly disclosed vulnerabilities. The window between disclosure and mass exploitation has shrunk dramatically—from weeks to just days.
In one case, GTIG observed threat actors deploying the XMRig cryptocurrency miner within roughly 48 hours after the public disclosure of CVE-2025-55182.
Watch Those Identities—and Everything Else
Identity-based attacks also remained a major factor in cloud breaches. Identity compromise played a role in 83% of observed incidents, while data theft was the primary objective in 73% of cloud-related attacks.
Threat actors are also shifting tactics in social engineering. Traditional phishing campaigns are increasingly being supplemented—or replaced—by voice-based scams. Voice phishing, or vishing, appeared in 17% of cases analysed in the report.
The report also noted growing risks from malicious insiders. While email and USB devices have historically been common methods for exfiltrating sensitive information, insiders are now increasingly using cloud storage services to steal data. In 35% of cases involving insider data theft, attackers used multiple exfiltration paths such as email combined with cloud storage or USB devices paired with cloud services.
State-linked actors also remain active in cloud-focused attacks. GTIG observed a threat campaign believed to be linked to the North Korean group UNC4899, which used living-off-the-cloud techniques and legitimate orchestration tools to conceal malicious activity.
In that incident, the group tricked a developer into downloading a malicious archive file. After the victim transferred the file from a personal device to a corporate workstation, the attackers pivoted into the organisation’s Google Cloud environment. They then modified Kubernetes deployment configurations and obtained a high-privilege CI/CD service account token, allowing them to escalate privileges and ultimately withdraw several million dollars in cryptocurrency.
Cybercriminals Eyeing Supply Chains, Too
The report also documented emerging AI-assisted supply chain attacks. In one case, attackers used large language models to automate credential harvesting and quickly escalate access from a developer’s local environment to full cloud administrative control in less than 72 hours.
The attack began with a compromised Node Package Manager package called QUIETVAULT, which stole a developer’s GitHub token. The threat actor, identified as UNC6426, then exploited OpenID Connect trust between GitHub and a cloud platform to create a new administrator role.
Using that access, the attackers exfiltrated files from Amazon Web Services Simple Storage Service buckets and carried out destructive actions in production cloud environments.
According to the report, the accelerating pace of cloud attacks means traditional patch cycles are no longer sufficient, pushing organisations towards more automated and rapid remediation strategies.



