Google Cloud Report Reveals Shift in Cloud Attack Tactics: Vulnerability Exploitation Surges Over Credential Abuse
Google Cloud’s latest Threat Horizons Report for H1 2026 highlights a dramatic shift in how threat actors target cloud environments, with a growing preference for exploiting software vulnerabilities over traditional credential-based attacks. Published on 9 March, the report analyzes attack trends observed across Google Cloud services during the second half of 2025: initial access through third-party software vulnerabilities accounted for 44.5% of observed intrusions, up from just 2.9% in the first half of the year.
In contrast, attacks leveraging weak or missing credentials declined sharply, dropping from 47.1% to 27.2% over the same period. The report attributes this shift to attackers’ increasing speed in weaponizing newly disclosed flaws, with the window between vulnerability disclosure and mass exploitation shrinking from weeks to days.
A standout example is CVE-2025-55182 (React2Shell), a critical remote code execution vulnerability in React Server Components. Within 48 hours of its December 2025 disclosure, threat actors including nation-state groups linked to North Korea and China exploited the flaw to deploy cryptocurrency mining malware. Google Cloud emphasized that while its infrastructure remains secure, attackers are successfully targeting unpatched applications and permissive firewall rules in customer environments.
The report also underscores the need for automated defenses, such as Web Application Firewalls (WAFs), to reduce exposure in the interval before patches can be applied; such controls buy time but do not replace patching. Organizations slow to address vulnerabilities face heightened exposure, as attackers now exploit flaws at scale within days of disclosure.
Source: https://www.infosecurity-magazine.com/news/cloud-attackers-prefer-exploits/
Google Cloud cybersecurity rating report: https://www.rankiteo.com/company/google-cloud
"id": "GOO1773203263",
"linkid": "google-cloud",
"type": "Vulnerability",
"date": "3/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'Various',
'location': 'Global',
'name': 'Google Cloud customers',
'type': 'Organizations'}],
'attack_vector': 'Third-party software vulnerability (CVE-2025-55182 - '
'React2Shell)',
'date_detected': '2025-12-01',
'date_publicly_disclosed': '2026-03-09',
'description': 'Google Cloud’s latest Threat Horizons Report for H1 2026 '
'highlights a dramatic shift in how threat actors target cloud '
'environments, with a growing preference for exploiting '
'software vulnerabilities over traditional credential-based '
'attacks. The report shows initial access via third-party '
'vulnerabilities rising to 44.5% of observed intrusions, while '
'attacks leveraging weak or missing credentials declined sharply. A '
'standout example is CVE-2025-55182 (React2Shell), exploited '
'within 48 hours of disclosure by nation-state groups linked '
'to North Korea and China to deploy cryptocurrency mining '
'malware.',
'impact': {'systems_affected': 'Unpatched applications and permissive '
'firewall rules in customer cloud '
'environments'},
'investigation_status': 'Completed (report published)',
'lessons_learned': 'Attackers are increasingly exploiting vulnerabilities at '
'scale within days of disclosure, emphasizing the need for '
'automated defenses and rapid patch management.',
'motivation': 'Cryptocurrency mining, potential espionage',
'post_incident_analysis': {'corrective_actions': 'Automated defenses (WAFs), '
'rapid patch deployment, '
'enhanced monitoring',
'root_causes': 'Unpatched applications, permissive '
'firewall rules, delayed patch '
'management'},
'recommendations': 'Implement automated defenses like Web Application '
'Firewalls (WAFs), enforce strict patch management, and '
'monitor for permissive firewall rules in cloud '
'environments.',
'references': [{'date_accessed': '2026-03-09',
'source': 'Google Cloud Threat Horizons Report'}],
'response': {'adaptive_behavioral_waf': 'Recommended',
'enhanced_monitoring': 'Recommended',
'remediation_measures': 'Patch management, automated defenses '
'(e.g., Web Application Firewalls)'},
'threat_actor': ['North Korea-linked groups', 'China-linked groups'],
'title': 'Shift in Cloud Attack Tactics: Vulnerability Exploitation Surges '
'Over Credential Abuse',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2025-55182 (React2Shell)'}