Exploitation of user-managed cloud software has overtaken credential abuse as the method by which most attackers gain initial access to cloud resources.
In its semi-annual “Cloud Threat Horizons Report,” Google found that attacks on user-managed software applications, such as the React2Shell attack targeting a flaw in React Server Components, overtook credential abuse to become the most frequently exploited vector for initial access. Overall, “software-based entry,” which includes exploiting software vulnerabilities such as remote code execution (RCE) flaws, accounted for about 44% of all initial-access activity in Google Cloud, the company stated in the report.
The shift is likely due to the company’s focus on secure-by-default strategies and cloud users taking measures to shrink the stolen credentials and misconfiguration attack surfaces, says Crystal Lister, a security adviser in the Office of the CISO at Google Cloud.
“As defenders address some of the initial, enduring cloud hygiene issues, attackers are being forced to focus on more sophisticated, automated paths,” she says. “It isn’t necessarily that companies are cutting corners, but rather that the defensive perimeter has moved. Attackers are now targeting the third-party user-managed software running on top of the cloud rather than the cloud infrastructure itself.”
Outside of Google’s cloud environments, however, attackers continued to focus on identity and credential weaknesses: 83% of the initial-access vectors in the platform-agnostic incidents investigated by Google Mandiant were attributed to identity. Nearly a third of such attacks came from phishing, a fifth from compromised trust relationships with third parties, a fifth from stolen credentials, and a tenth from malicious insiders and software supply-chain attacks, according to the Google report. The remaining 17%, which were not identity-related, included misconfiguration and software exploitation.
Cybersecurity firm Palo Alto Networks found a similar focus, with two-thirds of initial access (65%) tied to identity in some way, according to the firm’s “Global Incident Response Report 2026.”
“As organizations move deeper into SaaS, cloud and hybrid environments, the network perimeter matters less,” the Palo Alto Networks’ report stated. “Identity — the linkage between users, machines, services and data — has become the practical perimeter.”
Fix Identity and Attackers Focus Elsewhere
In cases where defenders have done a good job at focusing on credential abuse and misconfiguration, it’s not surprising that cyberattackers have changed their focus, says Saumitra Das, vice president of engineering at Qualys.
Exploitation has become easier because of AI-driven vulnerability analysis, penetration testing, and exploit development, he says.
“Attackers adapted and increasingly shifted toward exploiting unpatched software,” Das says. “That transition has been accelerated by AI-assisted exploitation tools and the near-instant weaponization of newly disclosed CVEs.”
More than 44% of attacker activity on Google Cloud targeted software vulnerabilities and remote code execution. Source: Google Cloud
The shared responsibility model for cloud security means that both partners — the cloud provider and the customer — must keep up their side of the cybersecurity bargain. Unfortunately, all cloud architectures have identity weak points that, if not managed correctly, could be exploited, says Keith Lunden, a manager with the Google Threat Intelligence Group.
“We anticipate that threat actors will continue to find and exploit these gaps while evolving their methods through the use of AI,” he says.
These gaps mean that most vulnerability exploitation in the cloud tends to focus on infrastructure-as-a-service (IaaS) rather than platform-as-a-service (PaaS), because the greater share of responsibility for securing the infrastructure falls to the customer rather than the hyperscaler, says Das.
“Edge devices are naturally the first to be exploited, as well as publicly exposed assets such as virtual machines, containers, and serverless,” he says.
AI Means Time Grows Short for Patching Bugs
Attackers’ adoption of AI services is a major reason for shifts in the threat landscape. LLMs allow less technically adept attackers to vibe code well-crafted reconnaissance and exploitation frameworks, resulting in more attackers who can perform somewhat sophisticated attacks, says Das.
“In the past, defenders often had more time to respond to a vulnerability,” he says. “Today, the response window has shrunk to hours — yet most patch management processes were never designed to operate at that speed.”
For that reason, companies need to take a more aggressive approach to patching. Companies should virtually patch vulnerabilities within 24 hours of a public report, and fully remediate the issue within 72 hours, says Lister.
“Defenders should replace manual processes with identity-centric proxies and automated posture enforcement,” she says, adding that Google Cloud’s Organization Policy services could be used to programmatically block overly permissive firewall rules from ever being created, for example.
“In a world where exploitation is measured in hours,” she says, “our defenses must be as automated as the attacks.”
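The posture-enforcement idea Lister describes, blocking an overly permissive firewall rule before it exists rather than finding it in an audit later, comes down to evaluating each proposed rule against a policy. The example below is added here to show what that evaluation looks like; it is not code from the Google Cloud report, from Google, or from Organization Policy itself. It assumes an illustrative policy (deny any enabled ingress rule that opens SSH, RDP or all ports to 0.0.0.0/0 or ::/0), and the rule dictionaries mimic the field names of a Compute Engine VPC firewall resource (`direction`, `sourceRanges`, `allowed`, `disabled`). The sample rules are constructed for the example. In a real deployment the same condition would be expressed as a custom Organization Policy constraint on the firewall resource type and enforced at create/update time; here it is plain Python so it can run offline as a pre-deployment or continuous-posture check.

```python
"""Posture check: which VPC firewall rules would an "no unrestricted
ingress to admin ports" policy deny?

Added example, not code from the report or from Google. The policy
(ASSUMED for illustration): deny an enabled INGRESS rule whose source
ranges include 0.0.0.0/0 or ::/0 and which allows all protocols, all
TCP ports, or any TCP port in ADMIN_PORTS.
"""
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP; assumed set for the example


def _expand_ports(port_specs):
    """Turn Compute-style port specs ('22', '1000-2000') into a set of ints.
    An empty or missing list means "all ports" and returns None."""
    if not port_specs:
        return None
    ports = set()
    for spec in port_specs:
        if "-" in spec:
            lo, hi = spec.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(spec))
    return ports


def _is_unrestricted(cidr):
    """True for a zero-length prefix (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def violations(rule):
    """Return the reasons a single rule violates the assumed policy
    (empty list means the rule would be allowed to be created)."""
    reasons = []
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return reasons  # disabled rules and egress rules are out of scope
    open_ranges = [r for r in rule.get("sourceRanges", []) if _is_unrestricted(r)]
    if not open_ranges:
        return reasons
    name = rule["name"]
    for allow in rule.get("allowed", []):
        proto = allow.get("IPProtocol", "").lower()
        ports = _expand_ports(allow.get("ports"))
        if proto == "all":
            reasons.append(f"{name}: all protocols from {open_ranges}")
        elif proto == "tcp":
            if ports is None:
                reasons.append(f"{name}: all tcp ports from {open_ranges}")
            else:
                hit = sorted(ADMIN_PORTS & ports)
                if hit:
                    reasons.append(f"{name}: tcp {hit} from {open_ranges}")
    return reasons


def evaluate(rules):
    """Map rule name -> reasons for every rule the policy would deny."""
    denied = {}
    for rule in rules:
        found = violations(rule)
        if found:
            denied[rule["name"]] = found
    return denied


# Constructed sample rules (not real customer data).
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-ssh-from-office", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    # A port range that quietly includes RDP (3389).
    {"name": "allow-rdp-range", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    # IPv6 "anywhere" with every protocol.
    {"name": "allow-everything", "direction": "INGRESS",
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "egress-any", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "disabled-open", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}]},
]

if __name__ == "__main__":
    for rule_name, reasons in evaluate(SAMPLE_RULES).items():
        print("DENY", rule_name, "->", "; ".join(reasons))
```

The check is deliberately stricter than a string match on `0.0.0.0/0`: it parses CIDRs so `::/0` is caught, expands port ranges so a rule opening 3000-4000 is recognised as exposing RDP, and ignores disabled and egress rules so the policy does not block changes it was never meant to govern.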
