www.infosecurity-magazine.com 3/10/2026, 3:58:11 PM · via preferred

Cloud Attackers Now Prefer Vulnerability Exploits Over Credentials, Google Cloud Finds

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Available

Google Cloud has warned that threat actors targeting cloud environments now favour gaining initial access by exploiting software vulnerabilities over credential-based attacks, a shift observed in H1 2026 based on data from the second half of 2025.

Published on 9 March, the Google Cloud Threat Horizons Report details how third-party software vulnerabilities accounted for 44.5% of primary entry vectors in the second half of 2025, up from 2.9% in the first half of the year, while weak or absent credentials fell from 47.1% to 27.2%. One commonly exploited vulnerability was CVE-2025-55182, known as React2Shell, a critical remote code execution flaw in React Server Components, linked to cyber-attacks by threat actors associated with North Korea and China.

The report notes that attackers have become quicker at mass exploitation after disclosure, with Google Cloud urging defenders to prioritise automated posture enforcement and centralized visibility over manual patching, including patching the Web Application Firewall at the network edge. It also highlights that within 48 hours of React2Shell’s public disclosure in December 2025, multiple threat actors exploited the flaw to infect victims with cryptocurrency mining malware. According to Google Cloud.

Article by CyberSIXT