
Google Cloud environment entry vectors shift from credentials to third-party vulnerabilities in H2 2025

Target Trend
First reported
Last updated
Happening score
H score 50
1 unique source, 1 article

Summary


Threat actors targeting Google Cloud environments shifted in H2 2025 from credential abuse to unpatched third-party vulnerabilities, materially changing initial-access risk across cloud workloads. Third-party software-based entry rose to 44.5% of primary vectors, up sharply from 2.9% in H1 2025. The trend shows attackers are reaching cloud services faster through exposed software than through weak accounts. It also compresses defender response time because newly disclosed flaws can be exploited within days.

Related Happenings

Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication

Technical Analysis
First: 21.05.2026 23:07 Last: 21.05.2026 23:07 Sources 1

About this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...

Unit 42 Zealot proves autonomous cloud attack chaining in GCP

Technical Analysis
First: 23.04.2026 13:00 Last: 23.04.2026 13:00 Sources 1

About this happening: **Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...

Google Looker Studio cross-tenant SQL injection flaws

Vulnerability
First: 10.03.2026 15:20 Last: 10.03.2026 15:20 Sources 1

About this happening: Researchers disclosed **nine cross-tenant vulnerabilities** in **Google Looker Studio** that could let attackers run **arbitrary SQL queries** on victims' databases and exfiltrate...

Cloud environments third-party flaw exploitation wave

Exploitation Wave
First: 09.03.2026 23:45 Last: 09.03.2026 23:45 Sources 1

How related: For example, Google Cloud noted that within just 48 hours of the public disclosure of React2Shell in December 2025, multiple threat actors had already exploited the vulnerability to infect victims with cryptocurrency mining malware.

About this happening: **Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...

UNC4899 cryptocurrency cloud compromise campaign

Campaign
First: 09.03.2026 16:50 Last: 09.03.2026 16:50 Sources 1

About this happening: The **UNC4899** campaign against a **cryptocurrency organization** in **2025** escalated into a **cloud compromise** that enabled theft of **millions of dollars** in digital asset...

Timeline

  1. 10.03.2026 17:30 2 articles · 2mo ago

    Google Cloud reports a shift from credentials to third-party vulnerabilities

    Technical Analysis Update

    Google Cloud says threat actors targeting Google Cloud environments increasingly used unpatched third-party vulnerabilities in the second half of 2025 instead of weak or missing credentials, with third-party software-based entry reaching 44.5% of primary vectors and weak or absent credentials falling to 27.2%. The report also says the window between vulnerability disclosure and mass exploitation shrank from weeks to days, and that React2Shell in React Server Components was exploited within 48 hours of public disclosure to infect victims with cryptocurrency mining malware.
