Google Cloud environment entry vectors shift from credentials to third-party vulnerabilities in H2 2025
Trend
Summary
Hide ▲
Show ▼
Threat actors targeting Google Cloud environments shifted in H2 2025 from credential abuse to unpatched third-party vulnerabilities, materially changing initial-access risk across cloud workloads. Third-party software-based entry rose to 44.5% of primary vectors, up sharply from 2.9% in H1 2025. The trend shows attackers are reaching cloud services faster through exposed software than through weak accounts. It also compresses defender response time because newly disclosed flaws can be exploited within days.
Related Happenings
Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw
Vulnerability
H score1
First: 16.06.2026 22:05
Last: 16.06.2026 22:05
Sources 1
About this happening:
**Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...
Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw
VulnerabilityAbout this happening: **Google Cloud Vertex AI SDK for Python** had a **predictable temporary bucket** flaw that let an attacker hijack model uploads and reach **code execution** inside Google's servin...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
H score16
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical AnalysisAbout this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical Analysis
H score28
First: 23.04.2026 13:00
Last: 23.04.2026 13:00
Sources 1
About this happening:
**Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical AnalysisAbout this happening: **Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Google Looker Studio cross-tenant SQL injection flaws SQL injection flaw
Vulnerability
H score3
First: 10.03.2026 15:20
Last: 10.03.2026 15:20
Sources 1
About this happening:
Researchers disclosed **nine cross-tenant vulnerabilities** in **Google Looker Studio** that could let attackers run **arbitrary SQL queries** on victims' databases and exfiltrate...
Google Looker Studio cross-tenant SQL injection flaws SQL injection flaw
VulnerabilityAbout this happening: Researchers disclosed **nine cross-tenant vulnerabilities** in **Google Looker Studio** that could let attackers run **arbitrary SQL queries** on victims' databases and exfiltrate...
Cloud environments third-party flaw exploitation wave
Exploitation Wave
H score37
First: 09.03.2026 23:45
Last: 09.03.2026 23:45
Sources 1
How related:
For example, Google Cloud noted that within just 48 hours of the public disclosure of React2Shell in December 2025, multiple threat actors had already exploited the vulnerability to infect victims with cryptocurrency mining malware.
About this happening:
**Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...
Cloud environments third-party flaw exploitation wave
Exploitation WaveHow related: For example, Google Cloud noted that within just 48 hours of the public disclosure of React2Shell in December 2025, multiple threat actors had already exploited the vulnerability to infect victims with cryptocurrency mining malware.
About this happening: **Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...
Timeline
-
10.03.2026 17:30 2 articles · 4mo ago
Google Cloud reports a shift from credentials to third-party vulnerabilities
Technical Analysis UpdateGoogle Cloud says threat actors targeting Google Cloud environments increasingly used unpatched third-party vulnerabilities in the second half of 2025 instead of weak or missing credentials, with third-party software-based entry reaching 44.5% of primary vectors and weak or absent credentials falling to 27.2%. The report also says the window between vulnerability disclosure and mass exploitation shrank from weeks to days, and that React2Shell in React Server Components was exploited within 48 hours of public disclosure to infect victims with cryptocurrency mining malware.
Show sources
- Cloud Attackers Now Prefer Vulnerability Exploits Over Credentials, Google Cloud Finds — www.infosecurity-magazine.com — 10.03.2026 17:30
- Cloud Attackers Now Prefer Vulnerability Exploits Over Credentials, Google Cloud Finds — www.infosecurity-magazine.com — 10.03.2026 17:30