Attackers targeting cloud environments are now more likely to break in by exploiting software vulnerabilities than by relying on stolen credentials, according to a Google Cloud threat report summarized by Infosecurity Magazine. The report points to a marked rise in exploit-led intrusions, including abuse of a React-related issue Google Cloud refers to as “React2Shell.”
The finding suggests a change in initial access tactics rather than the disappearance of credential theft. Password spraying, phishing, token theft and exposed keys still matter, but Google Cloud says vulnerability exploitation is becoming the preferred route because it can bypass MFA, scale across many targets and deliver code execution quickly on internet-facing systems.
That matters for organizations running public-facing applications, APIs, container platforms and CI/CD services in the cloud. A single unpatched flaw in an exposed service can give attackers a foothold to steal data, deploy cryptominers, move laterally or abuse cloud-native tools for persistence. In practice, this puts more pressure on patching speed, external attack-surface monitoring and prioritizing bugs that are known to be exploited in the wild.
The report also fits a wider industry pattern. CISA’s Known Exploited Vulnerabilities catalog continues to show how quickly newly disclosed flaws are weaponized once proof-of-concept code or active exploitation emerges. For defenders, the implication is that identity controls alone are not enough if vulnerable apps and services remain reachable from the internet. Internet-facing systems, including remote access tools such as VPN gateways, remain attractive targets when patching lags.
As summarized by Infosecurity Magazine, Google Cloud’s findings stop short of naming a single victim or campaign, and the summary does not fully describe the exact technical details behind “React2Shell.” Still, the message is clear: cloud intrusion tradecraft is becoming more exploit-driven, and exposed software flaws are now a faster path into cloud estates than many defenders may assume.




