Executive Summary
In the latter half of 2025, Google observed a significant shift in cloud attack vectors: 44.5% of intrusions exploited newly disclosed vulnerabilities in third-party software, while attacks leveraging weak credentials fell to 27%. Remote code execution flaws such as React2Shell (CVE-2025-55182) and the XWiki vulnerability (CVE-2025-24893) were frequently targeted, with attackers deploying cryptominers within 48 hours of vulnerability disclosure. This compression of the window between disclosure and exploitation makes prompt patching and proactive vulnerability management essential for organizations that want to keep cloud environments ahead of emerging threats.
Why This Matters Now
The rapid exploitation of software vulnerabilities in cloud environments underscores the critical need for organizations to implement proactive vulnerability management and robust security measures to protect against emerging threats.
Attack Path Analysis
Adversaries exploited vulnerabilities in third-party software to gain initial access to cloud environments. They escalated privileges by compromising cloud accounts and manipulating IAM roles. Lateral movement was achieved through unauthorized access to cloud services and resources. Command and control were established using compromised infrastructure to evade detection. Data exfiltration occurred via cloud storage services. The impact included data destruction and disruption of cloud services.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited vulnerabilities in third-party software to gain initial access to cloud environments.
Related CVEs
CVE-2025-55182
CVSS: 10.0
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Affected Products:
Meta Platforms, Inc. React Server Components – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Exploit Status:
exploited in the wild
CVE-2025-24893
CVSS: 9.8
XWiki Platform is vulnerable to remote code execution via the SolrSearch feature, allowing unauthenticated attackers to execute arbitrary code through crafted requests.
Affected Products:
XWiki XWiki Platform – < 15.10.11, < 16.4.1, < 16.5.0RC1
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-24893
https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24893
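Because both CVEs above were exploited within days of disclosure, the first defensive question is simply "do we run an affected version anywhere?". The following Python script is an added example (not code from the original brief, Google, Aviatrix, React or XWiki) that answers that for both CVEs using only the version data the brief lists: it scans an npm package-lock.json for the three react-server-dom-* packages at the exact versions named for CVE-2025-55182, and checks an XWiki version string against the three fixed releases named for CVE-2025-24893. Assumptions: the lockfile uses the npm lockfileVersion 2/3 layout (a top-level "packages" map keyed by "node_modules/<name>"), XWiki versions follow the "X.Y.Z" or "X.Y.ZRCn" grammar, and the per-branch boundaries used to interpret "< 15.10.11, < 16.4.1, < 16.5.0RC1" are mine, not stated in the brief. The sample lockfile is constructed for the demonstration.

```python
"""Inventory check for the two CVEs named in the brief (added example).

Flags installed versions inside the affected ranges the brief lists for
CVE-2025-55182 (React Server Components) and CVE-2025-24893 (XWiki Platform).
"""
import json
import re
from typing import List, Tuple

# CVE-2025-55182: package names and affected versions exactly as the brief lists them.
REACT_RSC_PACKAGES = {
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
    "react-server-dom-webpack",
}
REACT_RSC_AFFECTED = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}


def scan_package_lock(lock_text: str) -> List[Tuple[str, str, str]]:
    """Return (lockfile path, package name, version) for every affected RSC install.

    Assumes npm lockfileVersion 2/3: a top-level "packages" map whose keys end in
    "node_modules/<name>"; nested installs (a/node_modules/b) are matched as well.
    """
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # strip any nesting prefix
        version = meta.get("version", "")
        if name in REACT_RSC_PACKAGES and version in REACT_RSC_AFFECTED:
            hits.append((path, name, version))
    return hits


# CVE-2025-24893: the brief gives fixed versions 15.10.11, 16.4.1 and 16.5.0RC1.
# Version grammar assumed: "X.Y.Z" with an optional "RCn" suffix; RC sorts before final.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?RC(\d+))?$")


def parse_xwiki_version(text: str) -> Tuple[int, int, int, int, int]:
    """Parse a version into a sortable tuple (major, minor, patch, is_final, rc)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    is_final = 0 if rc else 1
    return (int(major), int(minor), int(patch), is_final, int(rc or 0))


# Half-open [lower, upper) ranges; the lower bounds are an assumption about how
# the three "<" constraints map onto XWiki release branches.
XWIKI_AFFECTED_RANGES = [
    ((0, 0, 0, 0, 0), parse_xwiki_version("15.10.11")),   # everything below 15.10.11
    ((16, 0, 0, 0, 0), parse_xwiki_version("16.4.1")),    # 16.0.x .. 16.4.0
    ((16, 5, 0, 0, 0), parse_xwiki_version("16.5.0RC1")), # 16.5.0 pre-releases before RC1
]


def xwiki_is_affected(version: str) -> bool:
    """True if the given XWiki Platform version falls in an affected range."""
    v = parse_xwiki_version(version)
    return any(lo <= v < hi for lo, hi in XWIKI_AFFECTED_RANGES)


# Constructed sample lockfile: two affected installs (one nested), one version
# that is not in the brief's affected set and is therefore not flagged here.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-tool/node_modules/react-server-dom-parcel": {"version": "19.1.1"},
        "node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
    },
})

if __name__ == "__main__":
    for path, name, version in scan_package_lock(SAMPLE_LOCK):
        print(f"CVE-2025-55182: {name}@{version} at {path}")
    for v in ("15.10.10", "15.10.11", "16.4.0", "16.4.1", "16.5.0RC1", "16.5.0"):
        print(f"CVE-2025-24893: XWiki {v} affected={xwiki_is_affected(v)}")
```

The lockfile scan is an exact-match check on purpose: the brief names four affected versions and no fixed version, so anything outside that set is reported as "not listed" rather than "safe". Feed it the real package-lock.json of each service in the CI/CD pipeline and treat any hit as a patch-now item, given the 48-hour exploitation window described above.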
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Defense Evasion
Cloud Infrastructure Discovery
Remote Services: Cloud Services
Credentials from Password Stores: Cloud Secrets Management Stores
Account Manipulation: Additional Cloud Credentials
Data from Cloud Storage Object
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Identity Governance
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Multi-vector cloud attacks targeting cryptocurrency platforms and CI/CD pipelines pose severe risks to digital asset management and financial data protection systems.
Computer Software/Engineering
React2Shell and supply-chain attacks through compromised npm packages directly threaten software development environments, CI/CD pipelines, and code repositories.
Information Technology/IT
Cloud infrastructure vulnerabilities exploited within 48 hours require immediate patch management and enhanced zero-trust segmentation for IT service providers.
Defense/Space
State-sponsored actors maintaining 18-month persistence in cloud environments pose critical threats to aerospace defense contractors and proprietary technology assets.
Sources
- Google: Cloud attacks exploit flaws more than weak credentials – https://www.bleepingcomputer.com/news/security/google-cloud-attacks-exploit-flaws-more-than-weak-credentials/ (Verified)
- Critical Security Vulnerability in React Server Components – https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components (Verified)
- XWiki Platform Remote Code Execution Vulnerability – https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955 (Verified)
- CISA Known Exploited Vulnerabilities Catalog – https://www.cisa.gov/known-exploited-vulnerabilities-catalog (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control, and exfiltrate data, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in third-party software to gain initial access could have been limited.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges by compromising cloud accounts and manipulating IAM roles could have been constrained.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the cloud environment using compromised credentials could have been restricted.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels using compromised infrastructure could have been limited.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data via cloud storage services could have been restricted.
The overall impact of data destruction and service disruption could have been reduced.
Impact at a Glance
Affected Business Functions
- Web Application Services
- Data Management
- Customer Support Portals
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive customer data and internal documentation.
Recommended Actions
Key Takeaways & Next Steps
- Implement inline intrusion prevention systems (IPS) to detect and block exploitation attempts of known vulnerabilities.
- Enforce zero trust segmentation to limit lateral movement within cloud environments.
- Utilize multicloud visibility and control solutions to monitor and manage cloud resources effectively.
- Apply egress security and policy enforcement to prevent unauthorized data exfiltration.
- Deploy threat detection and anomaly response mechanisms to identify and respond to suspicious activities promptly.