80% of Cloud Breaches Traced to Vulnerabilities, Secrets, and Misconfigurations

Wiz analysis of 2025 incidents shows how AI adoption and supply chain techniques increased scale and impact

Published on Apr 13, 2026

Eighty percent of documented cloud intrusions in 2025 began with three well-known issues: vulnerabilities, exposed secrets, and misconfigurations, a new report from Wiz found.

The findings, published in the Cloud Threats Retrospective 2026 last week, showed that attackers continued to take advantage of familiar entry points instead of creating novel techniques.

Exploitation of flaws accounted for 40% of initial access cases, followed by exposed secrets at 21% and misconfigurations at 19%. Supply chain-based compromises made up 7% of incidents but were observed to consistently lead to downstream impact across several organizations.

The analysis drew on publicly reported breaches and cloud telemetry collected between February and December 2025. It showed that attackers consistently targeted weaknesses in exposure management, credential handling, and configuration practices.

Early-stage attacker behavior also followed common patterns. For example, the report found that 53% of pre-access activity involved reconnaissance techniques including scanning and infrastructure discovery. These steps are often required before attackers establish a foothold, giving defenders an opportunity to discover and disrupt activity early.

Shared Dependencies and AI Adoption Increased Exposure

The report also showed that AI adoption expanded the cloud attack surface. More than 85% of organizations were using AI services, yet 25% reported they did not know which AI tools were running in their systems.

Instead of creating new attack methods, however, AI was associated with more efficient execution of pre-existing techniques. The report stated that AI-driven tooling enabled automation of reconnaissance, credential harvesting, and exploitation workflows.

How AI is deployed to improve threat actor techniques. Credit: Wiz Research.

Supply chain attacks were another main driver of risk. Campaigns such as Shai-Hulud demonstrated how compromising a commonly used software package enabled attackers to operate through trusted dev pipelines and affect many downstream environments.

The report also highlighted the quick weaponization of internet-facing vulnerabilities. Following disclosure of the React2Shell vulnerability (CVE-2025-55182), Wiz observed more than 60 exploitation campaigns within a week. Of these, 40% involved cryptomining activity, while 21% deployed backdoors and 18% focused on credential theft.

Overall, the report showed that cloud threats in 2025 were defined by scale and interconnected systems. Wiz recommended that organizations focus on visibility into externally exposed assets, strengthen identity security, and monitor trusted relationships across cloud and software environments.

“For defenders, strong fundamentals remain essential, but they must be applied with greater context,” the company wrote.

“Organizations that maintain visibility into exposure, identity relationships, and how risk propagates across cloud, development, and AI environments are better positioned to detect and disrupt intrusion activity before it escalates into meaningful impact.”