Exploit-First Attacks Threaten Cloud Infrastructure as Google Reveals Shrinking Vulnerability Windows

⚡ Quick Summary

  • Google and Mandiant research reveals attackers are now exploiting newly disclosed cloud software vulnerabilities within 24–72 hours of CVE publication, collapsing the traditional patch response window.
  • Third-party software flaws — in file transfer tools, VPN appliances, and enterprise integrations — have overtaken weak credentials as the primary initial access vector in cloud environment breaches.
  • The findings draw on Mandiant's real-world incident response data and represent a significant shift from the misconfiguration-dominant threat model that shaped cloud security investment for the past decade.
  • All three major hyperscalers — AWS, Microsoft Azure, and Google Cloud — are affected, but the research strategically positions Google and Mandiant as leading authorities in cloud threat intelligence.
  • Security teams are urged to move beyond monthly patch cycles to near-real-time vulnerability monitoring with automated remediation pipelines, particularly for internet-facing third-party applications in cloud environments.

What Happened

Google's Threat Intelligence Group and Mandiant — the incident response powerhouse Google acquired for $5.4 billion in 2022 — have published findings that fundamentally reframe how security teams should think about cloud risk. The core revelation: attackers are no longer primarily hunting for misconfigured buckets or weak passwords. Instead, they are weaponising newly disclosed vulnerabilities in third-party software at a pace that has compressed the exploitation window from weeks to mere days.

The research, drawn from Mandiant's extensive cloud incident response caseload, identifies a decisive shift in initial access vectors. Where credential-based attacks — phishing, credential stuffing, and brute-force campaigns — once dominated cloud breach timelines, exploitation of unpatched software flaws in widely deployed third-party applications now accounts for a growing proportion of intrusions. This includes vulnerabilities in file transfer tools, VPN appliances, enterprise productivity suites, and cloud-native management platforms.

Critically, Google's data shows that the mean time between a CVE being publicly disclosed and active exploitation in cloud environments has narrowed dramatically. In some cases tracked by Mandiant responders, threat actors were observed deploying working exploits within 24 to 72 hours of a vulnerability being published — well before most enterprise patch management cycles could respond. This is not theoretical. Mandiant documented real-world cloud intrusions in 2024 where attackers pivoted from initial exploitation to lateral movement and data staging within the same business day.

The report also highlights that cloud-native misconfigurations have not disappeared as a risk category — they remain prevalent — but the sophistication gradient has shifted. Nation-state actors and financially motivated ransomware groups are increasingly leading with software exploits precisely because they are faster, more reliable, and harder to detect than credential-based entry when defenders are focused on identity governance rather than patch velocity.

Background and Context

To understand why this finding carries such weight, it helps to trace the evolution of cloud security thinking over the past decade. When enterprises began migrating workloads to AWS, Microsoft Azure, and Google Cloud Platform in earnest around 2014–2016, the dominant threat model centred on misconfiguration. The infamous 2019 Capital One breach — which exposed over 100 million customer records via a misconfigured AWS Web Application Firewall — became the canonical case study. It reinforced a security orthodoxy: cloud breaches happen because administrators make mistakes, not because attackers are technically sophisticated.

That orthodoxy shaped an entire generation of cloud security tooling. Cloud Security Posture Management (CSPM) platforms like Wiz, Orca Security, and the native offerings within Microsoft Defender for Cloud and AWS Security Hub were built largely around continuous configuration auditing. The assumption was that if you could continuously scan for misconfigurations and enforce least-privilege identity policies, you would neutralise the primary attack surface.

Meanwhile, a parallel threat was maturing. The MOVEit Transfer vulnerability (CVE-2023-34362), disclosed in late May 2023, demonstrated with devastating clarity what exploit-first cloud attacks look like at scale. The Cl0p ransomware group had reportedly been researching the SQL injection flaw for months before disclosure, then executed a coordinated exploitation campaign within hours of the CVE going public. Over 2,700 organisations were compromised, including government agencies, financial institutions, and healthcare providers — many of them running MOVEit in hybrid or cloud-connected configurations.

Similarly, the Citrix Bleed vulnerability (CVE-2023-4966), disclosed in October 2023, was exploited to breach cloud-connected enterprise environments at Boeing, the Industrial and Commercial Bank of China, and others before patches could be universally applied. These events collectively signalled a structural shift in attacker methodology that Google's latest research now quantifies and contextualises at the cloud infrastructure level.

Mandiant's own M-Trends report from 2024 noted that the global median dwell time — the period between initial compromise and detection — had fallen to 10 days, down from 16 days in 2022. But that compression in dwell time is a double-edged sword: attackers are moving faster, completing their objectives before defenders even know an intrusion has occurred.

Why This Matters

For IT and security professionals managing enterprise technology stacks, Google's findings demand an uncomfortable reassessment of where defensive investment is concentrated. The security industry has spent enormous capital — both financial and cognitive — on identity and access management, zero-trust architecture, and CSPM tooling. Those investments are not wasted, but they are increasingly insufficient as a primary defence against the leading edge of cloud attacks.

The practical implication is that patch management — often treated as an operational hygiene task delegated to junior administrators — must be elevated to a strategic security priority with executive visibility. When the exploitation window is measured in days rather than weeks, the traditional 30-day patch cycle that many enterprises still operate under is not a policy choice; it is an open invitation. Organisations running third-party software in cloud environments — file transfer platforms, network edge devices, identity federation services, and enterprise resource planning systems — need to move to near-real-time vulnerability monitoring with automated patch deployment pipelines where feasible.

For Microsoft ecosystem users specifically, this has direct relevance. Azure-connected environments running third-party applications, hybrid deployments bridging on-premises Windows Server infrastructure with cloud workloads, and organisations using Microsoft 365 alongside third-party integrations all represent the exact attack surface Google's research describes. Microsoft's own Patch Tuesday cadence, while more predictable than many vendors, still creates monthly windows during which newly disclosed vulnerabilities in the Microsoft ecosystem — or in third-party software running on Windows and Azure — remain unpatched in production environments.

The Microsoft ecosystem's breadth is itself a risk amplifier. With over 345 million commercial Microsoft 365 seats as of 2024, a single exploitable vulnerability in a widely deployed Office or Azure component represents an extraordinarily high-value target. Security teams managing enterprise productivity software deployments must now treat their software inventory as a live attack surface map, not a static asset register.

There are also insurance and compliance dimensions. Cyber insurers are increasingly scrutinising patch management practices as part of underwriting. Organisations that cannot demonstrate rapid response to critical CVEs — particularly those rated CVSS 9.0 and above — are facing higher premiums or coverage exclusions. Regulatory frameworks including NIS2 in the EU and the updated NIST Cybersecurity Framework 2.0 both explicitly address vulnerability management timeliness.

Industry Impact and Competitive Landscape

Google's decision to publish this research is not purely altruistic — it is also strategically calculated. By positioning Google Cloud and Mandiant as authoritative voices on cloud threat intelligence, Google reinforces its competitive differentiation against AWS and Microsoft Azure in the enterprise security conversation. AWS and Azure both have significant security research arms, but Mandiant's incident response pedigree — built across thousands of real-world breach investigations since its founding in 2004 — gives Google a credibility asset that is genuinely difficult to replicate.

For Microsoft, the findings create both challenge and opportunity. Azure is the second-largest cloud platform globally, with approximately 22–23% market share compared to AWS's 31% and Google Cloud's 12% as of late 2024. Microsoft's security business has grown to over $20 billion in annual revenue, making it one of the largest cybersecurity vendors in the world. The company has invested heavily in Microsoft Sentinel (its cloud-native SIEM), Defender for Cloud, and the broader Microsoft Security Copilot platform — which uses GPT-4-class AI to accelerate threat detection and response.

The exploit-first attack paradigm described by Google actually plays to Microsoft's integrated security narrative. Microsoft's argument — that consolidating security tooling within a single vendor ecosystem reduces complexity and improves response time — becomes more compelling when the threat model demands speed above all else. A fragmented security stack with multiple vendor APIs and manual correlation workflows is structurally disadvantaged against attacks that move from initial exploit to objective completion in hours.

AWS, meanwhile, has been aggressively expanding its native security portfolio with services like Amazon Inspector (automated vulnerability management), AWS Security Hub, and Amazon GuardDuty. The findings from Google's research will likely accelerate investment across all three hyperscalers in exploit detection capabilities — specifically, the ability to identify in-memory exploitation patterns and post-exploitation behaviours that occur after a vulnerability is triggered but before a persistent backdoor is established.

Independent security vendors including CrowdStrike, Palo Alto Networks, and SentinelOne are also directly implicated. Their endpoint and cloud workload protection platforms are increasingly the last line of defence when patch management fails. Expect this research to be cited extensively in their enterprise sales motions throughout 2025.

Expert Perspective

From a strategic standpoint, Google's research crystallises a tension that has been building in enterprise security for several years: the gap between how quickly attackers can operationalise vulnerability intelligence and how quickly defenders can act on the same information. The asymmetry is structural. Attackers need to find and exploit one path; defenders must protect every path simultaneously.

The compression of the exploitation window to days — and in some cases hours — effectively breaks the economic model that underpins traditional vulnerability management. That model assumed organisations could triage, test, and deploy patches within a window that, while imperfect, was long enough for prioritised response. When that window collapses, the only viable responses are either dramatically faster patching infrastructure or compensating controls that can neutralise exploitation attempts before they succeed — think virtual patching via WAF rules, network segmentation that limits blast radius, and runtime application self-protection (RASP) technologies.

There is also an AI dimension worth examining carefully. Both offensive and defensive security communities are integrating large language models into their workflows. On the offensive side, AI-assisted vulnerability research can accelerate the development of working exploits from published CVEs. On the defensive side, tools like Microsoft Security Copilot and Google's own Gemini-powered security features promise to compress analyst response times. The race between AI-accelerated exploitation and AI-accelerated defence will likely define the cloud security landscape through the remainder of this decade.

Looking at the broader trajectory, organisations that invest now in automated vulnerability response pipelines — integrating CVE feeds, asset inventory, patch deployment automation, and compensating control activation — will build a structural advantage that compounds over time.

What This Means for Businesses

For business and IT decision-makers, the immediate priority is an honest audit of patch management velocity. The question to ask is not "do we have a patch management process?" but rather "how many hours does it take us to deploy a critical patch to every affected system after a CVE is published?" If the answer is measured in weeks, that process needs urgent redesign.

Practically, this means investing in software composition analysis tools that provide real-time visibility into every third-party component running in cloud environments, including dependencies that may not be directly managed by internal teams. It also means establishing pre-approved emergency change management procedures specifically for critical security patches, bypassing the standard change advisory board cycles that can add days or weeks to deployment timelines.

For organisations running Microsoft-centric infrastructure, ensuring that Windows systems are fully licensed and receiving security updates is foundational — a genuine Windows 11 key from a legitimate reseller ensures access to the full Microsoft Update pipeline, including out-of-band emergency patches that Microsoft issues for actively exploited vulnerabilities. Similarly, keeping productivity software current through properly licensed channels — an affordable Microsoft Office licence ensures access to the latest security-hardened builds — eliminates a common gap where unlicensed or outdated software deployments fall outside automated update coverage.

Cyber insurance policy reviews are also warranted. Many policies now include sub-limits or exclusions for breaches involving known, unpatched vulnerabilities. Understanding those terms before an incident is significantly more valuable than discovering them during a claim.

Looking Ahead

Several developments in the coming months will determine how this threat landscape evolves. The release of NIST's updated National Vulnerability Database enrichment data and CISA's ongoing Known Exploited Vulnerabilities (KEV) catalogue will become increasingly critical operational inputs for security teams — watch for new tooling integrations that automate response workflows based on KEV additions.

Google is expected to expand Mandiant's threat intelligence capabilities further into the Google Cloud Security Operations platform throughout 2025, with deeper integration between Chronicle SIEM and real-time exploit detection feeds. Microsoft will likely respond with enhanced Defender for Cloud features targeting the same exploit-detection use case, potentially announced at Microsoft Ignite or Build events in 2025.

The broader question is whether the industry can develop a genuine collective response to exploitation velocity — perhaps through coordinated, pre-disclosure patch distribution to major cloud providers, allowing hyperscalers to deploy virtual patches before CVEs are made public. Proposals along these lines have circulated in security research communities, but the coordination challenges are significant. This research from Google may provide the urgency needed to move those conversations forward.

Frequently Asked Questions

Why are attackers shifting from credential theft to software exploits for cloud attacks?

Software exploits offer attackers several structural advantages over credential-based entry. A working exploit against a widely deployed vulnerability can be operationalised at scale with minimal per-target effort, whereas credential attacks require either phishing campaigns, purchasing stolen credentials, or sustained brute-force activity. Modern cloud identity platforms — with multi-factor authentication, conditional access policies, and anomaly detection — have also raised the cost and complexity of credential-based intrusion. Exploiting a software vulnerability, particularly in a third-party application that sits outside the core identity perimeter, often bypasses these controls entirely. Google's Mandiant data suggests financially motivated groups and nation-state actors have both recognised this shift and are investing in vulnerability research as a primary capability.

What types of third-party software are most commonly exploited in cloud attacks?

Based on Mandiant's incident response history and broader industry data, the highest-risk categories include managed file transfer platforms (MOVEit, GoAnywhere, Accellion FTA have all featured in major incidents), SSL VPN and network edge appliances (Citrix NetScaler, Ivanti Connect Secure, Fortinet FortiGate), enterprise identity and SSO platforms, and cloud management and monitoring agents. These categories share common characteristics: they are internet-facing, widely deployed across large organisations, often run with elevated privileges, and historically receive less security scrutiny than core operating systems. Their position at the network perimeter or cloud boundary makes them high-value initial access points.

How should IT teams change their patch management approach in response to these findings?

The core change required is a shift from scheduled, periodic patching to risk-tiered, velocity-sensitive patching. In practice, this means: establishing real-time CVE monitoring feeds (CISA KEV, NVD, vendor security advisories) with automated alerting to asset owners; pre-approving emergency change management procedures for CVSS 9.0+ vulnerabilities that eliminate standard change advisory board delays; investing in software composition analysis to maintain a live inventory of every third-party component in cloud environments; and deploying compensating controls — WAF virtual patches, network segmentation, runtime protection — for vulnerabilities where immediate patching is not operationally feasible. The goal is to reduce mean time to patch for critical vulnerabilities from weeks to hours.
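One way to turn the risk-tiered, velocity-sensitive patching described here (and the KEV-driven automation mentioned under Looking Ahead) into a runnable triage step, written as an added example rather than code from Google, Mandiant or CISA. It assumes an inventory export with vendor and product fields, uses a constructed KEV excerpt in the public catalogue's JSON field names with illustrative dates, and the tier SLA hours are an assumed policy, not figures from the research.

```python
"""Risk-tiered patch triage: join a KEV feed against a software inventory
and assign a patch SLA by exposure. Added example; KEV data and inventory
below are constructed samples (real catalogue schema, illustrative dates)."""
import json
from datetime import datetime, timezone

# Constructed KEV excerpt using the catalogue's real field names.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
  "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
  "dateAdded": "2024-03-02", "dueDate": "2024-03-09", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCo", "product": "Widget Server",
  "dateAdded": "2024-03-03", "dueDate": "2024-03-24", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed asset inventory, the shape an SCA or CMDB export might give.
INVENTORY = [
    {"host": "mft-01", "vendor": "Progress", "product": "MOVEit Transfer", "internet_facing": True},
    {"host": "vpn-edge", "vendor": "Citrix", "product": "NetScaler ADC and Gateway", "internet_facing": True},
    {"host": "build-07", "vendor": "ExampleCo", "product": "Widget Server", "internet_facing": False},
    {"host": "db-02", "vendor": "Postgres", "product": "PostgreSQL", "internet_facing": False},
]

# Patch SLA in hours per tier: an assumed policy, not numbers from the report.
SLA_HOURS = {"T0-emergency": 24, "T1-urgent": 72, "T2-standard": 24 * 7}

def assign_tier(kev_entry, asset):
    """Tier follows exploitation evidence and exposure, not CVSS alone."""
    if asset["internet_facing"]:
        return "T0-emergency"          # KEV entry on an edge system: patch same day
    if kev_entry.get("knownRansomwareCampaignUse") == "Known":
        return "T1-urgent"             # internal but tied to ransomware campaigns
    return "T2-standard"

def triage(kev_json, inventory, now):
    """Return (host, CVE) matches with tier and SLA hours left, most urgent first."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        for asset in inventory:
            if (asset["vendor"], asset["product"]) != (entry["vendorProject"], entry["product"]):
                continue
            tier = assign_tier(entry, asset)
            added = datetime.strptime(entry["dateAdded"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            elapsed_h = (now - added).total_seconds() / 3600
            findings.append({"host": asset["host"], "cve": entry["cveID"], "tier": tier,
                             "hours_left": round(SLA_HOURS[tier] - elapsed_h, 1)})
    # Negative hours_left means the SLA was already blown before this run.
    return sorted(findings, key=lambda f: f["hours_left"])

def example_run(now_iso="2024-03-03T12:00:00+00:00"):
    """Run triage at a fixed clock so the result is reproducible."""
    return triage(KEV_JSON, INVENTORY, datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    for f in example_run():
        print(f"{f['tier']:13} {f['host']:9} {f['cve']:15} hours_left={f['hours_left']}")
```

In a real pipeline the `now` clock would be the wall clock and the KEV JSON would be fetched on a schedule, with each finding routed to the asset owner's ticket queue.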

Does this research affect Microsoft Azure users specifically, and what should they do?

Yes, Azure users are directly affected. Azure-hosted workloads frequently run third-party applications and services that represent exactly the attack surface described in Google's research. Additionally, hybrid deployments connecting on-premises Windows Server environments to Azure create pathways where an on-premises exploit can pivot to cloud resources. Microsoft has strong native security tooling — Defender for Cloud, Sentinel, and the Security Copilot AI platform — but these tools require proper configuration and active management to deliver value. Azure administrators should audit their third-party software inventory, ensure all systems are running on properly licensed and fully updated software (which guarantees access to Microsoft's full update pipeline including emergency out-of-band patches), and review their Defender for Cloud secure score with specific attention to vulnerability assessment findings.

OfficeandWin Tech Desk
Covering enterprise software, AI, cybersecurity, and productivity technology. Independent analysis for IT professionals and technology enthusiasts.