Enterprise cloud environments are carrying unaddressed security gaps that are being actively exploited, according to a new industry report that challenges long-held assumptions about patching as the primary line of defence. The study, compiled from telemetry across thousands of production workloads hosted on major platforms including Amazon Web Services, Microsoft Azure and Google Cloud, finds that organisations are overwhelmed by vulnerability alerts yet remain exposed to a smaller cluster of high-impact flaws that attackers are targeting in real time. Analysts argue that the emphasis on patch volume and compliance metrics is masking deeper structural weaknesses in configuration, identity management and exposure control.
Researchers examined millions of assets across public and hybrid cloud estates and found that a significant proportion of internet-facing workloads contained at least one critical vulnerability tied to known exploitation patterns. These included misconfigured storage buckets, publicly exposed administrative interfaces, outdated container images and over-privileged service accounts. In many cases, flaws persisted for months after disclosure, even in enterprises that reported strong patching cycles.
Security executives interviewed for the report said the scale of vulnerability disclosures—now running into tens of thousands annually—has created operational fatigue. While automated scanners flag issues quickly, remediation teams struggle to prioritise effectively. The report contends that fewer than 5 per cent of identified vulnerabilities account for the majority of observed exploitation attempts, yet resources are often distributed evenly across all findings.
Attackers, by contrast, are highly selective. Threat intelligence data analysed for the study shows increased targeting of cloud-native services, identity federation mechanisms and remote management tools. Compromised credentials and token theft remain common entry points, particularly where multi-factor authentication is inconsistently enforced or conditional access policies are poorly configured.
Industry specialists say this shift reflects a broader change in adversary behaviour. Rather than relying solely on software bugs, cybercriminal groups are exploiting architectural weaknesses in how cloud environments are deployed. Excessive permissions, flat network structures and unsecured APIs allow lateral movement once initial access is gained. Ransomware operators and state-linked actors alike have demonstrated the ability to pivot rapidly within misconfigured cloud estates.
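The over-privileged service accounts mentioned earlier and the "excessive permissions" that allow lateral movement are usually visible in the identity policy documents themselves. The following added example (not from the report or any cloud provider's tooling) audits AWS-style IAM policy JSON for the patterns a defender would want flagged: wildcard actions, `Resource: "*"`, and role-assumption or PassRole rights granted without any condition. The two policy documents and the account id and resource names inside them are constructed for illustration; the set of "pivot-capable" actions is an assumption chosen for the example, not an exhaustive list.

```python
"""Flag over-privileged IAM-style policy statements (added example, constructed policies)."""
import json

# Constructed sample policies for illustration; not taken from any real account.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole", "iam:PassRole"], "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-invoices-bucket/*"},
        {"Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/example-reporting-role",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Actions that commonly let a compromised identity widen its own access when
# they are granted on every resource or without a condition (assumed list).
PIVOT_ACTIONS = {
    "sts:AssumeRole", "iam:PassRole", "iam:CreateAccessKey",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutRolePolicy",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action: str) -> bool:
    """'*' grants everything; 'service:*' grants every action of one service."""
    return action == "*" or action.endswith(":*")


def audit_policy(policy_json: str) -> list:
    """Return a list of human-readable issues found in Allow statements."""
    policy = json.loads(policy_json)
    issues = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        all_resources = "*" in resources
        wild = [a for a in actions if _is_wildcard_action(a)]
        pivot = [a for a in actions if a in PIVOT_ACTIONS]

        if wild and all_resources:
            issues.append(f"statement {idx}: wildcard action(s) {wild} on all resources")
        elif wild:
            issues.append(f"statement {idx}: wildcard action(s) {wild}")
        elif all_resources:
            issues.append(f"statement {idx}: Resource '*' for {actions}")

        if pivot and all_resources:
            issues.append(f"statement {idx}: pivot-capable action(s) {pivot} on all resources")
        if pivot and "Condition" not in stmt:
            issues.append(f"statement {idx}: pivot-capable action(s) {pivot} without any Condition")
    return issues


def is_over_privileged(policy_json: str) -> bool:
    """Convenience wrapper for use in a CI gate or posture check."""
    return bool(audit_policy(policy_json))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", audit_policy(doc) or "no issues")
```

Running the audit over the weak policy reports four issues (the blanket `*`/`*` grant, and the unscoped, unconditioned role-assumption rights), while the scoped policy passes because every action is bound to a named resource and the role assumption additionally requires MFA. A check like this is cheap to run against every policy change in a pipeline, which is how the shared-accountability model the report describes becomes enforceable rather than aspirational.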
The report urges organisations to adopt exposure management frameworks that prioritise vulnerabilities based on exploitability, asset criticality and attack surface visibility. This approach moves beyond counting patches applied and instead measures whether exploitable paths to sensitive workloads have been eliminated. Analysts argue that visibility into runtime configurations, identity relationships and third-party integrations is essential to reducing real-world risk.
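To make the difference between patch-count metrics and exposure-based prioritisation concrete, here is an added example (not the report's own methodology, and not any vendor's scoring formula) that ranks a constructed set of findings two ways: by CVSS base score alone, and by a composite exposure score that also weighs whether the flaw is known to be exploited in the wild, whether the asset is internet-facing, whether it touches an over-privileged identity, and how critical the asset is. The findings, the asset names and the weights are all assumptions chosen to illustrate the idea.

```python
"""Risk-based prioritisation of vulnerability findings (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float                 # base severity, 0-10
    known_exploited: bool       # present in an exploited-in-the-wild feed
    internet_facing: bool       # reachable from the public internet
    asset_criticality: int      # 1 (low) .. 5 (crown jewels), set by the asset owner
    privileged_identity: bool   # the flaw sits on an over-privileged role/service account


# Constructed sample findings; assets and values are invented for illustration.
FINDINGS = [
    Finding("F-001", "billing-api",        9.8, True,  True,  5, False),
    Finding("F-002", "dev-sandbox",        9.8, False, False, 1, False),
    Finding("F-003", "admin-console",      7.5, True,  True,  4, True),
    Finding("F-004", "log-archive-bucket", 5.3, False, True,  3, False),
    Finding("F-005", "internal-wiki",      8.1, False, False, 2, False),
    Finding("F-006", "build-runner",       6.5, True,  False, 3, True),
]


def exposure_score(f: Finding) -> float:
    """Combine exploitability, exposure and asset criticality into one number.

    The multipliers are assumptions for this example: known exploitation
    triples the weight, internet exposure and privileged identity each add to
    it, and the asset owner's criticality rating scales the whole thing.
    """
    exploitability = 1.0 + (2.0 if f.known_exploited else 0.0)
    exposure = 1.0 + (1.5 if f.internet_facing else 0.0) + (1.0 if f.privileged_identity else 0.0)
    return f.cvss * exploitability * exposure * f.asset_criticality


def prioritise(findings):
    """Rank by composite exposure score, highest first."""
    return sorted(findings, key=exposure_score, reverse=True)


def cvss_only(findings):
    """The severity-only ordering that a patch-volume metric implicitly uses."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def exploited_coverage(ranked, n: int) -> float:
    """Fraction of known-exploited findings that fall inside the top n of a ranking.

    This is the kind of metric the report argues for: not 'how many did we
    patch', but 'did our first n fixes remove the paths attackers actually use'.
    """
    exploited = [f for f in ranked if f.known_exploited]
    if not exploited:
        return 1.0
    covered = [f for f in ranked[:n] if f.known_exploited]
    return len(covered) / len(exploited)


if __name__ == "__main__":
    for label, ranking in (("cvss only", cvss_only(FINDINGS)), ("exposure", prioritise(FINDINGS))):
        print(label, [f.finding_id for f in ranking],
              "top-3 coverage of exploited findings:", exploited_coverage(ranking, 3))
```

With this data the CVSS-only ordering puts the idle development sandbox level with the billing API at the top and pushes the actively exploited, internet-facing admin console to fourth place, so a team that fixes the top three by severity removes only one of the three exploited paths. The exposure ordering places the three known-exploited findings first, so the same three fixes close every exploited path. The exact weights matter less than the structure: exploit evidence and exposure must be able to outrank raw severity, or the ranking collapses back into a patch count.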
Cloud providers have expanded native security tooling, offering threat detection, posture management and encryption services. Yet adoption remains uneven. Smaller enterprises, in particular, often rely on default configurations without fully understanding shared responsibility models. Even large corporations with dedicated security teams face challenges integrating multiple tools across multi-cloud environments.
The report also highlights the growing complexity introduced by containerisation and microservices. Development teams deploy code at speed using automated pipelines, sometimes outpacing security reviews. Vulnerable open-source components embedded in container images can propagate across clusters before patches are applied. Security leaders warn that without continuous monitoring and image scanning at build time, exposures can multiply rapidly.
Regulatory pressure is intensifying. Data protection authorities across Europe, North America and parts of Asia have imposed substantial penalties on organisations that failed to secure cloud-hosted personal data. Supervisory bodies increasingly expect evidence that risk-based vulnerability management processes are in place, rather than simple proof of patch cycles. Boards are also demanding clearer metrics that link technical remediation to financial risk.
Financial services, healthcare and energy sectors appear particularly exposed, given their reliance on interconnected digital platforms and third-party service providers. Supply-chain vulnerabilities, where a weakness in one vendor’s cloud environment affects multiple clients, are drawing scrutiny from regulators and insurers. Cyber insurance underwriters are tightening policy terms, often requiring demonstrable controls around privileged access and external exposure monitoring.
Security strategists say culture and governance play as much a role as technology. Effective cloud risk reduction requires collaboration between development, operations and security teams, with shared accountability for configuration standards. Continuous attack-surface mapping, automated identity governance and real-time alert correlation are emerging as core capabilities.