Companies are having a hard time keeping their cloud infrastructure secure, and the race to adopt and integrate AI services into their apps and workflows is making things worse.
Having analyzed billions of production assets on AWS, Azure, Google Cloud, Oracle Cloud and Alibaba Cloud this year, researchers from Orca Security warn that cloud assets have on average 115 vulnerabilities and over half of organizations have at least one such vulnerability that’s over 20 years old. This is an alarming trend considering that attackers, including state-backed cyberespionage groups, have increasingly targeted cloud infrastructure in recent years.
A third of analyzed cloud assets fall into Orca’s neglected-asset category — resources that use operating systems that are no longer supported and haven’t been patched in over 180 days. Almost all companies have at least one neglected asset, usually virtual machines.
Organizations are also feeling the pressure to adopt AI so they don’t get left behind, but this rushed approach often comes at the cost of security. According to Orca’s findings, 62% of organizations have at least one vulnerable AI-related package in their cloud environments, and many of these AI flaws are of medium severity or above, allowing for attacks such as data leakage or remote code execution.
Vulnerability exploitation on the rise
According to Verizon’s 2025 Data Breach Investigations Report (DBIR), which analyzed 22,000 security incidents, including 12,195 confirmed data breaches across 139 countries, vulnerability exploitation was the second-most prevalent initial access vector, behind credential abuse and, for the first time, ahead of phishing.
Coupled with the fact that many organizations now employ hybrid environments that combine local and cloud assets, vulnerabilities in either setting are highly attractive targets for attackers.
Orca found that over two-thirds of organizations have at least one cloud asset that is public-facing and enables lateral movement. Moreover, 55% of organizations have assets deployed across multiple cloud providers.
Web services are the most vulnerable assets, with 82% of organizations having at least one unpatched web service. And those vulnerabilities are not all new: 98% of organizations have at least one cloud asset vulnerability that’s over 10 years old.
Log4Shell and Spring4Shell, highly publicized and widely exploited flaws reported in 2021 and 2022 respectively, are two prominent examples. Orca found that almost 60% of orgs still had assets affected by these vulnerabilities and a third had internet-exposed assets that were vulnerable to Log4Shell, a flaw that leads to remote code execution.
“Clearly, these findings signal the critical need for better patch management, especially in the context of sophisticated threat groups targeting the least path of resistance to a compromise,” the Orca team wrote in its report.
For example, APT29, a cyberespionage group attributed to the Russian Federation’s Foreign Intelligence Service (SVR), is well known for exploiting vulnerabilities for initial access and for targeting cloud infrastructure. The group’s targets include technology companies, the compromise of which can lead to supply chain attacks.
Isolated risks lead to bigger issues
Orca also warns that half of organizations have assets exposing attack paths that can lead to sensitive data exposure, as well as 23% with paths that lead to broad permission access and compromised hosts. Attack paths are the combination of risks that appear isolated but can be combined to lead to bigger compromises.
For example, Orca found that over a third of organizations had at least one asset that created more than 100 attack paths, with one in 10 having assets with more than 1,000 attack paths. The most toxic asset identified by Orca in its dataset was responsible for 165,142 attack paths.
Data exposure is a common issue with one in three organizations having publicly exposed storage buckets or databases with sensitive data in them.
“Threat actors prize sensitive data, especially at a time when the demand for data continues to increase amid AI innovation,” the Orca team wrote. “It underscores a troubling trend that calls for more attention on data security.”
Identity threats
While vulnerabilities were the second most common initial access vector found in Verizon’s DBIR, abused credentials once again took the top spot. Identities that can be abused for initial access or lateral movement include not just end-user credentials but also API keys, access tokens, service accounts, cloud functions, and other non-human identities (NHIs) used by machines, services, and workloads.
“Our analysis finds that NHIs outnumber their human counterparts by an average of 50:1,” the Orca team said. “Yet NHIs, when left unsecured, can dramatically increase cloud risks. This is especially true when users grant NHIs more permissions than they need.”
Orca found that 77% of organizations that use AWS have at least one service account with permissions across two or more accounts and 12% of orgs have permissive roles attached to more than 50 instances. Some of these roles, once created, remain unused, with almost 90% of orgs having IAM credentials that were not used in over 90 days.
Many secrets that enable access to sensitive resources are exposed through source code repositories (85%) and over half of plaintext secrets remain embedded in Git history even if they are removed from the latest version of the code.
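As an added illustration of the Git-history point above (example code written here, not from Orca’s report or the article), this Python scanner walks a constructed `git log -p` sample in which a placeholder AWS access key ID is committed and later removed: the key is absent from HEAD, yet the history scan still finds the commit that introduced it. The key pattern and the sample log are assumptions constructed for the example.

```python
import re

# Constructed sample of `git log -p --reverse` output (not a real repository):
# commit 1 adds config.py holding a placeholder AWS access key ID, commit 2
# replaces it with an environment lookup, so the key is gone from HEAD.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
+REGION = "us-east-1"

commit 2222222222222222222222222222222222222222

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
 REGION = "us-east-1"
"""

# Contents of config.py at HEAD, i.e. after commit 2 (constructed).
HEAD_CONFIG = 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\nREGION = "us-east-1"\n'

# AKIA followed by 16 uppercase alphanumerics is the AWS access key ID format.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def find_secrets(text):
    """Return {pattern_name: sorted matches} for every pattern found in text."""
    return {name: sorted(set(p.findall(text)))
            for name, p in PATTERNS.items() if p.search(text)}

def scan_history(log_text):
    """Report each secret on an added (+) line of `git log -p` output with the short commit hash that introduced it."""
    hits, commit = [], None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("+") and not line.startswith("+++"):
            for name, matches in find_secrets(line[1:]).items():
                hits.extend((commit, name, m) for m in matches)
    return hits
```

Scanning only the checked-out tree (`find_secrets(HEAD_CONFIG)`) reports nothing, while `scan_history(SAMPLE_LOG)` still surfaces the key from commit 1, which is why a leaked secret must be rotated rather than merely deleted from the latest revision.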
On top of exposed secrets, attackers can also take advantage of misconfigurations in infrastructure-as-code templates (20% of orgs), Lambda functions (77% of orgs), and source code management platforms such as GitHub and GitLab (57% of orgs).
“Cloud security has reached a critical turning point,” the Orca team concluded. “As organizations increasingly rely on the cloud to accelerate innovation and growth, several converging trends are reshaping the challenges security teams face — and the strategies they need to stay ahead.”
Originally published by CSO Online as “Cloud assets have 115 vulnerabilities on average — some several years old”.