A new analysis reveals a crisis in cloud security. Businesses struggle to protect their cloud environments, even as attackers grow more aggressive.
According to Eye World’s review of Orca Security’s findings, cloud systems today contain an average of 115 vulnerabilities. Over half of all organizations host cloud assets with flaws older than 20 years. These legacy risks now offer easy entry points for cyberespionage groups and ransomware actors.
Orca examined billions of cloud assets across major providers like AWS, Azure, and Google Cloud. One in three assets was labeled “neglected,” typically running outdated operating systems and lacking security patches for more than six months.
The rush to adopt AI adds another layer of concern. Sixty-two percent of organizations use at least one vulnerable AI-related package in the cloud. Many flaws allow data leaks or remote code execution.
Exploited Weaknesses Now Outpace Phishing
Verizon’s 2025 Data Breach Report found that vulnerability exploitation has surpassed phishing as an entry vector. Over 12,000 breaches were analyzed in 139 countries.
Hybrid environments — combining on-prem and cloud — are now the norm. This increases the number of exploitable points and blurs the lines of defense.
Orca reports that two-thirds of companies have at least one cloud asset exposed to the public internet. Over half manage infrastructure across multiple cloud platforms. This multiplies the difficulty of maintaining secure configurations.
Aging Web Services and Unpatched Risks
Web services emerged as the most exposed cloud assets. A staggering 82% of organizations run at least one outdated web service. Ninety-eight percent harbor vulnerabilities over a decade old.
Even known, high-profile flaws like Log4Shell and Spring4Shell remain active. Nearly 60% of companies are still affected. A third of them have internet-facing systems open to remote code execution.
Compound Attack Paths Threaten Sensitive Data
Attackers often exploit isolated risks in combination. This creates complex attack paths leading to data loss or system compromise.
Half of all companies have assets exposing attack routes to sensitive data. One in four has paths that can escalate access privileges.
Some assets are highly dangerous. In one case, a single resource allowed over 165,000 unique attack paths. One-third of organizations expose more than 100 such paths.
Publicly exposed databases are also common. One in three companies leaks sensitive data through open cloud storage or SQL systems.
Identity Misuse: The Cloud’s Silent Threat
While vulnerabilities are rising, stolen credentials remain the top attack vector. And the threat isn’t limited to human users.
Non-human identities (NHI) — such as service accounts and tokens — now outnumber user accounts 50 to 1. Many carry excessive permissions and are left unmonitored.
Seventy-seven percent of AWS users run at least one service account with cross-account privileges. Twelve percent have rights extending across 50 or more instances.
Access keys are often inactive for months but remain valid. Nearly 90% of organizations have unused credentials sitting idle for over 90 days.
Secrets embedded in source code repositories also pose major risks. In 85% of companies, access credentials are exposed via Git. Over half remain retrievable in the commit history, even after deletion.
Configuration Risks and Insecure Automation
Misconfigured Infrastructure-as-Code (IaC) templates are widespread. One in five companies uses insecure templates. Over three-quarters have vulnerable Lambda functions.
Platforms like GitHub and GitLab also present attack vectors. Orca found that 57% of organizations had exposed weaknesses in their source code platforms.
The Cloud Security Crossroads
Cloud reliance is accelerating. Yet organizations face new and evolving risks. As AI and hybrid environments gain traction, traditional defenses fall short.
Eye World emphasizes the urgency of proactive security. Better patch management, access controls, and configuration audits must become standard practice.
“Cloud security has entered a pivotal phase,” Orca’s team states. “Multiple converging trends are reshaping how we must defend modern systems.”
