Cloud risk is systemic, says Wiz
Wiz's 2025 retrospective argues attackers increasingly exploit chains of familiar cloud weaknesses—over-privileged identities, exposed dependencies and integration gaps—rather than exotic new exploits, making risk an architectural problem. The framing implies teams should map dependency blast radii and privilege relationships across SaaS, managed services and AI connectors, not just run misconfiguration scans. (wiz.io)
Most cloud break-ins still start with old mistakes. Wiz says about 80% of the cloud intrusions it analyzed in 2025 began with familiar entry points like vulnerabilities, exposed secrets, and misconfigurations, not some brand-new magic trick. (wiz.io)

Cloud security used to be sold like a checklist problem: find the bad setting, fix the bad setting, move on. Wiz’s new argument is that the real danger now sits in the connections between systems, because one weak component can inherit trust from five others. (wiz.io)

That is what “systemic” means here. A cloud account is less like one locked room and more like an office building where badges, service accounts, application programming interfaces, and software packages all open different doors for each other. (wiz.io)

Wiz points to incidents like Shai-Hulud and React2Shell as examples of this shift. In both cases, the blast radius came from shared infrastructure, software dependencies, and trusted integrations that let a single weakness travel farther than defenders expected. (wiz.io)

Shai-Hulud 2.0 shows what that looks like in practice. Wiz said the campaign exposed secrets across more than 25,000 repositories tied to about 350 unique users, turning one supply-chain compromise into a credential-harvesting event that could spill into many cloud environments. (wiz.io)

React2Shell shows the same pattern from a different angle. Wiz described it as a critical unauthenticated remote code execution flaw in React server components, and said attackers quickly targeted internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services. (wiz.io 1) (wiz.io 2)

Artificial intelligence did not replace those old risks in 2025. Wiz says it mostly expanded the number of places they can appear by adding new services, pipelines, identities, and data paths, often closer to sensitive data and high-value workloads. (wiz.io)

That changes what defenders have to map. A team now has to understand which identity can reach which data store, which software package sits inside which service, and which software as a service connector can pass trust into the rest of the environment. (wiz.io 1) (wiz.io 2)

Wiz’s own product language hints at the operational answer. Its attack surface management pitch centers on discovering external-facing assets across cloud, artificial intelligence, software as a service, and on-premises systems, then tying those exposures to impact and ownership instead of treating each alert as an isolated finding. (wiz.io)

So the practical takeaway is narrower than “everything is broken.” The companies that do better are the ones that can see exposure, identity privilege, and dependency chains in one map, because attackers are increasingly walking those relationships instead of kicking down a single front door. (wiz.io)
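The "one map" the article describes is, in practice, a directed graph of trust relationships: a package is bundled into a service, the service runs as a role, the role can assume another role or read a data store, and a SaaS connector holds a credential for a role. The small Python model below is an added example, not Wiz's code or data. Its inventory of nodes and edges is entirely constructed, and it goes one step beyond the text: besides computing the blast radius of a single compromised component (what it can reach, and by which chain), it ranks the graph's chokepoints, the nodes whose removal would cut off the most paths to sensitive data, which is the kind of "impact and ownership" prioritization the article contrasts with isolated alerts.

```python
"""Toy blast-radius and chokepoint analysis over a cloud trust graph.

Added example, not code or data from Wiz. Every node and edge below is a
constructed sample: an over-privileged task role that can assume a CI role,
a SaaS connector holding that CI role's credential, and an AI agent that
uses the connector. Edge labels reuse real AWS action names only as
illustrative relation types.
"""
from collections import deque

# Directed trust edges: (source, target, relation).
# If `source` is compromised, an attacker can act as or reach `target`.
EDGES = [
    ("pkg:ui-widgets@3.4.1", "svc:web-frontend", "bundled_in"),
    ("svc:web-frontend", "role:frontend-task", "runs_as"),
    ("role:frontend-task", "data:public-assets", "s3:GetObject"),
    ("role:frontend-task", "role:ci-deployer", "sts:AssumeRole"),  # over-privileged trust
    ("role:ci-deployer", "data:customer-db-snapshots", "s3:GetObject"),
    ("saas:chat-connector", "role:ci-deployer", "stored_credential"),
    ("svc:ai-agent", "saas:chat-connector", "uses_integration"),
    ("role:analyst", "data:customer-db-snapshots", "s3:GetObject"),
    ("role:analyst", "data:public-assets", "s3:GetObject"),
]

# Data stores whose exposure we care about (constructed).
SENSITIVE = {"data:customer-db-snapshots"}


def build_graph(edges):
    """Adjacency list: node -> [(neighbour, relation), ...]."""
    graph = {}
    for src, dst, rel in edges:
        graph.setdefault(src, []).append((dst, rel))
        graph.setdefault(dst, [])
    return graph


def blast_radius(edges, start):
    """Every node reachable from `start`, mapped to one shortest trust chain.

    Breadth-first search, so the recorded chain has the fewest hops.
    """
    graph = build_graph(edges)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, rel in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + ["-[%s]->" % rel, nxt]
                queue.append(nxt)
    del paths[start]  # a node trivially "reaches" itself; drop it
    return {node: " ".join(chain) for node, chain in paths.items()}


def exposed_sensitive(edges, start, sensitive=SENSITIVE):
    """Subset of blast_radius() restricted to sensitive data stores."""
    return {n: p for n, p in blast_radius(edges, start).items() if n in sensitive}


def nodes_reaching_sensitive(edges, sensitive=SENSITIVE):
    """All non-sensitive nodes whose compromise exposes at least one sensitive store."""
    graph = build_graph(edges)
    return {n for n in graph if n not in sensitive and exposed_sensitive(edges, n, sensitive)}


def chokepoints(edges, sensitive=SENSITIVE):
    """Rank nodes by how many exposure paths disappear if that node is fixed/removed.

    Score = number of nodes (the node itself included) that could reach
    sensitive data before, but no longer can once the node and its edges are gone.
    A high score marks the single remediation with the largest payoff.
    """
    before = nodes_reaching_sensitive(edges, sensitive)
    scores = {}
    for node in before:
        pruned = [e for e in edges if node not in (e[0], e[1])]
        after = nodes_reaching_sensitive(pruned, sensitive)
        scores[node] = len(before - after)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    origin = "pkg:ui-widgets@3.4.1"
    print("If %s is compromised, it exposes:" % origin)
    for store, chain in exposed_sensitive(EDGES, origin).items():
        print("  %s via %s" % (store, chain))
    print("\nChokepoints (fix these first):")
    for node, score in chokepoints(EDGES):
        print("  %-24s cuts %d exposure source(s)" % (node, score))
```

Run it and the package-to-snapshot chain is printed in full, while the ranking puts the CI role's trust at the top: removing or tightening that one `sts:AssumeRole` relationship severs the path for the package, the frontend service, the task role, the SaaS connector and the AI agent alike, whereas fixing the vulnerable package alone only helps the package. That asymmetry is the argument for mapping relationships rather than triaging findings one at a time.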