Cloud security vulnerabilities are turning enterprise workloads into easy targets despite heavy investment in modern security tools. After years of spending on cloud security tooling, a pattern of disclosures shows that most organisations still run workloads attackers can compromise with ease. According to the latest Tenable Cloud and AI Security Risk Report 2026, exposure management has become the central issue of modern cloud security.
The report finds that 82% of organisations run at least one workload with a known exploited vulnerability. These are not hypothetical weaknesses: they are listed in the CISA Known Exploited Vulnerabilities (KEV) catalogue, meaning working exploit code already exists in the wild, which makes them far more dangerous than theoretical flaws. The distinction matters because a high CVSS score alone does not imply active risk; exposure combined with exploitation does.
The statistics indicate that most businesses have failed to operationalise this distinction. Weaknesses that have already been weaponised are not being addressed in time. To an attacker, such workloads are sitting ducks: there is no need to develop a zero-day, only to wait and test.
Cloud security vulnerabilities and cloud workloads at risk
The report shows that the cloud workloads at risk are mostly legacy systems that enterprises hesitate to patch because of downtime concerns. The problem is not spread evenly across infrastructure types. Containers are widely used, yet on average 84% of all unpatched workloads are virtual machines, while container images account for 15%. This imbalance points to where legacy risk lives: older VM-based systems running mission-critical applications, which organisations are reluctant to patch because of compatibility concerns.
The result is a structural remediation gap. Security teams identify vulnerabilities, and operations teams postpone patching to avoid downtime. Over time these exceptions harden into long-term exposure. With more than 84% of unpatched workloads being virtual machines that continue to carry known vulnerabilities, VMs are the biggest contributors to enterprise exposure. This is compounding risk debt: the longer a VM goes unpatched, the more likely it is that an exploit for it will be automated and weaponised.
End-of-life operating systems and governance failure
More than half of organisations still rely on end-of-life operating systems that no longer receive vendor security updates. Lifecycle management is a second weakness: 57% of organisations run workloads on end-of-life (EoL) operating systems for which the vendor no longer releases security updates. Unlike unpatched vulnerabilities, EoL risk is more evenly distributed: virtual machines account for 56 percent of EoL workloads and containers for 43 percent.
The existence of EoL containers is especially telling. Containers are assumed to be new and short-lived, but the data points to a failure of so-called golden image governance, the process of ensuring that only vetted, secure base images are deployed. Once a bad base image enters a pipeline, it can spread risk at scale across environments without raising any alarm.
React2Shell vulnerability: The shrinking patch window
The React2Shell vulnerability demonstrated how attackers can weaponise flaws within hours of public disclosure, leaving organisations with almost no reaction time. React2Shell (CVE-2025-55182) is an example of how remediation timelines have collapsed. Active exploitation was confirmed within six hours of public disclosure, and 12 percent of organisations still had vulnerable workloads running two weeks after the patch became available. The bottleneck is no longer the speed of attackers but the speed of organisations.
Attackers now monitor disclosure channels, and exploit development is automated almost immediately. The established patch cycle of identify, test, schedule and deploy cannot keep pace once exploitation begins the same day as disclosure. Enterprise cloud security now depends less on scanning volume and more on identifying which vulnerabilities attackers are already using.
From volume-based patching to exposure management
Experts argue that exposure management must replace volume-based patching, prioritising vulnerabilities that are actively exploited and business-critical. The analytical conclusion is clear: security programmes that maximise volume are out of touch with real-world risk. When every vulnerability is treated as critical, the result is alert fatigue and misdirected effort. What counts is the combination of exploitability, reachability and business impact.
Exposure management frames the problem differently. Rather than asking only how many critical CVEs we have, organisations need to ask:
- Which of our existing vulnerabilities are under active exploitation?
- Which workloads are internet-facing or hold sensitive data?
- Which identities and systems permit lateral movement?
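To make the contrast between volume-based patching and exposure management concrete, here is an added Python triage routine (not code from the Tenable report or this article) that ranks findings by exploitability, reachability and business impact rather than CVSS alone. The workload names, the CVE-XXXX-* identifiers, the KEV set and the dates are constructed placeholders; only CVE-2025-55182 is taken from the article.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed data for the example. CVE-2025-55182 (React2Shell) is named in the
# article; the CVE-XXXX-* ids are placeholders, not real identifiers.
KEV_CATALOGUE = {"CVE-2025-55182", "CVE-XXXX-KEV-2"}
TODAY = date(2026, 2, 25)  # assumed "now" for the days-since-disclosure calculation

@dataclass(frozen=True)
class Finding:
    workload: str
    kind: str             # "vm" or "container"
    cve: str
    cvss: float
    internet_facing: bool
    sensitive_data: bool
    eol_os: bool          # end-of-life OS: no vendor fix will ever arrive
    disclosed: date

def days_since_disclosure(f: Finding, today: date = TODAY) -> int:
    return (today - f.disclosed).days

def exposure_score(f: Finding, kev: set[str] = KEV_CATALOGUE, today: date = TODAY) -> float:
    """Exploitability + reachability + business impact; CVSS only breaks ties."""
    score = 0.0
    if f.cve in kev:
        # Working exploit code exists: this dominates, and every unpatched day after
        # disclosure adds to it (capped so old entries do not swamp brand-new ones).
        score += 50 + min(days_since_disclosure(f, today), 30)
    if f.internet_facing:
        score += 20                       # reachable by anyone, not only insiders
    if f.sensitive_data:
        score += 15                       # business impact if compromised
    if f.eol_os:
        score += 10                       # lifecycle debt: a patch is not an option
    return score + f.cvss

def prioritise(findings: list[Finding], kev=KEV_CATALOGUE, today=TODAY) -> list[Finding]:
    return sorted(findings, key=lambda f: exposure_score(f, kev, today), reverse=True)

def sample_findings() -> list[Finding]:
    # Constructed sample: a CVSS 10.0 flaw with no known exploit on an internal EoL VM,
    # the React2Shell CVE on an internet-facing payment VM, and a KEV CVE on an API container.
    return [
        Finding("batch-vm-07", "vm", "CVE-XXXX-NOTKEV", 10.0, False, False, True, date(2025, 6, 1)),
        Finding("pay-vm-01", "vm", "CVE-2025-55182", 9.8, True, True, False, date(2026, 2, 11)),
        Finding("api-ctr-03", "container", "CVE-XXXX-KEV-2", 7.5, True, False, False, date(2025, 12, 1)),
    ]

def prioritised_workloads() -> list[str]:
    return [f.workload for f in prioritise(sample_findings())]
```

The highest-CVSS finding lands last because nothing is exploiting it and nobody outside can reach it, while the two KEV entries on reachable workloads rise to the top.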
Seen this way, sitting-duck workloads are not technical anomalies but an outcome of governance. They form wherever patching is slow, lifecycles are poorly managed and prioritisation lacks context.
Perfect security is impossible, but sitting-duck workloads are avoidable. The way forward is to move past reactive patching to context-sensitive exposure management, where remediation is driven by exploit reality rather than scanner noise. For Indian enterprises, cloud security risks are growing as legacy systems mix with modern cloud infrastructure across the banking, telecom and SaaS sectors.