Executive Summary
In late 2025, serious vulnerabilities were found in Google Looker, a widely used business intelligence platform, and were publicly disclosed in February 2026 (helpnetsecurity.com). Chained together, the flaws allowed remote code execution on a Looker server and exfiltration of data across different Google Cloud Platform (GCP) tenants. The most severe issue gave an attacker full control over a Looker instance, which in turn enables data manipulation and deeper infiltration of the surrounding network. Google patched its cloud-hosted Looker instances itself; organizations running self-hosted Looker had to apply the updates themselves. No exploitation in the wild is reported in the sources cited on this page.
The incident underscores the growing threat to cloud-based business intelligence tools. As organizations rely more heavily on such platforms, robust security controls and timely patch management are needed to prevent unauthorized access and data breaches.
Why This Matters Now
The disclosure of these vulnerabilities highlights the need for organizations to secure their cloud-based business intelligence platforms proactively. Timely patching and adherence to security best practices are essential to safeguard sensitive data and maintain operational integrity, particularly for self-hosted deployments, which do not receive the vendor's automatic fixes.
Attack Path Analysis
The reporting describes the following chain, which the flaws make possible (no in-the-wild exploitation is reported on this page; see Exploit Status below). A path traversal vulnerability in Google Looker lets an attacker write into a project's Git hooks; because Git runs hook scripts on subsequent repository operations, this yields remote code execution (RCE) on the Looker server. From there the attacker could escalate privileges on the host, move laterally across shared infrastructure into other Google Cloud Platform (GCP) tenants' environments, establish command and control (C2) channels to keep access, and exfiltrate sensitive data from those tenants. The impact is unauthorized access to multiple organizations' data, with the attendant risk of data breaches and operational disruption.
Kill Chain Progression
Initial Compromise
Description
A path traversal vulnerability in Google Looker allows an attacker to write a Git hook into a project repository; the hook executes on the next Git operation, giving remote code execution on the Looker server. Note that CVE-2025-12740 listed below describes a separate issue (command execution through IBM DB2 driver parameters); this page does not assign an identifier to the Git-hook path traversal.
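The class of bug described above is a file-write API that builds a path from user input without confining it to the project directory. The following is an added, generic illustration of that pattern and of the check that closes it; it is not Looker's code and makes no claim about Looker's internal layout. The project root, file names and the `.git/hooks` target are constructed for the example.

```python
"""Generic path-traversal illustration: an unsafe project file-write path
builder beside a hardened one that confines writes to the project root and
refuses to touch the repository's own metadata (including Git hooks).

Added example; not Looker's code. Paths below are constructed for the demo.
"""
import os
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested write would leave the project or hit .git/."""


def unsafe_project_path(project_root: str, relative: str) -> str:
    # Vulnerable pattern: plain string join, no canonicalisation, no check.
    # 'views/../.git/hooks/post-checkout' lands inside .git/hooks, and an
    # absolute or '../..' input can leave the project directory entirely.
    return os.path.join(project_root, relative)


def safe_project_path(project_root: str, relative: str) -> str:
    # Canonicalise both sides first so '..', '.', symlinks and absolute
    # inputs are all resolved before any comparison is made.
    root = Path(project_root).resolve()
    candidate = (root / relative).resolve()

    # 1. The target must be the root itself or strictly below it.
    if candidate != root and root not in candidate.parents:
        raise PathTraversalError(f"{relative!r} escapes project root")

    # 2. Even inside the root, never allow writes into the repository's
    #    metadata: a file dropped in .git/hooks/ is executed by Git.
    if ".git" in candidate.relative_to(root).parts:
        raise PathTraversalError(f"{relative!r} targets repository metadata")

    return str(candidate)


def is_write_allowed(project_root: str, relative: str) -> bool:
    """Convenience wrapper: True if the hardened check accepts the path."""
    try:
        safe_project_path(project_root, relative)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed demo inputs (not a real Looker deployment).
    root = "/srv/looker/projects/acme"
    for rel in ("views/orders.view.lkml",
                "views/../.git/hooks/post-checkout",
                "../../etc/cron.d/backdoor",
                "/etc/passwd"):
        print(f"{rel:40} unsafe -> {unsafe_project_path(root, rel)}")
        print(f"{'':40} safe   -> {'allowed' if is_write_allowed(root, rel) else 'REJECTED'}")
```

The second check matters on its own: a traversal that never leaves the project directory can still reach `.git/hooks/`, so confining the path to the root is necessary but not sufficient for a repository-backed store.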
Related CVEs
CVE-2025-12740
CVSS 7.7 (High). A Looker user with the Developer role could create a database connection using the IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command because the driver's parameters were inadequately filtered.
Affected Products:
Google Looker – versions earlier than 25.0.93, 25.6.84, 25.12.42, 25.14.50 and 25.16.44 in their respective release trains
Exploit Status:
No public exploit; no in-the-wild exploitation reported.
MITRE ATT&CK® Techniques
Exploitation of Remote Services (T1210)
Transfer Data to Cloud Account (T1537)
Remote Services: Cloud Services (T1021.007)
Exfiltration to Cloud Storage (T1567.002)
Valid Accounts: Cloud Accounts (T1078.004)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data Protection
Control ID: 3.1
NIS2 Directive – Security Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Google Looker vulnerabilities enable cross-tenant RCE and data exfiltration, compromising financial analytics platforms and customer data across multiple cloud environments.
Health Care / Life Sciences
Application vulnerabilities in Looker threaten patient data analytics systems, enabling unauthorized access to sensitive healthcare information across separate tenant boundaries.
Information Technology/IT
Cross-tenant RCE vulnerabilities in Google Looker expose IT service providers' multi-client environments to lateral movement and data exfiltration attacks.
Government Administration
Looker security flaws create critical risks for government analytics platforms, potentially allowing attackers to reach sensitive agency data across different agency tenants.
Sources
- Google Looker Bugs Allow Cross-Tenant RCE, Data Exfil (Dark Reading): https://www.darkreading.com/application-security/google-looker-bugs-cross-tenant-rce-data-exfil
- Google Cloud Platform (GCP) Zero-Click Cross-Tenant SQL Injection Vulnerability Through Stored Credentials in Looker Studio, Research Advisory TRA-2025-29 (Tenable): https://www.tenable.com/security/research/tra-2025-29
- Vulnerabilities Allowed Full Compromise of Google Looker Instances (SecurityWeek): https://www.securityweek.com/vulnerabilities-allowed-full-compromise-of-google-looker-instances/
- Major vulnerabilities found in Google Looker, putting self-hosted deployments at risk (Help Net Security): https://www.helpnetsecurity.com/2026/02/04/google-looker-vulnerabilities-cve-2025-12743/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident because network-layer controls could have limited an attacker's ability to move laterally across shared infrastructure and to exfiltrate data after the initial compromise, reducing the blast radius of a breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Network controls do not fix the application-layer flaw itself; the initial compromise is addressed only by applying the Looker updates. The fabric's value lies in the later stages of the chain, described below.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been limited, reducing the scope of access to critical system resources.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement across shared infrastructure may have been constrained, limiting access to other tenants' environments.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been restricted, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been limited, reducing the volume of sensitive data transferred to external accounts.
The overall impact of the breach may have been reduced, limiting data exposure and operational disruptions.
Impact at a Glance
Affected Business Functions
- Data Analytics
- Business Intelligence
- Reporting
Estimated downtime: 7 days (illustrative estimate; not derived from a reported incident)
Estimated loss: $500,000 (illustrative estimate; not derived from a reported incident)
Potential exposure of sensitive business data, including customer information and internal analytics.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least-privilege access and prevent lateral movement across shared infrastructure.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows and detect unauthorized access attempts.
- Use Multicloud Visibility & Control to gain comprehensive insight into cloud environments and detect anomalous activity.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- Patch promptly: Google-hosted Looker instances were updated by Google, but self-hosted instances must be upgraded to 25.0.93, 25.6.84, 25.12.42, 25.14.50 or 25.16.44 (or later) within their release train.
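For the patching step, and for the affected-versions list given under Related CVEs, the following added script triages a fleet of self-hosted Looker instances against the fixed versions stated on this page. It is example code, not a Google or Aviatrix tool; the semantics it assumes are that each listed version is the first fixed build of its release train (major.minor), that a train with no listed fix and lower than the newest listed train has no patched build and must be moved to a listed train, and that trains newer than anything listed cannot be judged from this page alone. The inventory at the bottom is constructed sample data.

```python
"""Triage self-hosted Looker versions against the fixed releases on this page.

Added example; not vendor code. Version semantics are an assumption stated
in the accompanying text: each fixed version is the first patched build of
its major.minor release train.
"""
from typing import Dict, Iterable, Tuple

# Fixed builds as listed under "Affected Products" on this page.
FIXED_VERSIONS = ["25.0.93", "25.6.84", "25.12.42", "25.14.50", "25.16.44"]

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Looker version format: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(installed: str, fixed_versions: Iterable[str] = FIXED_VERSIONS) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one installed version."""
    inst = parse_version(installed)
    fixed = sorted(parse_version(f) for f in fixed_versions)
    train = inst[:2]

    # Same release train as a listed fix: compare build numbers directly.
    same_train = [f for f in fixed if f[:2] == train]
    if same_train:
        return "patched" if inst >= same_train[0] else "vulnerable"

    # Newer than every listed train: this page says nothing about it, so do
    # not guess; check the vendor advisory for that train.
    if train > fixed[-1][:2]:
        return "unknown"

    # Older or intermediate train with no listed fix: no patched build exists
    # in that train, so treat it as exposed and plan a move to a fixed train.
    return "vulnerable"


def triage_fleet(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map instance name -> status for a {name: version} inventory."""
    return {name: assess(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "looker-prod-1": "25.14.49",
        "looker-prod-2": "25.16.44",
        "looker-dev": "25.2.17",
        "looker-legacy": "24.20.8",
        "looker-canary": "25.18.3",
    }
    for host, status in triage_fleet(sample).items():
        print(f"{host:15} {sample[host]:10} {status}")
```

The "unknown" result is deliberate: a version newer than any listed train is not evidence that it is fixed, only that this page cannot say, so the script refuses to report it as patched.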