NextFin News - Security researchers at Tenable have disclosed a pair of critical vulnerabilities in Google Looker, a premier business intelligence and data analytics platform, that could allow attackers to gain full system control and access sensitive data across different customer environments. The flaws, collectively referred to as "LookOut," include a remote code execution (RCE) chain and a separate SQL injection vulnerability that targets the platform's internal management database. According to Dark Reading, these vulnerabilities pose a severe threat because Looker serves as the "central nervous system" for corporate data in more than 60,000 organizations globally, including major entities like Coinbase and Walmart.
The most alarming discovery involves an exploit chain that allows for cross-tenant RCE. By leveraging a path traversal vulnerability in Looker’s Git-based project structure, researchers were able to trick the system into executing malicious "Git hooks." Although Looker utilizes JGit—a version of Git that typically does not support hooks—the researchers found a method to force the system to use standard Git via specific POST parameters. By triggering a race condition to bypass security overwrites, they successfully executed arbitrary code on the server. In a cloud environment, this level of access is catastrophic; researchers found that shared infrastructure on the Google Cloud Platform (GCP) could allow an attacker to jump from one compromised tenant to access the service account credentials and data of other organizations.
A second vulnerability, tracked as CVE-2025-12743, involves the exfiltration of Looker’s internal database. This database contains sensitive user credentials, configurations, and secrets that are intended to be hidden from users. According to Help Net Security, researchers identified the internal database connection name through system logs and used error-based SQL injection to bypass access controls. By intentionally triggering specific error messages that contained fragments of the database's contents, an attacker could systematically dump the entire internal management repository, providing a roadmap for further lateral movement within a victim's network.
The discovery of these vulnerabilities underscores a growing architectural risk in the business intelligence (BI) sector. As platforms like Looker become more integrated with diverse data sources—often connecting to 20 to 50 different databases ranging from BigQuery to MySQL—they become single points of failure. The ability to execute code on a BI server is not merely an application-level breach; it is a gateway to the entire data estate of an enterprise. The cross-tenant implications are particularly concerning for the SaaS industry, as they challenge the fundamental security assumption of logical isolation in multi-tenant cloud environments.
While Google responded rapidly by patching its managed Cloud Looker services, the burden of security now shifts to organizations running self-hosted or on-premises versions. According to Tenable researcher Liv Matan, patching these systems is often delayed by technical debt, rigid change management windows, and the fear of disrupting critical business dashboards. This "patching gap" creates a window of opportunity for threat actors to exploit known vulnerabilities in organizations that lack a comprehensive asset inventory or robust DevOps pipelines. Data from industry analysts suggests that self-hosted deployments often lag behind cloud-native versions in security updates by an average of three to six months.
Looking forward, the "LookOut" vulnerabilities will likely prompt a re-evaluation of how BI tools handle administrative secrets and internal configurations. We expect to see a shift toward "Zero Trust" architectures for data analytics, where the BI layer is strictly isolated from the underlying infrastructure and service account credentials. Furthermore, U.S. President Trump’s administration has recently emphasized the protection of critical data infrastructure, and this incident may accelerate federal requirements for enhanced auditing of third-party data modeling tools used by government contractors and essential services.
For the 60,000 organizations relying on Looker, the immediate priority is manual remediation. Google has released security bulletin GCP-2025-052, urging self-hosted users to update to versions 25.12.30+, 25.10.54+, or higher. Beyond patching, security teams must implement the principle of least privilege, ensuring that Looker service accounts have only the minimum necessary access to external data warehouses. As cyber-espionage groups increasingly target data aggregation points, the security of the "central nervous system" of corporate intelligence will remain a primary battleground in 2026.
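A first step in closing the "patching gap" described above is knowing which self-hosted instances are still below the fixed builds in GCP-2025-052. The following Python is an added example written for this article; it is not code from Google, Tenable or the Looker project. It assumes the bulletin's fixed builds are exactly the two branches named in the text (25.10.54 and 25.12.30), treats any branch newer than 25.12 as carrying the fix ("or higher"), treats older branches with no fixed build as unpatched, and uses constructed hostnames and version strings as its inventory.

```python
"""Patch-status triage for self-hosted Looker against bulletin GCP-2025-052."""
import re

# Minimum fixed build per release branch, (major, minor) -> patch.
# Taken from the article's "25.12.30+, 25.10.54+"; assumption: the bulletin
# names exactly these two branches.
FIXED_BUILDS = {
    (25, 10): 54,
    (25, 12): 30,
}
NEWEST_FIXED_BRANCH = max(FIXED_BUILDS)  # (25, 12)


def parse_version(text):
    """Parse a 'major.minor.patch' string (trailing suffixes tolerated) into a tuple of ints."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Looker version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True when the version is at or above the fixed build for its release branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BUILDS:
        return patch >= FIXED_BUILDS[branch]
    # Assumption: branches newer than the newest fixed branch include the fix
    # ("or higher"); older branches that received no fixed build are unpatched.
    return branch > NEWEST_FIXED_BRANCH


def triage(inventory):
    """Given {hostname: version}, return only the hosts that still need the update."""
    return {host: ver for host, ver in inventory.items() if not is_patched(ver)}


if __name__ == "__main__":
    # Constructed sample asset inventory; hostnames and versions are placeholders.
    sample = {
        "looker-prod-01.example.internal": "25.12.30",
        "looker-prod-02.example.internal": "25.12.29",
        "looker-dev.example.internal": "25.10.54",
        "looker-legacy.example.internal": "25.8.40",
        "looker-next.example.internal": "25.14.2",
    }
    for host, version in sorted(triage(sample).items()):
        print(f"UNPATCHED  {host}  {version}")
```

Feeding this the version column from an asset inventory turns the bulletin into a worklist, which is the part organizations without a comprehensive inventory tend to lack; the branch assumptions are deliberately conservative so that an unlisted older branch is flagged rather than silently passed.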
