Executive Summary
Security researchers at Tenable have disclosed two critical vulnerabilities in Google Looker, collectively referred to as "LookOut", that could allow attackers to achieve full system takeover. With over 60,000 organizations in 195 countries using the business intelligence platform, the potential impact is severe.
CVSS Score: 9.8 (Critical)
Vulnerability Details
Remote Code Execution Chain
The most critical discovery is an RCE chain that allows attackers to take complete control of a Looker server by executing arbitrary commands remotely.
Attack Vector:
- Unauthenticated remote exploitation
- No user interaction required
- Network-accessible instances at risk
Impact:
- Complete system compromise
- Access to sensitive corporate data
- Ability to pivot into internal networks
- Potential cross-tenant access in cloud deployments
Technical Analysis
The vulnerability chain exploits weaknesses in Looker's authentication and data processing mechanisms:
Attack Flow:
1. Attacker identifies exposed Looker instance
2. Crafted requests bypass authentication
3. Malicious payload triggers code execution
4. Attacker gains shell access with service privileges
5. Lateral movement into connected systems
Affected Systems
| Deployment Type | Risk Level | Notes |
|---|---|---|
| Self-hosted Looker | Critical | Direct exploitation possible |
| Google Cloud Looker | High | Potential cross-tenant access |
| Air-gapped instances | Lower | Still vulnerable if accessible |
Version Information
- All self-hosted Looker versions prior to the security patch
- Cloud instances automatically updated by Google
Indicators of Compromise
Monitor for the following suspicious activity:
```shell
# Unusual Looker API requests
grep -E "POST.*/api/internal/.*exec" /var/log/looker/access.log
# Unexpected process spawning (grep -v grep drops the grep process itself)
ps aux | grep -E "looker.*sh|looker.*bash" | grep -v grep
# Network connections to unknown destinations (-p shows the owning process)
netstat -anp | grep looker | grep ESTABLISHED
```
Log Signatures
```
# Potential exploitation attempts
[WARN] Unexpected content-type in API request
[ERROR] Authentication bypass detected
[CRITICAL] Unauthorized command execution attempt
```
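As an added example (not part of the original advisory), the following Python script applies the access-log patterns above, plus the request paths from the Sigma rule in the Detection Rules section, to constructed sample log lines and tallies hits per source address. The log line format is assumed (Apache combined style) and must be adjusted to the real Looker access log; `/api/3.1/run_inline_query` is a legitimate Looker API endpoint, so it is scored lower to limit noise.

```python
import re
from collections import Counter

# Assumed log layout (constructed, Apache combined style); adapt the
# regex to the actual Looker access log format before use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Paths from the advisory's grep IoC and Sigma rule. run_inline_query is a
# legitimate Looker API endpoint, so it gets the lowest score.
RULES = [
    ("high",   re.compile(r"/api/internal/.*exec")),
    ("medium", re.compile(r"/api/internal/")),
    ("low",    re.compile(r"/api/3\.1/run_inline_query")),
]

def classify(line):
    """Return (severity, ip, path) for a suspicious POST, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    for sev, pat in RULES:
        if pat.search(m.group("path")):
            return (sev, m.group("ip"), m.group("path"))
    return None

def scan_access_log(lines):
    """Classify every line; return the alerts and a per-source-IP hit count."""
    alerts = [a for a in (classify(l) for l in lines) if a]
    per_ip = Counter(ip for _, ip, _ in alerts)
    return alerts, per_ip

# Constructed sample lines, not real telemetry.
SAMPLE = [
    '10.0.0.5 - - [04/Feb/2026:10:00:01 +0000] "GET /dashboards/7 HTTP/1.1" 200',
    '203.0.113.9 - - [04/Feb/2026:10:00:02 +0000] "POST /api/internal/jobs/exec HTTP/1.1" 500',
    '203.0.113.9 - - [04/Feb/2026:10:00:03 +0000] "POST /api/internal/config HTTP/1.1" 401',
    '10.0.0.7 - - [04/Feb/2026:10:00:04 +0000] "POST /api/3.1/run_inline_query HTTP/1.1" 200',
    '10.0.0.7 - - [04/Feb/2026:10:00:05 +0000] "GET /api/internal/status HTTP/1.1" 200',
]

if __name__ == "__main__":
    alerts, per_ip = scan_access_log(SAMPLE)
    for sev, ip, path in alerts:
        print(f"[{sev.upper()}] {ip} POST {path}")
    print("hits per source:", dict(per_ip))
```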
Mitigation Steps
Immediate Actions
- Apply Security Patches
  - Update to the latest Looker version immediately
  - Google Cloud instances are patched automatically
- Network Isolation
  ```shell
  # Restrict Looker access to internal networks only
  iptables -A INPUT -p tcp --dport 9999 -s 10.0.0.0/8 -j ACCEPT
  iptables -A INPUT -p tcp --dport 9999 -j DROP
  ```
- Enable WAF Rules
  - Block suspicious API patterns
  - Rate limit authentication attempts
  - Monitor for anomalous request sizes
Long-term Remediation
- Implement network segmentation for BI tools
- Enable comprehensive audit logging
- Deploy EDR on Looker servers
- Regular vulnerability scanning
Detection Rules
Sigma Rule
```yaml
title: Google Looker Exploitation Attempt
status: experimental
logsource:
  product: looker
  service: access
detection:
  selection:
    http.request.method: POST
    url.path|contains:
      - '/api/internal/'
      - '/api/3.1/run_inline_query'
  condition: selection
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2025.12743
```
YARA Rule
```yara
rule Looker_Exploitation_Payload {
  meta:
    description = "Detects LookOut exploitation payloads"
    severity = "critical"
    cve = "CVE-2025-12743"
  strings:
    $cmd1 = "exec(" ascii
    $cmd2 = "system(" ascii
    $cmd3 = "/bin/sh" ascii
    $api = "/api/internal/" ascii
  condition:
    $api and any of ($cmd*)
}
```
Timeline
| Date | Event |
|---|---|
| 2025-12-15 | Vulnerability discovered by Tenable |
| 2026-01-10 | Google notified via responsible disclosure |
| 2026-01-28 | Patch developed and tested |
| 2026-02-04 | Public disclosure |
| 2026-02-11 | Recommended patch deadline |