CVE-2025-12155: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Google Cloud Looker
A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
* 24.12.100+
* 24.18.192+
* 25.0.69+
* 25.6.57+
* 25.8.39+
* 25.10.22+
AI Analysis
Technical Summary
CVE-2025-12155 is a command injection vulnerability classified under CWE-77, discovered in Google Cloud Looker, a business intelligence and data analytics platform. The flaw stems from improper neutralization of special elements in file paths, specifically a directory traversal issue that occurs when a user is deleted on the host system. An attacker possessing Developer-level permissions can exploit this vulnerability to execute arbitrary shell commands on the underlying host, potentially leading to full system compromise. The vulnerability affects both Looker-hosted and self-hosted instances; however, Google has already mitigated the risk in Looker-hosted environments, requiring no user intervention. Self-hosted instances remain vulnerable unless upgraded to patched versions 24.12.100+, 24.18.192+, 25.0.69+, 25.6.57+, 25.8.39+, or 25.10.22+. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), partial authentication required (AT:P), high privileges required (PR:H), and user interaction needed (UI:A). The vulnerability impacts confidentiality, integrity, and availability at a high level, with scope limited to the vulnerable instance. No public exploits have been reported yet, but the potential for severe damage exists if exploited. The vulnerability was reserved on 2025-10-24 and published on 2025-11-10.
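The root cause described above is a path derived from user data being handed to a shell during user deletion, where traversal sequences turn into command injection. The following is an added illustration of the defensive pattern, not Looker's code and not the patch: the username is allowlisted, the resulting path is checked to stay inside a base directory, and the deletion is done with a filesystem API rather than a shell. Function names, the base-directory layout and the sample usernames are assumptions.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Allowlist for user identifiers (assumption): must start with a letter, digit,
# underscore or hyphen, so "." and ".." can never pass, and may not contain
# path separators, NUL bytes or shell metacharacters at all.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$")


def resolve_user_dir(base_dir: str, username: str) -> Path:
    """Return the per-user directory under base_dir for a validated username.

    Raises ValueError if the username fails the allowlist or if the resolved
    path (symlinks followed) is not a strict descendant of base_dir.
    """
    if not _USERNAME_RE.match(username):
        raise ValueError(f"invalid username: {username!r}")
    base = Path(base_dir).resolve()
    candidate = (base / username).resolve()
    # Defence in depth: even a name that passed the allowlist must resolve
    # inside base (a symlink planted in base could otherwise point outside).
    if base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {candidate}")
    return candidate


def remove_user_dir(base_dir: str, username: str) -> bool:
    """Delete a user's directory without spawning a shell.

    Returns True if a directory was removed, False if none existed.
    No command string is built, so there is nothing for a crafted name to
    inject into.
    """
    target = resolve_user_dir(base_dir, username)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True


def demo() -> dict:
    """Exercise the helpers on a constructed temporary layout and report results."""
    base = tempfile.mkdtemp(prefix="userhome-")
    (Path(base) / "alice").mkdir()
    results = {
        "first_delete": remove_user_dir(base, "alice"),   # directory existed
        "second_delete": remove_user_dir(base, "alice"),  # already gone
        "rejected": [],
    }
    # Constructed hostile identifiers: traversal, separators, shell metacharacters.
    for bad in ["..", "../etc", "a/b", "x\\..\\y", "bob; id", "$(whoami)", ""]:
        try:
            resolve_user_dir(base, bad)
        except ValueError:
            results["rejected"].append(bad)
    shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

The allowlist does the heavy lifting; the containment check is there for the case where something inside the base directory (a symlink) rather than the name itself points elsewhere.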
Potential Impact
For European organizations, the impact of CVE-2025-12155 can be severe, especially for those relying on self-hosted Looker deployments for critical business intelligence and data analytics. Successful exploitation could allow attackers to execute arbitrary commands on the host system, leading to data theft, unauthorized data manipulation, service disruption, or lateral movement within the network. Confidential business data and analytics could be exposed or corrupted, undermining decision-making processes. The requirement for Developer permissions limits the attack surface but does not eliminate risk, as insider threats or compromised developer accounts could be leveraged. Given Looker's role in aggregating and analyzing sensitive data, the vulnerability poses a significant risk to data confidentiality and system integrity. Disruption of Looker services could also affect operational continuity. The lack of known exploits currently reduces immediate risk but does not preclude future attacks, emphasizing the need for prompt remediation.
Mitigation Recommendations
European organizations using self-hosted Looker instances should immediately upgrade to one of the patched versions: 24.12.100+, 24.18.192+, 25.0.69+, 25.6.57+, 25.8.39+, or 25.10.22+. Prior to upgrading, conduct a thorough audit of Developer permissions to ensure only trusted personnel have such access, minimizing the risk of insider exploitation. Implement strict access controls and monitor developer activities for suspicious behavior. Employ host-based intrusion detection systems (HIDS) to detect anomalous command executions. Regularly review and sanitize user management workflows to prevent injection opportunities. Network segmentation can limit the impact of a compromised Looker host. Additionally, maintain up-to-date backups of Looker configurations and data to enable rapid recovery if compromise occurs. Finally, stay informed about any emerging exploit reports or additional patches from Google Cloud.
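The upgrade advice turns on knowing, per release line, whether an instance is at or above the patched build. The script below is an added example (not a Google or Looker tool) that encodes the six patched versions from this advisory and classifies a constructed inventory of self-hosted instances. It assumes a `major.minor.patch` version string and treats any release line not named in the advisory as unknown, which a defender should handle as "needs attention" rather than "safe".

```python
import re
from typing import Dict, List, Optional, Tuple

# Patched minimum build per release line, taken from the advisory text.
PATCHED_MINIMUM: Dict[Tuple[int, int], int] = {
    (24, 12): 100,
    (24, 18): 192,
    (25, 0): 69,
    (25, 6): 57,
    (25, 8): 39,
    (25, 10): 22,
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch' (optional leading 'v', trailing suffix ignored)."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_patched(version: str) -> Optional[bool]:
    """True if at/above the patched build on its release line, False if below,
    None if the version is unparsable or its release line is not listed
    (unsupported or newer than the advisory; verify separately)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch = parsed
    minimum = PATCHED_MINIMUM.get((major, minor))
    if minimum is None:
        return None
    return patch >= minimum


def classify_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by remediation status."""
    buckets: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_patched(version)
        key = "patched" if status else ("vulnerable" if status is False else "unknown")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "looker-prod-01": "25.6.57",
    "looker-prod-02": "25.6.56",
    "looker-bi-eu": "24.12.100",
    "looker-legacy": "24.14.3",    # release line not in the advisory
    "looker-dev": "v25.10.5-dev",  # same line, below 25.10.22
    "looker-odd": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Anything landing in the "unknown" bucket is deliberately not reported as safe: a release line absent from the advisory is either out of support or newer than the fixes listed, and either way deserves a manual check against the download page.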
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GoogleCloud
- Date Reserved: 2025-10-24T13:07:55.182Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6911aa71983053a663d2120d
Added to database: 11/10/2025, 9:03:45 AM
Last enriched: 11/17/2025, 10:04:38 AM
Last updated: 12/23/2025, 7:49:41 AM