CVE-2025-12155: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Google Cloud Looker
A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.100+ * 24.18.192+ * 25.0.69+ * 25.6.57+ * 25.8.39+ * 25.10.22+
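The patched builds listed above are per release branch: 25.6.56 is still vulnerable even though it is numerically far above 24.12.100, and a plain string comparison would also rank 25.6.9 above 25.6.57. The following Python script, added here as an illustration and not code from Google or the Looker project, checks release strings against those branch minimums. The hostnames and version strings in its inventory are constructed, and the remark about the versions API endpoint is an assumption about where a real inventory would come from.

```python
"""Check self-hosted Looker release strings against the per-branch minimum patched
versions published in the CVE-2025-12155 advisory. Added example; not Looker code.
The instance inventory at the bottom is constructed for illustration."""
import re

# Minimum patched build per release branch, taken from the advisory text.
# Keyed by (major, minor); the value is the lowest patched patch number.
PATCHED_MINIMUMS = {
    (24, 12): 100,
    (24, 18): 192,
    (25, 0): 69,
    (25, 6): 57,
    (25, 8): 39,
    (25, 10): 22,
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from a release string such as '25.6.57'.
    Components are compared as integers: a string compare would rank 25.6.9
    above 25.6.57 and wrongly report a vulnerable build as patched."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Looker version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def assess(version: str) -> str:
    """Classify one release against the advisory.

    'patched'              at or above the minimum for a listed branch
    'vulnerable'           below the minimum for a listed branch
    'unlisted-newer'       a branch newer than any in the advisory; check the
                           vendor release notes, this script cannot vouch for it
    'unlisted-unsupported' a branch the advisory does not list at all (for
                           example an end-of-life 24.x); treat as vulnerable
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED_MINIMUMS:
        return "patched" if patch >= PATCHED_MINIMUMS[branch] else "vulnerable"
    if branch > max(PATCHED_MINIMUMS):
        return "unlisted-newer"
    return "unlisted-unsupported"


def audit(inventory: dict[str, str]) -> dict[str, str]:
    """Map each instance name to its assessment. In practice the version strings
    would be collected from each instance (assumption: via the Looker API's
    versions endpoint or the admin UI); here they are a constructed inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "bi-prod.example.internal": "25.6.57",
    "bi-staging.example.internal": "25.6.41",
    "bi-legacy.example.internal": "24.6.83",
    "bi-dev.example.internal": "25.10.22",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:32} {SAMPLE_INVENTORY[host]:>10}  {status}")
```

Running it lists each instance with its status; anything other than "patched" should go on the upgrade list, and "unlisted-newer" means the branch post-dates the advisory and must be confirmed against the vendor's release notes rather than trusted blindly.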
AI Analysis
Technical Summary
CVE-2025-12155 is a command injection vulnerability (CWE-77) in Google Cloud Looker, the data analytics and business intelligence platform. According to the advisory, the root cause is improper file path sanitization (a directory traversal) in the code path that runs when a user is deleted: an attacker who holds the Developer permission in Looker can arrange for the host operating system to execute arbitrary shell commands at that point. Developer-permission users cannot normally delete accounts themselves, so the attacker's input most likely fires later, when an administrator removes a user. The result is command execution on the Looker server, which can lead to control of the host, exfiltration of the data Looker has access to, and lateral movement into the surrounding network. Both Looker-hosted and self-hosted deployments were affected; Google has already mitigated Looker-hosted instances and no customer action is needed there. Self-hosted instances remain vulnerable until upgraded to the patched build for their release branch: 24.12.100+, 24.18.192+, 25.0.69+, 25.6.57+, 25.8.39+ or 25.10.22+. Each figure is the minimum for its own branch, so 25.6.56 is still vulnerable even though it is numerically above 24.12.100. The advisory is scored with CVSS 4.0; the vector is not reproduced on this page, but the description itself establishes that exploitation requires an authenticated account with Developer permission and that the consequence is command execution on the host, i.e. high impact on confidentiality, integrity and availability. No public exploit has been reported at the time of writing; given the permission required, the realistic threat actors are malicious insiders and attackers who have already compromised a developer account. The CVE was reserved on 24 October 2025 and published on 10 November 2025.
Potential Impact
For European organizations, the exposure is concentrated in self-hosted Looker instances that support critical business intelligence and analytics work; Looker-hosted customers are already covered by Google's fix. Successful exploitation gives an attacker command execution on the Looker host, which can mean full compromise of that server, access to whatever data sources Looker is connected to, disruption of analytics services, and a foothold for lateral movement into the corporate network. Because Looker frequently sits on top of customer, financial or health data, such a breach would also engage GDPR obligations. Finance, healthcare, manufacturing and public-sector organizations that depend on Looker for data-driven decision-making carry the most exposure. The Developer permission prerequisite does not make the flaw academic: Developer is commonly granted to anyone who writes LookML, so a malicious insider or a phished developer account is enough. No exploitation in the wild has been reported, which leaves a window for proactive patching, but the consequence of exploitation (arbitrary commands on the host) makes that patching urgent.
Mitigation Recommendations
European organizations running self-hosted Looker must upgrade to the patched build for their release branch (24.12.100+, 24.18.192+, 25.0.69+, 25.6.57+, 25.8.39+ or 25.10.22+), checking the running version against the minimum for that specific branch rather than assuming any later-numbered release is safe. Beyond patching: audit who holds the Developer permission and remove it from accounts that do not actively develop LookML; enforce multi-factor authentication for all privileged Looker accounts; alert on user-deletion events and on any shell or child process spawned by the Looker service account, which in normal operation has no reason to run one; segment Looker hosts from critical infrastructure so that a compromised server cannot reach it directly; and run host-based intrusion detection (HIDS) on the Looker hosts so that unexpected command execution is caught. Finally, brief developers and administrators on the risks of privilege misuse and on keeping self-hosted instances on a supported, patched branch.
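One concrete form of the "detect unauthorized shell command executions" recommendation above: on a Linux host running self-hosted Looker, log execve calls with auditd (a rule such as `-a always,exit -F arch=b64 -S execve -k looker_exec`) and flag any shell started by the Looker service account. The Python below is an added example, not code from Looker or auditd; it assumes the Looker JVM runs as a dedicated account (uid 1001 here) and parses constructed audit records that follow the generic SYSCALL/EXECVE layout. The hex-encoded argument in the sample is how auditd writes an argument containing a space, so the parser decodes it, which a naive grep would miss.

```python
"""Flag shell processes spawned by the Looker service account from auditd execve
records. Added example; not Looker or auditd code. Assumes the Looker JVM runs as
a dedicated account (uid 1001 here) and that auditd logs execve calls. The records
below are constructed; register fields a0..a3 of the SYSCALL lines are omitted."""
import os
import re
from collections import defaultdict

LOOKER_UID = 1001  # assumed uid of the account that runs the Looker JVM
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
ARG_KEY_RE = re.compile(r"a\d+")
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")

# Constructed audit records: 9001 is the JVM itself starting, 9002 is a shell
# spawned by the JVM (ppid 4321) as the Looker account, 9003 is an admin's
# interactive bash as uid 1000. a2 of 9002 is hex for "cat /etc/passwd".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1762765425.101:9001): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=4321 auid=4294967295 uid=1001 gid=1001 euid=1001 comm="java" exe="/usr/lib/jvm/java-17/bin/java" key="looker_exec"
type=EXECVE msg=audit(1762765425.101:9001): argc=2 a0="java" a1="-jar"
type=SYSCALL msg=audit(1762765430.555:9002): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4400 auid=4294967295 uid=1001 gid=1001 euid=1001 comm="sh" exe="/usr/bin/dash" key="looker_exec"
type=EXECVE msg=audit(1762765430.555:9002): argc=3 a0="sh" a1="-c" a2=636174202F6574632F706173737764
type=SYSCALL msg=audit(1762765440.900:9003): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=4500 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="looker_exec"
type=EXECVE msg=audit(1762765440.900:9003): argc=1 a0="bash"
"""


def parse_record(line: str) -> dict:
    """Split one auditd record into a dict of field -> value.
    Quoted values are used verbatim. An unquoted EXECVE argument made of hex
    pairs is decoded, because auditd hex-encodes arguments that contain spaces
    or control characters. SYSCALL a0..a3 are raw register values and are left as-is."""
    is_execve = line.startswith("type=EXECVE")
    fields = {}
    for key, raw, inner in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = inner
        elif is_execve and ARG_KEY_RE.fullmatch(key) and HEX_RE.fullmatch(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    m = MSG_RE.search(line)
    if not m:
        raise ValueError(f"record without msg=audit(...) header: {line!r}")
    fields["_ts"], fields["_id"] = float(m.group(1)), m.group(2)
    return fields


def parse_audit_log(text: str) -> dict:
    """Group SYSCALL and EXECVE records by audit event id into one event each."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events[rec["_id"]]
        if rec["type"] == "EXECVE":
            ev["argv"] = [rec.get(f"a{i}", "") for i in range(int(rec.get("argc", 0)))]
        else:
            ev.update(rec)
    return events


def find_suspicious_shells(text: str, looker_uid: int = LOOKER_UID) -> list:
    """Return execve events in which the Looker service account launched a shell.
    A BI server's JVM has no routine reason to spawn sh/bash, and the advisory's
    bug is precisely a shell command run on the host, so every hit deserves a look."""
    hits = []
    for ev in parse_audit_log(text).values():
        if ev.get("type") != "SYSCALL" or ev.get("syscall") != "59":  # 59 = execve on x86_64
            continue
        if ev.get("euid") != str(looker_uid):
            continue
        exe_name = os.path.basename(ev.get("exe", ""))
        if ev.get("comm") in SHELLS or exe_name in SHELLS:
            hits.append({"id": ev["_id"], "ts": ev["_ts"], "pid": ev["pid"],
                         "ppid": ev["ppid"], "argv": ev.get("argv", [])})
    return sorted(hits, key=lambda h: h["ts"])


if __name__ == "__main__":
    for hit in find_suspicious_shells(SAMPLE_AUDIT_LOG):
        print(f"event {hit['id']}: pid {hit['pid']} (parent {hit['ppid']}) ran {hit['argv']}")
```

On the sample data only event 9002 is reported: a `sh -c` whose parent is the Looker JVM. The euid filter keeps an administrator's own shell sessions out of the alert, and the ppid in each hit lets the analyst confirm that the parent really was the Looker process before escalating. Very long arguments, which auditd splits into `a2[0]`, `a2[1]` and so on, are not reassembled here.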
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Ireland, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GoogleCloud
- Date Reserved: 2025-10-24T13:07:55.182Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6911aa71983053a663d2120d
Added to database: 11/10/2025, 9:03:45 AM
Last enriched: 11/10/2025, 9:16:28 AM
Last updated: 11/10/2025, 5:17:54 PM
Related Threats
- CVE-2025-63497: n/a (severity: Unknown)
- CVE-2025-63834: n/a (severity: High)
- CVE-2025-63456: n/a (severity: Medium)
- CVE-2025-63455: n/a (severity: High)
- CVE-2025-46430: CWE-250: Execution with Unnecessary Privileges in Dell Display and Peripheral Manager (severity: High)