CVE-2025-12472 is a race condition vulnerability classified under CWE-362 affecting Google Cloud Looker, a business intelligence and data analytics platform. The flaw arises from improper synchronization when deleting Git directories within LookML projects. An attacker with the Looker Developer role can manipulate project files to trigger a timing window during the deletion process, allowing arbitrary command execution on the Looker instance. This can lead to full compromise of the Looker server environment, potentially exposing sensitive data or enabling further lateral movement. Both Looker-hosted and self-hosted deployments were vulnerable; however, Google has already mitigated the issue for Looker-hosted instances. Self-hosted users must upgrade to patched versions listed by Google to remediate the vulnerability. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), required privileges (PR:H), user interaction (UI:A), and high impact on confidentiality, integrity, and availability (C:H, I:H, A:H). No public exploits have been reported yet, but the vulnerability's nature and access requirements make it a significant risk for organizations with self-hosted Looker deployments, especially those with multiple developers having elevated permissions.

For European organizations, the impact of CVE-2025-12472 can be severe, particularly for those relying on self-hosted Looker instances for critical business intelligence and analytics functions. Exploitation could lead to arbitrary command execution on the Looker server, resulting in data breaches, unauthorized data manipulation, or disruption of analytics services. This could compromise sensitive business data, violate data protection regulations such as GDPR, and damage organizational reputation. The requirement for a developer role to exploit the vulnerability limits exposure but does not eliminate risk, especially in larger organizations with multiple developers or insufficient role management. Additionally, the ability to execute arbitrary commands could facilitate further attacks within the network, increasing the potential for widespread impact. The fact that Looker-hosted instances are already mitigated reduces risk for cloud customers, but self-hosted deployments remain vulnerable until patched.

European organizations using self-hosted Looker instances must prioritize upgrading to the patched versions listed by Google (24.12.103+, 24.18.195+, 25.0.72+, 25.6.60+, 25.8.42+, or 25.10.22+). Beyond patching, organizations should implement strict role-based access control (RBAC) to limit the number of users with the Looker Developer role, reducing the attack surface. Regular audits of developer activities and Git operations within Looker should be conducted to detect anomalous behavior indicative of exploitation attempts. Network segmentation and monitoring of Looker server communications can help detect and contain potential breaches. Employing application-layer firewalls or endpoint detection and response (EDR) solutions on Looker servers can provide additional layers of defense. Finally, organizations should ensure that incident response plans include scenarios involving Looker compromise to enable rapid containment and recovery.