CVE-2025-12472: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in Google Cloud Looker
An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
- 24.12.103+
- 24.18.195+
- 25.0.72+
- 25.6.60+
- 25.8.42+
- 25.10.22+
AI Analysis
Technical Summary
CVE-2025-12472 is a race condition vulnerability classified under CWE-362, found in Google Cloud Looker, a business intelligence and data analytics platform. The flaw arises from improper synchronization during the deletion of Git directories within LookML projects. Specifically, an attacker with the Looker Developer role can manipulate project files to trigger a timing window where concurrent operations on shared resources are unsafely handled. This race condition allows the attacker to execute arbitrary commands on the Looker instance, potentially leading to full system compromise. Both Looker-hosted and self-hosted instances were initially vulnerable; however, Google has already mitigated the issue in Looker-hosted environments. Self-hosted users must upgrade to patched versions (24.12.103+, 24.18.195+, 25.0.72+, 25.6.60+, 25.8.42+, or 25.10.22+) available from the official Looker download page. The vulnerability has a CVSS 4.0 score of 7.1, indicating high severity with network attack vector, high complexity, and requiring privileges and user interaction. Exploitation could allow attackers to bypass normal access controls and execute arbitrary commands, threatening the confidentiality, integrity, and availability of the affected systems. No public exploits have been reported yet, but the risk remains significant for unpatched self-hosted deployments.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those using self-hosted Looker instances to manage sensitive business intelligence data. Successful exploitation could allow attackers to execute arbitrary commands on the Looker server, potentially leading to data theft, unauthorized data manipulation, or disruption of analytics services. This could impact decision-making processes, expose confidential business data, and cause operational downtime. Given Looker's role in data analytics, compromised instances could also serve as pivot points for further network intrusion. The requirement for a Looker Developer role to exploit the vulnerability somewhat limits the attack surface, but insider threats or compromised developer accounts increase the risk. Organizations in sectors such as finance, manufacturing, retail, and government, which rely heavily on data analytics, could face severe reputational and regulatory consequences if exploited.
Mitigation Recommendations
European organizations operating self-hosted Looker instances must urgently upgrade to the patched versions listed by Google (24.12.103+, 24.18.195+, 25.0.72+, 25.6.60+, 25.8.42+, or 25.10.22+). Additionally, organizations should enforce strict access controls and monitoring on Looker Developer roles to reduce the risk of insider threats or compromised credentials. Implementing multi-factor authentication (MFA) for developer accounts and auditing LookML project changes can help detect suspicious activity. Network segmentation should be applied to isolate Looker servers from critical infrastructure. Regularly reviewing and restricting permissions to the minimum necessary for developers will limit potential exploitation. Finally, organizations should maintain up-to-date backups of Looker configurations and data to enable recovery in case of compromise.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GoogleCloud
- Date Reserved: 2025-10-29T15:56:30.205Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691da109a788429a71e487c5
Added to database: 11/19/2025, 10:50:49 AM
Last enriched: 11/19/2025, 11:05:45 AM
Last updated: 11/19/2025, 1:00:12 PM