CVE-2025-12742: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Google Cloud Looker

Severity: High
Tags: Vulnerability, CVE-2025-12742, CWE-78
Published: Tue Nov 25 2025 (11/25/2025, 05:38:47 UTC)
Source: CVE Database V5
Vendor/Project: Google Cloud
Product: Looker

Description

A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :

* 24.12.108+
* 24.18.200+
* 25.0.78+
* 25.6.65+
* 25.8.47+
* 25.12.10+
* 25.14+

AI-Powered Analysis

Last updated: 11/25/2025, 05:57:15 UTC

Technical Analysis

CVE-2025-12742 is an OS command injection vulnerability (CWE-78) in Google Cloud Looker, specifically in the handling of Teradata driver parameters. Because special elements in those parameters are not properly neutralized, a user holding the Developer role can cause Looker to execute attacker-supplied OS commands. Both Looker-hosted and self-hosted instances were affected; Google has already mitigated the issue in Looker-hosted environments, so no user intervention is needed there. Self-hosted instances remain vulnerable until upgraded to the patched build for their release branch (24.12.108 and later on the 24.12 branch, and the corresponding builds listed for the later branches). The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H) indicates a network attack vector, high attack complexity, attack requirements present, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Exploitation requires an authenticated user with Developer role privileges, which limits the attack surface but still poses a serious risk if such credentials are compromised or misused. Successful exploitation yields arbitrary command execution on the underlying OS, which could allow an attacker to escalate privileges, exfiltrate sensitive data, or disrupt services. No public exploits have been reported yet, but the presence of this vulnerability in critical analytics infrastructure warrants immediate attention. The issue was reserved and published in November 2025, reflecting recent discovery and disclosure.
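The CWE-78 pattern described above, shown as an added example that is not Looker's code and not derived from the actual fix: the page does not disclose which Teradata driver parameters were mishandled or how, so the parameter names (`host`, `port`, `logmech`, `tmode`) and the `td-client` command are hypothetical placeholders. The vulnerable builder interpolates caller-controlled values into a single shell string; the hardened builder validates every name and value against an allowlist and returns an argv list, so no shell ever parses the values. Nothing in the block executes a process.

```python
"""Added example: CWE-78 in driver-parameter handling, vulnerable vs hardened.

Parameter names and the 'td-client' command are hypothetical; the page does not
say which Teradata driver parameters Looker processed or how they were used.
"""
import re

# Allowlist of parameter names the hypothetical driver accepts, each paired
# with the exact shape its value may take (no shell metacharacters possible).
ALLOWED_PARAMS = {
    "host": re.compile(r"[A-Za-z0-9.\-]{1,253}"),  # hostname characters only
    "port": re.compile(r"[0-9]{1,5}"),
    "logmech": re.compile(r"TD2|LDAP|KRB5"),       # fixed enumeration
    "tmode": re.compile(r"ANSI|TERA"),
}


class InvalidDriverParameter(ValueError):
    """Raised when a parameter name or value is outside the allowlist."""


def build_command_unsafe(params: dict) -> str:
    """Vulnerable pattern: values are interpolated into one shell string.

    If this string were handed to a shell (e.g. subprocess.run(..., shell=True)),
    any metacharacter inside a value would become part of the command line.
    """
    opts = " ".join(f"--{name}={value}" for name, value in params.items())
    return f"td-client {opts}"


def validate_params(params: dict) -> dict:
    """Reject unknown parameter names and values that do not match their shape."""
    clean = {}
    for name, value in params.items():
        pattern = ALLOWED_PARAMS.get(name)
        if pattern is None:
            raise InvalidDriverParameter(f"unknown parameter: {name!r}")
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise InvalidDriverParameter(f"invalid value for {name!r}")
        clean[name] = value
    return clean


def params_are_safe(params: dict) -> bool:
    """Convenience wrapper: True if validate_params accepts the parameters."""
    try:
        validate_params(params)
    except InvalidDriverParameter:
        return False
    return True


def build_command_safe(params: dict) -> list:
    """Hardened pattern: validate first, then build an argv list.

    Passing a list to subprocess.run with shell=False (the default) means the
    operating system receives each argument separately; metacharacters cannot
    change the structure of the command. The allowlist is defence in depth.
    """
    clean = validate_params(params)
    argv = ["td-client"]
    for name, value in clean.items():
        argv.append(f"--{name}={value}")
    return argv


if __name__ == "__main__":
    # Constructed input containing a shell metacharacter in the host value.
    tainted = {"host": "db.example.com; extra", "logmech": "TD2"}
    print("unsafe string:", build_command_unsafe(tainted))
    print("safe accepts tainted input:", params_are_safe(tainted))
    print("safe argv:", build_command_safe({"host": "db.example.com", "port": "1025"}))
```

The essential control is the argv list with no shell involved; the allowlist additionally rejects the input early, which is what an audit of driver-parameter handling should look for.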

Potential Impact

For European organizations, the impact of this vulnerability can be significant, particularly for those relying on self-hosted Looker instances for business intelligence and data analytics. Successful exploitation could lead to unauthorized command execution on servers hosting Looker, risking data confidentiality breaches, integrity violations, and service availability disruptions. This could result in exposure of sensitive business data, manipulation or deletion of analytics results, and potential lateral movement within corporate networks. Industries with stringent data protection requirements, such as finance, healthcare, and telecommunications, could face regulatory repercussions under GDPR if data is compromised. Additionally, operational disruptions could affect decision-making processes reliant on Looker dashboards and reports. Since exploitation requires Developer role access, insider threats or compromised credentials pose a critical risk vector. The lack of user interaction needed for exploitation increases the threat level once credentials are obtained. Overall, the vulnerability threatens core analytics infrastructure, which is increasingly strategic for European enterprises’ digital operations and competitive advantage.

Mitigation Recommendations

European organizations using self-hosted Looker must prioritize upgrading to the patched versions listed (24.12.108+, 24.18.200+, 25.0.78+, 25.6.65+, 25.8.47+, 25.12.10+, 25.14+) immediately to remediate this vulnerability. Beyond patching, organizations should audit and restrict Developer role assignments to the minimum necessary personnel, implementing strict role-based access controls and monitoring for anomalous activity. Employing multi-factor authentication (MFA) for all privileged accounts reduces the risk of credential compromise. Network segmentation should isolate Looker servers from broader enterprise networks to limit lateral movement in case of exploitation. Regularly review and sanitize all Teradata driver parameters and inputs to Looker, applying input validation and sanitization best practices where possible. Implement comprehensive logging and alerting on command execution attempts and unusual Looker activity. Conduct penetration testing and vulnerability assessments post-patching to verify remediation effectiveness. Finally, maintain up-to-date incident response plans tailored to analytics platform compromises.
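To turn the patched-version list above into a fleet check, here is an added example (not from Looker, Google, or this page's source) that classifies self-hosted Looker version strings against the branch minimums the advisory gives. One assumption is labelled in the code: the advisory's "25.14+" is read as 25.14 and every later branch. Branches the advisory does not list (for example 25.10.x) are reported as unknown rather than patched. The inventory used at the bottom is constructed.

```python
"""Added example: classify self-hosted Looker versions against CVE-2025-12742's
patched-build list. Not affiliated with Looker or Google."""
import re

# Minimum patched build per release branch, taken from the advisory.
PATCHED_MINIMUMS = {
    (24, 12): (24, 12, 108),
    (24, 18): (24, 18, 200),
    (25, 0): (25, 0, 78),
    (25, 6): (25, 6, 65),
    (25, 8): (25, 8, 47),
    (25, 12): (25, 12, 10),
}
# Assumption: the advisory's "25.14+" means 25.14 and every later branch.
FIRST_FULLY_PATCHED_BRANCH = (25, 14)

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor[.patch]' into a 3-tuple of ints (patch defaults to 0)."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised Looker version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown-branch' for one version."""
    v = parse_version(version)
    branch = v[:2]
    if branch >= FIRST_FULLY_PATCHED_BRANCH:
        return "patched"
    minimum = PATCHED_MINIMUMS.get(branch)
    if minimum is None:
        # Branch not in the advisory's list: do not assume it is fixed.
        return "unknown-branch"
    return "patched" if v >= minimum else "vulnerable"


def triage(inventory: dict) -> dict:
    """Group hosts by status; input is {hostname: version string}."""
    groups = {"patched": [], "vulnerable": [], "unknown-branch": []}
    for host, version in inventory.items():
        groups[patch_status(version)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {
        "bi-prod-1": "25.8.47",
        "bi-prod-2": "25.8.46",
        "bi-stage": "24.12.107",
        "bi-lab": "25.10.5",
        "bi-new": "25.14.2",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:15} {', '.join(hosts) or '-'}")
```

Hosts in the "vulnerable" group need the branch upgrade first; "unknown-branch" hosts should be confirmed against the Looker download page rather than assumed safe.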


Technical Details

Data Version: 5.2
Assigner Short Name: GoogleCloud
Date Reserved: 2025-11-05T10:50:53.509Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6925421a441560fe7ee98db1

Added to database: 11/25/2025, 5:43:54 AM

Last enriched: 11/25/2025, 5:57:15 AM

Last updated: 11/25/2025, 6:48:05 AM

