CVE-2025-9571: CWE-502 Deserialization of Untrusted Data in Google Cloud Cloud Data Fusion
A remote code execution (RCE) vulnerability exists in Google Cloud Data Fusion. A user with permissions to upload artifacts to a Data Fusion instance can execute arbitrary code within the core AppFabric component. This could allow the attacker to gain control over the Data Fusion instance, potentially leading to unauthorized access to sensitive data, modification of data pipelines, and exploration of the underlying infrastructure. The following CDAP versions include the necessary update to protect against this vulnerability:
* 6.10.6+
* 6.11.1+
Users must immediately upgrade to them, or greater ones, available at: https://github.com/cdapio/cdap-build/releases
AI Analysis
Technical Summary
CVE-2025-9571 is a remote code execution vulnerability in Google Cloud Data Fusion, specifically in the core AppFabric component of the CDAP platform that Data Fusion runs. The root cause is deserialization of untrusted data (CWE-502). The advisory publishes no detail of the affected code path beyond the weakness class; what it does state is the trigger: a user who holds artifact-upload rights on an instance can cause AppFabric to execute code of their choosing. No user interaction is required, and no privilege beyond artifact upload is required. Note that upload rights are themselves a privilege, so the attacker is an authenticated user with a modest role rather than an anonymous one; within that role, exploitation is straightforward. Successful exploitation can fully compromise the instance, giving the attacker access to the data the instance can reach, the ability to alter or sabotage pipelines, and a position from which to probe the surrounding infrastructure, including any service account the instance runs as. The fixes shipped in CDAP 6.10.6 and 6.11.1; earlier releases on the 6.10 and 6.11 lines are affected, and older lines for which the advisory names no fix should be treated as affected too. The CVSS 4.0 base score is 8.7 (High); the page does not publish the vector string, but the score is consistent with a network-reachable attack of low complexity by a low-privileged user with high impact on confidentiality, integrity and availability. No exploitation in the wild has been reported, but the damage potential and the low bar for an insider or a compromised service account make prompt patching necessary. The CVE was reserved in August 2025 and published in December 2025. Managed Data Fusion instances are upgraded in place through Google Cloud (the instance version tracks the CDAP release it ships); the GitHub releases link in the advisory applies to self-hosted CDAP deployments.
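The weakness class in miniature, as an added example that is not code from Google, the CDAP project or the advisory. CDAP is a Java service and the advisory publishes nothing about the affected code path, so the demonstration uses Python's pickle, where the same pattern (a serialized object that names a callable to invoke at load time, and a loader that resolves the name without asking whether it should) fits on one screen. The `Gadget` class, the `attacker_payload` stand-in and the artifact-descriptor dict are constructed for the demo; the Java counterpart of the allowlisting loader is an `ObjectInputFilter` installed on the `ObjectInputStream`.

```python
"""CWE-502 in miniature: a serialized blob that runs code when loaded, next to
a loader that only resolves an allowlist of types and therefore refuses it.

Added illustration in Python. CDAP/Data Fusion is Java; the pattern is the same.
"""
import io
import pickle

EXECUTED = []  # records that attacker-chosen code ran during deserialization


def attacker_payload(msg: str) -> str:
    """Stand-in for what a real gadget chain would call (os.system,
    Runtime.exec, ...). Constructed for the demo; it only records that it ran."""
    EXECUTED.append(msg)
    return msg


class Gadget:
    """Pickles to 'call attacker_payload("...") at load time'.

    The class itself never reaches the wire: __reduce__ tells pickle to store
    a reference to attacker_payload plus its arguments, and the loader calls it."""

    def __reduce__(self):
        return (attacker_payload, ("attacker code ran",))


def build_malicious_blob() -> bytes:
    return pickle.dumps(Gadget())


def build_benign_blob() -> bytes:
    # A plausible artifact descriptor (constructed). Only built-in container
    # and scalar types, which is all an honest blob should need.
    return pickle.dumps({"name": "my-plugin", "version": "1.0.0", "scope": "USER"})


# Vulnerable sink: resolves and calls whatever the blob names.
def load_unsafe(blob: bytes):
    return pickle.loads(blob)


# Hardened sink: refuse to resolve anything outside a small allowlist.
SAFE_BUILTINS = {"dict", "list", "tuple", "str", "int", "float", "bool", "NoneType"}


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every global the stream references. Deny by default.
        if module == "builtins" and name in SAFE_BUILTINS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_safe(blob: bytes):
    return AllowlistUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Returns which sink ran attacker code and which refused it."""
    EXECUTED.clear()
    out = {}
    load_unsafe(build_malicious_blob())
    out["unsafe_ran_code"] = EXECUTED == ["attacker code ran"]
    EXECUTED.clear()
    try:
        load_safe(build_malicious_blob())
        out["safe_blocked"] = False
    except pickle.UnpicklingError:
        out["safe_blocked"] = not EXECUTED  # rejected before anything ran
    out["safe_benign_ok"] = load_safe(build_benign_blob())["name"] == "my-plugin"
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the hardened loader is that the decision happens at name-resolution time, before any constructor or reducer runs; a check applied to the returned object is too late, because the code has already executed. The same ordering is what a Java deserialization filter provides.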
Potential Impact
For European organizations, this vulnerability poses a significant risk to data integrity, confidentiality, and availability within cloud data integration workflows. Organizations in finance, healthcare, manufacturing, and critical infrastructure sectors that rely on Google Cloud Data Fusion for data pipeline orchestration could face unauthorized data exposure, manipulation, or service disruption. Compromise of Data Fusion instances could also serve as a foothold for lateral movement within cloud environments, potentially exposing other sensitive systems and data. Given the central role of data pipelines in analytics and operational decision-making, disruption or tampering could lead to financial losses, regulatory non-compliance (e.g., GDPR violations), and reputational damage. The vulnerability’s ease of exploitation without user interaction increases the urgency for European enterprises to act swiftly. Additionally, attackers could leverage this vulnerability for espionage or sabotage, especially in geopolitically sensitive sectors. The lack of known exploits in the wild provides a window for proactive defense, but the high CVSS score underscores the critical nature of the threat.
Mitigation Recommendations
1. Upgrade every Data Fusion instance to a version that ships CDAP 6.10.6, 6.11.1 or later. Managed instances are upgraded in place through Google Cloud; self-hosted CDAP deployments take the releases published on the CDAP GitHub page. Instances on an older line for which the advisory names no fix should be moved to a fixed line rather than assumed safe. Re-validate pipelines after the upgrade.
2. Restrict artifact upload to the principals that actually deploy plugins (normally a CI service account), using the IAM roles that carry that permission (editor or admin level) only for them and viewer-level roles for everyone else, and per-namespace RBAC where the instance has it enabled. Review who currently holds upload-capable roles: the attacker model here is an insider or a compromised account with that role.
3. Monitor Cloud Audit Logs and the instance logs in Cloud Logging for artifact-upload calls (POST requests to the CDAP artifacts endpoint), new artifact names or versions, and uploads from principals or at times outside the normal deployment process.
4. Limit what a compromised AppFabric can reach: give the Data Fusion and Dataproc service accounts only the permissions the pipelines need, prefer private IP instances, and keep the instance inside a VPC Service Controls perimeter where one is in use. Host-based RASP or EDR tooling does not apply to a managed service whose nodes you do not administer.
5. Include cloud data-integration components in regular security assessments and penetration tests.
6. Apply network segmentation and least-privilege principles in the surrounding cloud environment so that an instance compromise does not become lateral movement.
7. Keep an incident response plan that covers compromise of a managed cloud service, including revoking the instance's service account credentials and auditing recent artifact uploads and pipeline changes.
8. Watch for further advisories from Google Cloud and the CDAP project on this vulnerability.
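Two of the checks above in runnable form, as an added example rather than code from Google Cloud or the CDAP project: classifying an instance's CDAP version against the fixed ranges named in the advisory, and picking out artifact uploads by principals outside an approved set from a request log. The artifact-upload path pattern follows the CDAP REST API (`POST /v3/namespaces/<namespace>/artifacts/<artifact-name>`); the log lines themselves are constructed in a simple JSON-per-line shape with assumed field names (`principal`, `method`, `path`, `status`), so map them to whatever your Cloud Logging or CDAP log export actually emits.

```python
"""Version triage and artifact-upload review for CVE-2025-9571.

Added example. Version thresholds come from the advisory; the log format and
field names below are assumptions, not a real Data Fusion export format."""
import json
import re
from typing import Iterable, List, Set, Tuple

# Fix versions from the advisory, keyed by release line. Lines not listed
# (for example 6.9.x) have no fix named in the advisory, so they are reported
# as not covered rather than silently treated as safe.
FIXED_IN = {(6, 10): (6, 10, 6), (6, 11): (6, 11, 1)}


def parse_version(v: str) -> Tuple[int, ...]:
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised CDAP version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def patch_status(version: str) -> str:
    """'fixed', 'vulnerable', or 'not-covered-by-advisory'."""
    ver = parse_version(version)
    line = ver[:2]
    if line in FIXED_IN:
        return "fixed" if ver >= FIXED_IN[line] else "vulnerable"
    # The advisory says to upgrade to the fixed versions "or greater ones",
    # so any later release line is treated as carrying the fix.
    if line > max(FIXED_IN):
        return "fixed"
    return "not-covered-by-advisory"


# CDAP artifact upload endpoint: POST /v3/namespaces/<ns>/artifacts/<name>
ARTIFACT_UPLOAD = re.compile(r"^/v3/namespaces/(?P<ns>[^/]+)/artifacts/(?P<artifact>[^/]+)/?$")


def flag_artifact_uploads(lines: Iterable[str], approved: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (principal, namespace, artifact, reason) for uploads that need review.

    Only POSTs to the artifact endpoint count as uploads; listing artifacts
    (GET) and deploying apps are different operations and are ignored here."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("method") != "POST":
            continue
        m = ARTIFACT_UPLOAD.match(ev.get("path", ""))
        if not m:
            continue
        principal = ev.get("principal", "<unknown>")
        if principal not in approved:
            findings.append((principal, m["ns"], m["artifact"], "uploader not in approved set"))
    return findings


# Constructed sample log (assumed field names), not a real export.
SAMPLE_LOG = """
{"ts":"2025-12-10T07:11:07Z","principal":"ci-deployer@example.iam.gserviceaccount.com","method":"POST","path":"/v3/namespaces/default/artifacts/my-plugin","status":200}
{"ts":"2025-12-10T07:12:30Z","principal":"alice@example.com","method":"GET","path":"/v3/namespaces/default/artifacts","status":200}
{"ts":"2025-12-10T07:15:02Z","principal":"contractor@example.com","method":"POST","path":"/v3/namespaces/default/artifacts/helper-lib","status":200}
{"ts":"2025-12-10T07:16:45Z","principal":"bob@example.com","method":"POST","path":"/v3/namespaces/analytics/apps/pipeline1","status":200}
"""
APPROVED_UPLOADERS = {"ci-deployer@example.iam.gserviceaccount.com"}


if __name__ == "__main__":
    for v in ("6.9.2", "6.10.5", "6.10.6", "6.11.0", "6.11.1", "6.12.0"):
        print(v, patch_status(v))
    for f in flag_artifact_uploads(SAMPLE_LOG.splitlines(), APPROVED_UPLOADERS):
        print("REVIEW:", f)
```

Uploads by approved principals are deliberately not reported; a CI account that is itself compromised is the case the version check and the service-account restrictions are for, not this filter.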
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GoogleCloud
- Date Reserved: 2025-08-28T08:14:06.716Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 12/10/2025, 7:11:07 AM
Last enriched: 12/10/2025, 7:20:09 AM
Last updated: 12/11/2025, 6:24:06 AM