CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

LeakyLooker Vulnerabilities in Google Looker Studio

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

Nine cross-tenant vulnerabilities, collectively named LeakyLooker, were discovered in Google Looker Studio. These flaws could allow attackers to execute arbitrary SQL queries on victims' databases and exfiltrate sensitive data within Google Cloud environments. The vulnerabilities affected connectors to multiple cloud services, including BigQuery, Spanner, PostgreSQL, MySQL, Google Sheets, and Cloud Storage. Two distinct attack paths were identified: 0-click attacks targeting owner credentials and 1-click attacks targeting viewer credentials. The vulnerabilities were disclosed responsibly and have been addressed by Google. No evidence of exploitation in the wild has been found.

Timeline

  1. 10.03.2026 15:20 2 articles · 2d ago

    LeakyLooker Vulnerabilities Disclosed and Patched

    Nine cross-tenant vulnerabilities in Google Looker Studio, collectively named LeakyLooker, were disclosed in June 2025. These flaws could enable attackers to execute arbitrary SQL queries and exfiltrate sensitive data within Google Cloud environments. The vulnerabilities affected connectors to multiple cloud services, including BigQuery, Spanner, PostgreSQL, MySQL, Google Sheets, and Cloud Storage. Two distinct attack paths were identified: 0-click attacks targeting owner credentials and 1-click attacks targeting viewer credentials. The vulnerabilities have been addressed by Google, and there is no evidence of exploitation in the wild.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Critical Vulnerabilities in Google Looker Enable Cross-Tenant RCE and Data Exfiltration

Researchers discovered two critical vulnerabilities in Google Looker, a business intelligence and data analytics platform used by over 60,000 companies. The first vulnerability, tracked as CVE-2025-12743, allows SQL injection to access sensitive internal databases containing user lists, secrets, and configurations. The second vulnerability enables remote code execution (RCE) on Looker servers, potentially allowing attackers to access highly sensitive data and perform lateral movement within compromised environments. In cloud deployments, this RCE could also facilitate access to other tenants' cloud environments and data. Google has patched these vulnerabilities, but organizations using on-premises deployments must manually update to secure versions, facing challenges such as system downtime, compatibility testing, and shadow IT issues.

Open in new tab

Active Exploitation of Multiple Critical Vulnerabilities in Gladinet and TrioFox

Active exploitation of critical vulnerabilities in Gladinet's CentreStack and Triofox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. This flaw affects all versions prior to and including 16.7.10368.56560. The vulnerability has been exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability. Three customers have been impacted so far. A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk. The vendor, Gladinet, has been notified and is working on a fix. The vulnerability was detected by researchers at Huntress on September 27, 2025. The flaw was exploited to obtain a machine key and execute code remotely. The attack used an older deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE) through ViewState. The mitigations will impact some functionality of the platform but prevent exploitation of CVE-2025-11371. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks. Additionally, a new critical vulnerability, CVE-2025-12480 (CVSS score: 9.8), has been discovered in Gladinet's Triofox file-sharing and remote access platform. This flaw allows attackers to bypass authentication and access configuration pages, resulting in the upload and execution of arbitrary payloads. The threat cluster tracked as UNC6485 has been exploiting this flaw since August 24, 2025. The attackers have used the built-in antivirus feature to execute malicious files and set up encrypted tunnels to command-and-control servers, leveraging remote access tools like Zoho Assist and AnyDesk for further exploitation. The vulnerability CVE-2025-12480 was discovered and reported by Mandiant on November 10. The flaw allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads. The exploitation campaign started on August 14, 2025. The attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page. The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages. The attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature. A new actively exploited vulnerability in Gladinet's CentreStack and Triofox products has been disclosed, stemming from the use of hard-coded cryptographic keys. This flaw affects nine organizations so far. The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets, enabling them to access sensitive files like web.config that can be exploited to achieve ViewState deserialization and remote code execution. The attacks involve specially crafted URL requests to the "/storage/filesvr.dn" endpoint, with the Username and Password fields left blank, causing the application to fall back to the IIS Application Pool Identity. The timestamp field in the access ticket is set to 9999, creating a ticket that never expires, allowing threat actors to reuse the URL indefinitely to download the server configuration. Organizations using CentreStack and Triofox are advised to update to the latest version, 16.12.10420.56791, released on December 8, 2025, and scan logs for the presence of the string "vghpI7EToZUDIZDdprSubL3mTZ2," which is the encrypted representation of the web.config file path. In the event of indicators of compromise (IoCs), it is imperative to rotate the machine key by generating new keys in the IIS Manager and restarting IIS after repeating the same step for all worker nodes.

Open in new tab

Google Gemini AI Vulnerabilities Allowing Prompt Injection and Data Exfiltration

Researchers disclosed multiple vulnerabilities in Google's Gemini AI assistant that could have exposed users to privacy risks and data theft. The flaws, collectively named the Gemini Trifecta, affected Gemini Cloud Assist, the Search Personalization Model, and the Browsing Tool. These vulnerabilities allowed for prompt injection attacks, search-injection attacks, and data exfiltration. Google has since patched the issues and implemented additional security measures. Additionally, a zero-click vulnerability in Gemini Enterprise, dubbed 'GeminiJack', was discovered in June 2025, allowing attackers to exfiltrate corporate data via indirect prompt injection. Google addressed this flaw by separating Vertex AI Search from Gemini Enterprise and updating their interaction with retrieval and indexing systems. A new prompt injection flaw in Google Gemini allowed attackers to bypass authorization guardrails and use Google Calendar as a data extraction mechanism. The flaw enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction. The attack involved a malicious payload hidden within a standard calendar invite, which was activated when a user asked Gemini about their schedule. The flaw allowed Gemini to create a new calendar event and write a full summary of the target user's private meetings in the event's description. The issue was addressed following responsible disclosure, highlighting the need for evaluating large language models across key safety and security dimensions. Additionally, a high-severity flaw in Google's implementation of Gemini AI in the Chrome browser, tracked as CVE-2026-0628, could allow attackers to escalate privileges, violate user privacy, and access sensitive system resources. The flaw was discovered by researchers from Palo Alto Networks' Unit 42 and was patched by Google in early January. The vulnerabilities highlight the potential risks of AI tools being used as attack vectors rather than just targets.

Open in new tab