CVE-2025-12405
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-10

Last updated on: 2025-11-12

Assigner: GoogleCloud

Description
An improper privilege management vulnerability was found in Looker Studio.Β It impacted all JDBC-based connectors. A Looker Studio user with report view access could make a copy of the report and execute arbitrary SQL that would run on the data source database due to the stored credentials attached to the report. This vulnerability was patched on 21 July 2025, and no customer action is needed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-10
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12405
EUVD
EUVD-2025-44043
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
google looker_studio 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Looker Studio allows a user with only report view access to copy a report and execute arbitrary SQL commands on the connected database. This happens because the copied report retains the original owner's stored database credentials, enabling the attacker to bypass permission restrictions and run malicious SQL queries through the 'Custom Query' feature on JDBC-based connectors like PostgreSQL. [1]

Impact Analysis

An attacker exploiting this vulnerability can insert, delete, or exfiltrate data from your database without having direct access to credentials. This can lead to unauthorized data manipulation, data loss, or data theft, potentially compromising the integrity and confidentiality of your database. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unusual report copying activities by users with only view permissions in Looker Studio. Specifically, detection involves checking if a user with report view access copies a report and then uses the 'Custom Query' feature to execute SQL commands on the data source. A proof of concept involves steps such as accessing a victim's report with view-only rights, copying the report, managing and editing the PostgreSQL data source, and running malicious SQL queries. While no specific commands are provided, monitoring Looker Studio logs for report copy events by view-only users and subsequent custom query executions could help detect exploitation attempts. [1]

Mitigation Strategies

The vulnerability was patched by Google and the fix was deployed to production by August 2025. No customer action is needed as per the official description. Immediate mitigation involves ensuring that your Looker Studio environment is updated with the latest patches released after July 21, 2025. Additionally, monitoring user activities for suspicious report copying and custom query executions can help mitigate risk until the patch is confirmed applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12405. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart