CVE-2025-12740
📋 TL;DR
A vulnerability in Looker allows a user holding the Developer role to execute arbitrary commands on the Looker server by manipulating LookML while creating an IBM DB2 database connection. Looker-hosted instances have already been patched by the vendor; customer-hosted instances must be updated to a fixed build.
💻 Affected Systems
- Looker
⚠️ Manual Verification Required
The CVE database entry for this issue carries no version ranges (none were provided by the vendor or NVD), so automatic detection cannot decide from the version string alone whether your instance is affected. Compare your build against the fixed versions listed under Official Fix below instead.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing arbitrary command execution on the Looker server, data exfiltration, lateral movement, and persistence.
Likely Case
Unauthorized database access, data manipulation, or limited command execution within the Looker environment.
If Mitigated
No impact once a fixed build is installed. Restricting Developer role assignments shrinks the set of accounts able to trigger the flaw but does not remove it.
🎯 Exploit Status
Requires authenticated Developer role and knowledge of LookML manipulation. No public exploit available yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.0.93+, 25.6.84+, 25.12.42+, 25.14.50+, 25.16.44+
Vendor Advisory: https://cloud.google.com/support/bulletins#gcp-2025-052
Restart Required: Yes
Instructions:
1. Download the patched version from https://download.looker.com/
2. Back up the current installation
3. Install the patched version
4. Restart the Looker services
5. Verify that the reported version is one of the fixed builds
🔧 Temporary Workarounds
Restrict Developer Role Access
Temporarily remove the Developer role from users who do not absolutely need it
Disable IBM DB2 Connections
Block creation of new IBM DB2 database connections if they are not required
🧯 If You Can't Patch
- Implement strict role-based access control - only assign Developer roles to trusted users
- Monitor LookML changes and database connection creation for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check if Looker version is below patched versions: 25.0.93, 25.6.84, 25.12.42, 25.14.50, 25.16.44
Check Version:
Read the version from the Looker admin panel or from the Looker API on a customer-hosted instance. The `looker` control script shipped with self-hosted installs may also report it; check the script in your install for the exact invocation, since `looker --version` is not guaranteed to work everywhere.
Verify Fix Applied:
Verify that the Looker version is at or above the fixed build for its release branch, as listed under Official Fix above (25.0.93, 25.6.84, 25.12.42, 25.14.50, 25.16.44).
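The comparison above is per release branch, not a plain numeric one: 25.8.12 is larger than 25.6.84 yet the bulletin names no fix for the 25.8 branch. The script below is an added example for this page, not vendor code. It classifies a version string against the fixed builds quoted above and can read the version out of a decoded Looker API response; the `looker_release_version` field name is an assumption based on the Looker API `GET /api/4.0/versions` response as I know it, so confirm it against your instance.

```python
"""Version check against the fixed Looker builds listed on this page.

Added example (not vendor code). The fixed builds come from the bulletin quoted above; the
comparison is done per release branch, because a build on a branch the bulletin does not
name (e.g. 25.8.x) is not fixed merely because its number is larger than 25.6.84.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum fixed build per release branch: (major, minor) -> (major, minor, build).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (25, 0): (25, 0, 93),
    (25, 6): (25, 6, 84),
    (25, 12): (25, 12, 42),
    (25, 14): (25, 14, 50),
    (25, 16): (25, 16, 44),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.BUILD' from a string such as '25.12.30' (trailing suffixes ignored)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Looker version string: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return major, minor, build


def assess(version_text: str) -> str:
    """Classify a Looker version as 'fixed', 'vulnerable' or 'unknown'.

    'unknown' means the release branch is not named in the bulletin quoted on this page;
    treat it as needing a manual check, or move to one of the listed branches.
    """
    major, minor, build = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Branches older than the oldest fixed branch predate the fix entirely.
        return "vulnerable" if (major, minor) < min(FIXED_VERSIONS) else "unknown"
    return "fixed" if (major, minor, build) >= fixed else "vulnerable"


def release_version_from_api(payload: dict) -> Optional[str]:
    """Extract the release version from a decoded GET /api/4.0/versions response.

    Assumption: the response carries a 'looker_release_version' string, as in the
    Looker API I am familiar with; confirm against your instance before relying on it.
    """
    value = payload.get("looker_release_version")
    return value if isinstance(value, str) else None


if __name__ == "__main__":
    # Constructed sample response, not captured from a real instance.
    sample_payload = {"looker_release_version": "25.12.30", "current_version": {"version": "4.0"}}
    ver = release_version_from_api(sample_payload)
    print(ver, "->", assess(ver) if ver else "version not found")
    for v in ("25.12.42", "25.14.49", "24.20.10", "25.8.12", "25.18.3"):
        print(v, "->", assess(v))
```

An `unknown` result is deliberately not treated as safe: the bulletin on this page lists fixed builds only for the five branches in `FIXED_VERSIONS`, so an instance on any other 25.x branch should be moved to one of those branches rather than assumed patched.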
📡 Detection & Monitoring
Log Indicators:
- Unusual LookML modifications
- IBM DB2 connection creation attempts
- Command execution patterns in logs
Network Indicators:
- Unexpected outbound connections from Looker server
- Database connections to unauthorized systems
SIEM Query (illustrative; the event and field names depend on how your log source maps Looker audit data, so adapt them before use):
source="looker" AND (event="lookml_modification" OR event="db_connection_create") AND user.role="developer"