CVE-2025-12741
📋 TL;DR
A Looker user with Developer role can exploit a Denodo driver vulnerability by manipulating LookML to execute malicious commands. This affects both Looker-hosted (already mitigated) and Self-hosted instances, requiring immediate patching for self-hosted deployments.
💻 Affected Systems
- Looker
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or lateral movement within the network.
Likely Case
Unauthorized database access, data manipulation, or privilege escalation within the Looker environment.
If Mitigated
Limited impact if proper role-based access controls restrict Developer privileges and network segmentation is in place.
🎯 Exploit Status
Requires authenticated user with Developer role and knowledge of LookML manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.12.108+, 24.18.200+, 25.0.78+, 25.6.65+, 25.8.47+, 25.12.10+, 25.14+
Vendor Advisory: https://cloud.google.com/support/bulletins#gcp-2025-052
Restart Required: Yes
Instructions:
1. Download patched version from https://download.looker.com/ 2. Backup current installation 3. Install patched version 4. Restart Looker services
🔧 Temporary Workarounds
Restrict Developer Role Access
allTemporarily remove Developer role from users who don't absolutely need it
Disable Denodo Driver
allRemove or disable Denodo database connections if not required
🧯 If You Can't Patch
- Implement strict role-based access control to limit Developer role assignments
- Monitor for suspicious LookML modifications and database connection activities
🔍 How to Verify
Check if Vulnerable:
Check Looker version against vulnerable versions list. Review user roles for Developer privileges.Check Version:
Check Looker admin panel or run appropriate version command for your installation methodVerify Fix Applied:
Confirm installed version matches patched versions: 24.12.108+, 24.18.200+, 25.0.78+, 25.6.65+, 25.8.47+, 25.12.10+, or 25.14+📡 Detection & Monitoring
Log Indicators:
- Unusual LookML modifications
- Suspicious database connection attempts via Denodo driver
- Unexpected command execution patterns
Network Indicators:
- Anomalous outbound connections from Looker server
- Unexpected database queries
SIEM Query:
source="looker" AND (event_type="lookml_modification" OR driver="denodo") AND user_role="developer"