CVE-2025-12742
📋 TL;DR
A Looker user with the Developer role can execute arbitrary commands on the server because Teradata driver parameters are processed insecurely. This affects both Looker-hosted (already mitigated) and self-hosted instances. Self-hosted deployments must upgrade immediately.
💻 Affected Systems
- Looker
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing an attacker to execute arbitrary commands with the privileges of the Looker service account, potentially leading to data exfiltration, lateral movement, or complete system takeover.
Likely Case
A user with the Developer role could execute limited commands to access sensitive data, modify configurations, or disrupt service availability.
If Mitigated
With proper role-based access controls limiting Developer roles to trusted users only, impact is reduced to authorized personnel misuse.
🎯 Exploit Status
Requires Developer role access. Manipulation of Teradata driver parameters leads to command injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.12.108+, 24.18.200+, 25.0.78+, 25.6.65+, 25.8.47+, 25.12.10+, 25.14+
Vendor Advisory: https://cloud.google.com/support/bulletins#gcp-2025-052
Restart Required: Yes
Instructions:
1. Download the patched version from https://download.looker.com/
2. Back up the current installation
3. Stop the Looker service
4. Install the patched version
5. Restart the Looker service
6. Verify that the running version is patched
🔧 Temporary Workarounds
Restrict Developer Role Access
Temporarily remove the Developer role from all users except the administrators who strictly need it
# Use Looker Admin panel to modify user roles
Disable Teradata Connections
Block or disable Teradata database connections if they are not required
# Modify Looker database connection settings to remove Teradata
🧯 If You Can't Patch
- Immediately audit and restrict all users with Developer role to minimum necessary personnel
- Implement network segmentation to isolate Looker instances from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check the Looker version against the patched-version list above. If the version is below the patched release for its branch and the instance uses Teradata connections, the system is vulnerable.
Check Version:
# Check Looker version via admin interface or configuration files
Verify Fix Applied:
Verify that the Looker version is at or above the patched release for its branch: 24.12.108, 24.18.200, 25.0.78, 25.6.65, 25.8.47, 25.12.10, or any 25.14+ release
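The version check above is easy to get wrong because the fix landed in several release branches at different patch levels, so a plain "is my version bigger than X" comparison does not work. The script below is an added example (not Looker or Google tooling) that classifies a self-hosted Looker version string against the patched releases listed in this advisory. The patched numbers come from the advisory; how unlisted branches are treated is an assumption noted in the code.

```python
"""Classify a Looker version against the CVE-2025-12742 patched releases.

Added example, not vendor tooling. Patched releases are taken from the
advisory; the handling of release branches the advisory does not list is an
assumption (see assess()).
"""
import re

# Minimum patched release per branch (major.minor -> patch number), per the advisory.
PATCHED = {
    (24, 12): 108,
    (24, 18): 200,
    (25, 0): 78,
    (25, 6): 65,
    (25, 8): 47,
    (25, 12): 10,
}
# The advisory lists "25.14+": every branch from this one onward ships with the fix.
FIXED_FROM = (25, 14)
OLDEST_LISTED = min(PATCHED)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '25.6.64' or '25.14'.

    A missing patch component is treated as 0.
    """
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Looker version string: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for a Looker version string."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch >= FIXED_FROM:
        return "patched"
    if branch in PATCHED:
        return "patched" if patch >= PATCHED[branch] else "vulnerable"
    if branch < OLDEST_LISTED:
        # Below every patched release listed in the advisory.
        return "vulnerable"
    # Assumption: a branch between the listed ones that the advisory does not
    # name is reported as unknown so it gets checked against the vendor
    # bulletin rather than assumed safe.
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ["24.12.107", "25.6.65", "25.10.3", "25.14", "23.20.5"]:
        print(f"{sample:>10}: {assess(sample)}")
```

Feed it the version string from the Looker admin interface; anything reported as vulnerable or unknown should be scheduled for the upgrade described under Official Fix.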
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in system logs
- Teradata connection attempts with unusual parameters
- Looker service account executing unexpected commands
Network Indicators:
- Outbound connections from Looker server to unexpected destinations
- Command and control traffic patterns
SIEM Query:
source="looker" AND (event="command_execution" OR event="teradata_connection")