CVE-2025-9571
📋 TL;DR
A remote code execution vulnerability in Google Cloud Data Fusion allows authenticated users with artifact upload permissions to execute arbitrary code in the AppFabric component. This affects organizations using vulnerable versions of CDAP/Data Fusion for data pipeline management. Attackers could gain control over Data Fusion instances and access sensitive data.
💻 Affected Systems
- Google Cloud Data Fusion
- CDAP (Cask Data Application Platform)
⚠️ Manual Verification Required
This CVE's NVD entry carries no version ranges, so automatic vulnerability detection cannot determine from the CVE record alone whether your system is affected.
Why? The NVD record lists no affected-version ranges. The vendor bulletin linked below does name the fixed releases (CDAP 6.10.6 and 6.11.1), so compare your instance version against those manually, as described under "How to Verify".
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Data Fusion instance leading to unauthorized access to all managed data, modification of data pipelines, lateral movement to connected systems, and persistent backdoor installation.
Likely Case
Unauthorized access to sensitive data within Data Fusion pipelines, modification of data transformation logic, and potential credential theft from connected data sources.
If Mitigated
Limited impact: strict access controls, network segmentation and monitoring prevent successful exploitation even where the vulnerable version is still deployed.
🎯 Exploit Status
Requires authenticated user with specific permissions; no public exploit available as of analysis
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CDAP 6.10.6+ or 6.11.1+
Vendor Advisory: https://docs.cloud.google.com/support/bulletins#gcp-2025-076
Restart Required: Yes
Instructions:
1. Back up current Data Fusion configurations and pipeline definitions.
2. For managed Cloud Data Fusion instances, upgrade the instance version from the Cloud Console or with gcloud, following the Data Fusion upgrade documentation; for self-hosted CDAP, download the patched release from https://github.com/cdapio/cdap-build/releases.
3. Stop Data Fusion services (self-hosted), or plan for the instance downtime of a managed upgrade.
4. Apply the update following the CDAP upgrade documentation.
5. Restart services and verify functionality, including that existing pipelines still deploy and run.
🔧 Temporary Workarounds
Restrict Artifact Upload Permissions
Temporarily remove artifact upload permissions from all non-essential users. Predefined IAM roles cannot be edited, so for principals bound to a predefined role remove the role binding instead; the command below only applies to a custom role. Confirm the exact permission name against the IAM permissions reference for Data Fusion before relying on it.
# Drop the artifact upload permission from a custom role (ROLE_ID is your custom role)
gcloud iam roles update ROLE_ID --project=PROJECT_ID --remove-permissions=datafusion.artifacts.upload
Network Segmentation
Isolate Data Fusion instances from sensitive data sources and production networks.
# Configure VPC firewall rules to restrict inbound access to the instance and egress from it to only the data sources it needs
# Use VPC Service Controls for additional isolation of Google API access (a perimeter restricts Google-managed services, not egress to arbitrary IPs, so keep the firewall rules as well)
🧯 If You Can't Patch
- Immediately restrict artifact upload permissions to minimal required users only
- Implement strict network segmentation and monitor all Data Fusion access logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the CDAP version via the Data Fusion UI, the version field gcloud reports for the instance, or the CDAP REST API. Compare per release branch: 6.10.x before 6.10.6 and 6.11.x before 6.11.1 are vulnerable, as are older branches with no fixed release listed; note that 6.11.0 is newer than 6.10.6 yet still unpatched, so a plain "at least 6.10.6" check is not enough.
Check Version:
curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" 'https://[DATA_FUSION_INSTANCE]/api/v3/version'
The call needs an OAuth token for a principal with access to the instance; alternatively, read the version from the instance details in the Data Fusion UI.
Verify Fix Applied:
Confirm version is 6.10.6+ or 6.11.1+ and test artifact upload functionality with restricted permissions
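The branch-aware comparison described above, as an added example that is not part of the original page or of CDAP/Data Fusion: it parses a version string (for instance the value returned by gcloud for the instance, or the CDAP REST version endpoint) and classifies it against the fixed releases named in the vendor bulletin. The fixed-version table is taken from this page; the script name and the "unknown" treatment of branches newer than any listed are assumptions for the example.

```python
import re
import sys

# Fixed releases named in the vendor bulletin on this page: for each CDAP
# release branch, the first patch level that carries the fix.
FIXED_PATCH_BY_BRANCH = {(6, 10): 6, (6, 11): 1}

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '6.10.5',
    '6.11.0-SNAPSHOT' or 'v6.10.6'; raise ValueError otherwise."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Classify a CDAP / Data Fusion version as 'vulnerable', 'fixed' or
    'unknown'. The comparison is per release branch: 6.11.0 sorts above
    6.10.6 but predates the 6.11.x fix, so a flat 'version >= 6.10.6'
    test would wrongly clear it."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in FIXED_PATCH_BY_BRANCH:
        return "fixed" if patch >= FIXED_PATCH_BY_BRANCH[branch] else "vulnerable"
    if branch < min(FIXED_PATCH_BY_BRANCH):
        # Older branches have no fixed release listed: treat as vulnerable.
        return "vulnerable"
    # Newer branch than anything in the bulletin (assumption: do not guess,
    # check the advisory for that branch).
    return "unknown"


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python3 check_cdap_version.py "$(gcloud beta data-fusion instances \
    #       describe INSTANCE_ID --location=REGION --format='value(version)')"
    for arg in sys.argv[1:]:
        print(f"{arg}: {assess(arg)}")
```

Feed it one version string per argument; anything it reports as "unknown" is a branch the bulletin does not cover and should be checked against the vendor advisory rather than assumed safe.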
📡 Detection & Monitoring
Log Indicators:
- Unusual artifact upload patterns
- Multiple failed upload attempts followed by success
- Unexpected process execution in AppFabric logs
- Changes to data pipeline configurations from unauthorized users
Network Indicators:
- Unusual outbound connections from Data Fusion instances
- Data exfiltration patterns from Data Fusion to external IPs
- Unexpected internal network scanning from Data Fusion
SIEM Query:
source="data_fusion" AND ((event="artifact_upload" AND user NOT IN ["approved_users"]) OR (process_execution="unexpected" AND component="appfabric"))
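The first two log indicators above (uploads by principals outside an approved set, and several failed uploads followed by a success from the same principal) implemented over sample records, as an added example that is not part of the original page or of any Data Fusion tooling. The log lines are constructed for the example and their field names (timestamp, event, principal, artifact, outcome) are an assumed, simplified shape, not the real Data Fusion or Cloud Logging schema; map them to your own export before use. The approved-uploader set, threshold and window are illustrative values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Principals expected to upload artifacts (e.g. a CI service account); any other
# principal completing an upload is worth a look. Hypothetical value for the example.
APPROVED_UPLOADERS = {"pipeline-ci@example.iam.gserviceaccount.com"}

# "Several failed uploads followed by a success" from the same principal.
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample records (JSON lines). The field names are an assumption for
# this example, not the real Data Fusion / Cloud Logging schema.
SAMPLE_LOG = """\
{"timestamp":"2025-09-01T10:00:00Z","event":"artifact_upload","principal":"pipeline-ci@example.iam.gserviceaccount.com","artifact":"my-plugins-1.4.0.jar","outcome":"success"}
{"timestamp":"2025-09-01T10:02:10Z","event":"artifact_upload","principal":"attacker@example.com","artifact":"evil-1.0.jar","outcome":"failure"}
{"timestamp":"2025-09-01T10:02:45Z","event":"artifact_upload","principal":"attacker@example.com","artifact":"evil-1.0.jar","outcome":"failure"}
{"timestamp":"2025-09-01T10:03:30Z","event":"artifact_upload","principal":"attacker@example.com","artifact":"evil-1.0.jar","outcome":"failure"}
{"timestamp":"2025-09-01T10:05:00Z","event":"artifact_upload","principal":"attacker@example.com","artifact":"evil-1.0.jar","outcome":"success"}
{"timestamp":"2025-09-01T10:06:00Z","event":"pipeline_start","principal":"dev@example.com","artifact":"","outcome":"success"}
{"timestamp":"2025-09-01T10:07:00Z","event":"artifact_upload","principal":"dev@example.com","artifact":"custom-plugin-0.1.jar","outcome":"failure"}
{"timestamp":"2025-09-01T10:08:00Z","event":"artifact_upload","principal":"dev@example.com","artifact":"custom-plugin-0.1.jar","outcome":"success"}
"""


def parse_events(text):
    """Parse JSON lines into dicts carrying a timezone-aware 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_alerts(events):
    """Return (rule, principal, artifact) tuples for the two log indicators."""
    alerts = []
    recent_failures = defaultdict(list)  # principal -> timestamps of failed uploads
    for e in events:
        if e.get("event") != "artifact_upload":
            continue
        who, what = e["principal"], e["artifact"]
        if e["outcome"] != "success":
            recent_failures[who].append(e["ts"])
            continue
        # A completed upload: check who did it ...
        if who not in APPROVED_UPLOADERS:
            alerts.append(("unapproved_uploader", who, what))
        # ... and whether it came after a burst of failures inside the window.
        cutoff = e["ts"] - FAIL_WINDOW
        failures_in_window = [t for t in recent_failures[who] if t >= cutoff]
        if len(failures_in_window) >= FAIL_THRESHOLD:
            alerts.append(("failures_then_success", who, what))
        recent_failures[who].clear()
    return alerts


def run_sample():
    return find_alerts(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, who, what in run_sample():
        print(f"{rule:24} {who:45} {what}")
```

On the sample, the CI account's upload is silent, the developer's single failure followed by a success only trips the unapproved-uploader rule, and the attacker's three failures inside ten minutes followed by a success trips both; the same two conditions are what the SIEM query above expresses, with the failure-burst rule being the part a single-event query cannot capture.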