CVE-2025-12405 describes an improper privilege management vulnerability discovered in Looker Studio. This flaw allows a user with report view access to potentially execute arbitrary SQL against the underlying data source database by copying a report and leveraging stored credentials. The vulnerability impacts all JDBC-based connectors within Looker Studio and was resolved on July 21, 2025.
The primary impact of CVE-2025-12405 is the potential for unauthorized data access and manipulation within the data source database. An attacker could craft a malicious report copy and execute SQL queries to extract sensitive information, modify existing data, or even delete records. The scope of the attack is limited to the data accessible through the JDBC connector and the permissions granted to the Looker Studio user. Successful exploitation could lead to data breaches, compliance violations, and disruption of business operations. While the vulnerability requires report view access, the potential for data exfiltration makes it a significant concern.
CVE-2025-12405 was publicly disclosed on November 10, 2025. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. Public proof-of-concept code is not currently available, but the nature of the vulnerability (SQL injection) suggests that it could be relatively easy to exploit once a suitable PoC is developed.
Organizations using Looker Studio with JDBC-based connectors are at risk, particularly those with sensitive data stored in the connected databases. Environments where report view access is granted broadly, or where JDBC connectors are configured with overly permissive credentials, are at higher risk.
EPSS: 0.07% (22nd percentile)
The vulnerability was patched on July 21, 2025, so upgrading to version 2025-07-21 or later is the primary mitigation. Since the vendor states that no customer action is required, the patch is most likely applied automatically; it is still recommended to verify the Looker Studio version to confirm it is updated. Reviewing report access permissions and limiting access to only the users who need it further reduces the attack surface. Consider implementing data masking or row-level security within the data source database so that the data reachable through the connector stays restricted even if SQL injection succeeds.
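As an added example of the last two recommendations (not code from the page, from Google or from Looker Studio), the PostgreSQL script below replaces a connector account that holds owner privileges with a read-only role confined to a masked, row-filtered view, so that SQL run with the stored connector credentials can reach only what the report needs. The database engine, role names, table and column names are all assumptions.

```sql
-- Weak setting the connector is moved away from: the Looker Studio JDBC
-- connector stores credentials for the schema owner, so any SQL reaching the
-- database through a copied report can read, alter or drop every table.
--   CREATE USER looker_conn PASSWORD '...';
--   GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA sales TO looker_conn;

-- Hardened setting: the connector logs in as a role that can read exactly one
-- masked view, and that view is filtered by a row-level-security policy.

-- 1. Login role for the connector (assumed name); no table privileges at all.
CREATE ROLE looker_conn LOGIN PASSWORD 'placeholder-keep-in-secret-store';
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 2. Owner of the report views. It may read the base table but is not the
--    table owner, so row-level security applies to it without FORCE.
CREATE ROLE report_views NOLOGIN;
GRANT USAGE ON SCHEMA sales TO report_views, looker_conn;
GRANT SELECT ON sales.orders TO report_views;

-- 3. Row-level security keyed on session_user, which a caller cannot change
--    with SET (unlike a custom session setting), via a mapping table the
--    connector role cannot read or write.
CREATE TABLE sales.report_role_regions (role_name text NOT NULL, region text NOT NULL);
INSERT INTO sales.report_role_regions VALUES ('looker_conn', 'EMEA');
GRANT SELECT ON sales.report_role_regions TO report_views;
ALTER TABLE sales.orders ENABLE ROW LEVEL SECURITY;
CREATE POLICY report_region_only ON sales.orders
    FOR SELECT TO report_views
    USING (region IN (SELECT r.region FROM sales.report_role_regions r
                      WHERE r.role_name = session_user));

-- 4. Masking: the connector sees a redacted e-mail address, never the raw column.
CREATE VIEW sales.orders_report AS
SELECT order_id, region, order_total,
       regexp_replace(customer_email, '^(.).*@', '\1***@') AS customer_email_masked
FROM sales.orders;
ALTER VIEW sales.orders_report OWNER TO report_views;
GRANT SELECT ON sales.orders_report TO looker_conn;

-- Check from a session opened with the connector credentials: reads return
-- only masked EMEA rows, and everything else is refused by the database
-- rather than by Looker Studio's own permission model.
--   SELECT count(*) FROM sales.orders_report;   -- EMEA rows only, masked
--   SELECT * FROM sales.orders;                 -- ERROR: permission denied
--   DELETE FROM sales.orders;                   -- ERROR: permission denied
```

The connector's credentials then grant nothing beyond the single view, so the blast radius of any SQL issued through a copied report is bounded by the database rather than by report permissions alone.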
Google has patched this vulnerability. No action is required on the user's part.
CVE-2025-12405 is a vulnerability in Looker Studio where a report viewer can execute arbitrary SQL on the data source database due to stored credentials. It affects JDBC-based connectors.
If you use Looker Studio with JDBC-based connectors and are running a version prior to 2025-07-21, you may be affected. However, the vendor states no customer action is needed.
Upgrade to version 2025-07-21 or later to address the vulnerability. Verify the version to ensure the patch has been applied.
There is currently no public information indicating active exploitation of CVE-2025-12405.
Refer to the official Looker Studio security advisory for details on CVE-2025-12405 and related information.