LookOut flaws in Looker could allow server takeover and database theft

Two vulnerabilities in Looker, collectively named LookOut and disclosed by researchers at Tenable, could allow remote server takeover or theft of the platform’s internal management database. The platform is deployed by more than 60,000 organizations in 195 countries. A Google support bulletin said the vendor has secured its managed cloud service.

KEY FACTS

  • Incident: Two vulnerabilities named LookOut
  • Affected: Looker installations used by 60,000+ organizations in 195 countries
  • Impact: Remote code execution that can yield full server takeover
  • Mitigation: Managed instances secured by the vendor; self-hosted instances require manual patches

The most critical issue is an RCE chain that can run arbitrary commands on a Looker server, enabling an attacker to steal secrets, manipulate data, or pivot into internal networks. In cloud deployments this behavior could permit cross-tenant access.

The second flaw allows theft of Looker’s internal management database by tricking the system into connecting to its own private management endpoint and using a data extraction technique to download user credentials and configuration secrets.

According to the bulletin, the vendor has secured its managed cloud service. Organizations that host Looker on private servers must apply patches manually. Recommended updates include versions 25.12.30+, 25.10.54+, 25.6.79+, 25.0.89+ and 24.18.209+. Releases 25.14 and above are not affected.

Administrators should inspect project folders for unexpected files in .git/hooks, especially scripts named pre-push, post-commit, or applypatch-msg. Application logs should be checked for unusual SQL errors or patterns consistent with error-based SQL injection targeting internal connections such as looker__ilooker.
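As an added example (not code from the advisory, Tenable or Looker), a small Python audit helper that applies the two checks above to a self-hosted instance: it lists non-sample scripts in each project's .git/hooks directory, flagging the three hook names above as high priority, and filters application log lines for SQL errors that name the looker__ilooker connection. The function names, the regular expressions, and the sample project tree and log lines are constructed assumptions; real error text varies by database.

```python
import os
import re
import tempfile

# Hook names the advisory calls out; other non-sample hooks are still listed.
WATCHED_HOOKS = {"pre-push", "post-commit", "applypatch-msg"}
# Constructed patterns: the real error text on a server may differ.
SQL_ERROR_RE = re.compile(r"sql\s*(syntax|error|exception)|syntax error", re.I)
INTERNAL_CONN_RE = re.compile(r"looker__ilooker", re.I)


def audit_git_hooks(projects_root):
    """List (path, priority) for every non-sample file in <project>/.git/hooks.
    Git only ships *.sample hooks, so anything else was added deliberately."""
    findings = []
    for project in sorted(os.listdir(projects_root)):
        hooks_dir = os.path.join(projects_root, project, ".git", "hooks")
        if not os.path.isdir(hooks_dir):
            continue
        for name in sorted(os.listdir(hooks_dir)):
            if name.endswith(".sample"):
                continue
            priority = "high" if name in WATCHED_HOOKS else "review"
            findings.append((os.path.join(hooks_dir, name), priority))
    return findings


def scan_log_lines(lines):
    """Return log lines carrying a SQL error that names the internal connection."""
    return [ln for ln in lines if SQL_ERROR_RE.search(ln) and INTERNAL_CONN_RE.search(ln)]


def build_fixture():
    """Constructed project tree: one tampered pre-push hook, one stock sample."""
    root = tempfile.mkdtemp()
    hooks = os.path.join(root, "sales_model", ".git", "hooks")
    os.makedirs(hooks)
    for name in ("pre-push", "pre-commit.sample"):
        with open(os.path.join(hooks, name), "w") as fh:
            fh.write("#!/bin/sh\n")  # contents are not inspected here
    return root


# Constructed sample log lines (not real Looker output).
SAMPLE_LOG = [
    "10:00:01 INFO  query finished connection=sales_dw rows=120",
    "10:00:02 ERROR SQL syntax error near 'CAST(' connection=looker__ilooker",
    "10:00:03 ERROR SQL syntax error in user query connection=sales_dw",
]

if __name__ == "__main__":
    print(audit_git_hooks(build_fixture()))
    print(scan_log_lines(SAMPLE_LOG))
```

Run it against the real project root and the application log on a self-hosted server; hooks reported as "high" and any matching log lines warrant an incident review.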

WHY IT MATTERS

Looker often serves as a central system for sensitive corporate data, so successful exploitation can expose credentials and configuration secrets, permit data manipulation, and enable further internal compromise.