Security researchers have uncovered serious vulnerabilities in Google Looker that could allow attackers to take over self-hosted installations of the widely used business intelligence platform. The flaws — collectively tracked as “LookOut” — have heightened concerns in the enterprise IT and cybersecurity communities, particularly among organizations running their own on-premises or private cloud instances.
What’s at Stake
Looker, a data analytics and visualization platform acquired by Google and integrated with its cloud ecosystem, is used by tens of thousands of organizations worldwide. Researchers at Tenable found two high-risk issues that together can lead to full system compromise.
The first vulnerability chain enables remote code execution (RCE) — meaning an attacker could run arbitrary commands on the server hosting Looker. This kind of access effectively grants control of the application and underlying system, allowing malicious actors to steal sensitive data, manipulate dashboards, or move laterally into other parts of the corporate network.
The second flaw — officially cataloged as CVE-2025-12743 — targets Looker’s internal management database. By abusing an internal connection interface, an attacker with certain permissions could trick Looker into disclosing sensitive credentials and configuration secrets stored in its database.
Why Self-Hosted Users Are Particularly Vulnerable
Google has already rolled out patches for its managed Looker service running on Google Cloud. However, many organizations run Looker on private infrastructure — whether for regulatory reasons, internal control, or performance needs. These self-hosted deployments remain exposed until administrators manually apply the updated software versions.
Unlike cloud services where patches can be pushed centrally, self-hosted environments depend on the organization’s internal DevOps and security teams to track updates and apply fixes — a process that can lag behind, especially in large enterprises with complex approval cycles.
Recommendations for Administrators
To mitigate these risks, Tenable and other security analysts urge organizations with self-hosted Looker instances to:
- Update Immediately — Install the patched versions of Looker (e.g., releases 25.12.30+, 25.10.54+, 25.6.79+, 25.0.89+, and 24.18.209+). Versions 25.14 and above include fixes and are not impacted by the LookOut vulnerabilities.
- Review System Logs and File Structures — Look for signs of unauthorized access, including unfamiliar files in Looker’s .git/hooks/ directories (such as malicious Git hook scripts) and unusual internal database access patterns.
- Harden Access Controls — Restrict access to the Looker management interface and ensure that only trusted administrators and services can execute project deployment or database-related operations.
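The following is an added example, not code from the article, Tenable or Google, that turns the first two recommendations into a check an administrator can run: it compares an installed version string against the patched release floors listed above and enumerates active Git hooks beneath a models directory. The models directory layout and the constructed fixture tree are assumptions, not Looker's documented paths.

```python
# Added example, not from the article, Tenable or Google: a defender-side
# check that compares a self-hosted Looker version string against the patched
# release floors the advisory lists, and lists active Git hooks under a
# models directory (the path layout is an assumption; adjust to your install).
import os
import tempfile
from typing import Optional, Tuple

# Minimum patched release per affected branch (from the article); 25.14+ is unaffected.
PATCHED_FLOORS = {(25, 12): 30, (25, 10): 54, (25, 6): 79, (25, 0): 89, (24, 18): 209}
FIRST_UNAFFECTED = (25, 14)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'25.12.30' -> (25, 12, 30); a missing patch component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_patched(version: str) -> Optional[bool]:
    """True = patched or unaffected, False = still vulnerable, None = branch not listed."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIRST_UNAFFECTED:
        return True
    floor = PATCHED_FLOORS.get((major, minor))
    return None if floor is None else patch >= floor


def active_git_hooks(models_root: str) -> list:
    """Return non-.sample files under any .git/hooks beneath models_root (git ships only *.sample)."""
    hooks = []
    for dirpath, _dirs, files in os.walk(models_root):
        parent, leaf = os.path.split(dirpath)
        if leaf == "hooks" and os.path.basename(parent) == ".git":
            hooks.extend(os.path.join(dirpath, f) for f in files if not f.endswith(".sample"))
    return sorted(hooks)


def build_sample_tree() -> str:
    """Constructed fixture: one project with a stock sample hook and one active hook."""
    root = tempfile.mkdtemp(prefix="looker_models_")
    hooks_dir = os.path.join(root, "sales_model", ".git", "hooks")
    os.makedirs(hooks_dir)
    for name in ("pre-commit.sample", "post-checkout"):
        with open(os.path.join(hooks_dir, name), "w") as fh:
            fh.write("#!/bin/sh\n")
    return root
```

Any hook returned by `active_git_hooks` that the team did not put there deserves a look, together with the internal database access patterns the advisory mentions.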
Broader Security Implications
The LookOut vulnerabilities underscore the inherent challenges of securing powerful analytics platforms. Looker often acts as a “central nervous system” for corporate data — aggregating information from multiple sources, triggering queries, and storing connection credentials. That makes it an attractive target for attackers seeking a broad foothold inside an organization.
While cloud-based offerings benefit from vendor-managed security updates, self-hosted solutions place the onus of protection squarely on internal teams. This incident serves as a reminder that strong patch management, vigilant monitoring, and robust access governance are critical components of a secure analytics environment.
