Google: Google’s Vertex AI Vulnerability Enables Low-Privileged Users to Gain Service Agent Roles

Google Vertex AI Default Configurations Enable Privilege Escalation Attacks

Researchers at XM Cyber uncovered critical security flaws in Google’s Vertex AI, where default configurations allow low-privileged users to escalate privileges by hijacking Service Agent roles. Google acknowledged the vulnerabilities but classified them as "working as intended," leaving organizations exposed to potential attacks.

The vulnerabilities affect two components: Vertex AI Agent Engine and Ray on Vertex AI. Both rely on Service Agents, Google-managed identities with broad project permissions, which becomes a risk when users with minimal privileges can drive those identities. Attackers exploit this through "confused deputy" scenarios, in which read-only access can lead to remote code execution (RCE) and to credential theft from the instance metadata server.

Attack Vectors Breakdown

  1. Vertex AI Agent Engine

    • Target: Reasoning Engine Service Agent
    • Vulnerability: Malicious tool injection via aiplatform.reasoningEngines.update permissions.
    • Impact: Attackers upload malicious code (e.g., a reverse shell) disguised as a legitimate tool, gaining access to LLM memories, chat logs, and Cloud Storage (GCS) buckets, even public ones, without holding direct storage permissions.
  2. Ray on Vertex AI

    • Target: Custom Code Service Agent
    • Vulnerability: Insecure default access (aiplatform.persistentResources.get/list) allows users holding only the Vertex AI Viewer role to gain a root shell via the GCP Console’s "Head node interactive shell."
    • Impact: Attackers extract the agent’s token, enabling read-write access to GCS and BigQuery, though IAM actions like signBlob remain restricted.

Mitigation Recommendations

Because Google treats these default configurations as intended behaviour, enterprises must secure their own deployments. Recommended steps include:

  • Revoking unnecessary Service Agent permissions via custom roles.
  • Disabling head node shells and validating tool code before updates.
  • Monitoring metadata access through Security Command Center’s Agent Engine Threat Detection, which flags RCE and token theft.
  • Auditing persistent resources and reasoning engines regularly.
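One way to act on the first and last recommendations above, as an added example that is not from the article or from XM Cyber: a small Python audit that reads an exported project IAM policy (the shape `gcloud projects get-iam-policy PROJECT --format=json` produces) together with custom role definitions, and flags three things the article calls out: Service Agent identities holding broad primitive roles, principals holding the Vertex AI Viewer role (which the article says is enough for the Ray head node shell by default), and custom roles that carry `aiplatform.reasoningEngines.update`. The service-agent e-mail pattern, the project id and the sample policy are constructed assumptions; check them against your own project before relying on the output.

```python
import json
import re
from typing import Dict, List

# Assumption: Vertex AI service agents use the gcp-sa-aiplatform* domains.
# Verify the exact suffixes on your project's IAM page before trusting this match.
SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-aiplatform[\w-]*\.iam\.gserviceaccount\.com$"
)

# Primitive roles grant project-wide access; a service agent should not need them.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Per the article, Vertex AI Viewer is enough for the Ray head node shell by default.
VIEWER_ROLE = "roles/aiplatform.viewer"

# The permission the article names for tool injection into a reasoning engine.
SENSITIVE_PERMISSIONS = {"aiplatform.reasoningEngines.update"}


def audit_policy(policy: dict, custom_roles: Dict[str, List[str]]) -> dict:
    """Walk every binding and group findings by category.

    custom_roles maps a custom role name to its includedPermissions list.
    """
    findings = {
        "service_agent_broad_role": [],
        "viewer_role_holders": [],
        "risky_custom_role_holders": [],
    }
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BROAD_ROLES and SERVICE_AGENT_RE.match(member):
                findings["service_agent_broad_role"].append((member, role))
            if role == VIEWER_ROLE:
                findings["viewer_role_holders"].append(member)
            risky = SENSITIVE_PERMISSIONS & set(custom_roles.get(role, []))
            if risky:
                findings["risky_custom_role_holders"].append(
                    (member, role, sorted(risky))
                )
    return findings


def removal_commands(project_id: str, findings: dict) -> List[str]:
    """Build the gcloud commands that would strip broad roles from service agents.

    Grant a least-privilege custom role to the agent first, otherwise the
    managed service loses the access it legitimately needs.
    """
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member={member} --role={role}"
        for member, role in findings["service_agent_broad_role"]
    ]


# Constructed sample input (not taken from the article): one exported policy
# and one custom role definition, using a hypothetical project id.
SAMPLE_PROJECT = "example-proj"
SAMPLE_POLICY = json.loads(
    """
{
  "bindings": [
    {"role": "roles/editor",
     "members": [
       "serviceAccount:service-123456789012@gcp-sa-aiplatform-re.iam.gserviceaccount.com",
       "user:admin@example.com"]},
    {"role": "roles/aiplatform.viewer",
     "members": ["user:analyst@example.com", "group:data-readers@example.com"]},
    {"role": "projects/example-proj/roles/agentTuner",
     "members": ["user:dev@example.com"]},
    {"role": "roles/aiplatform.admin",
     "members": ["user:admin@example.com"]}
  ]
}
"""
)
SAMPLE_CUSTOM_ROLES = {
    "projects/example-proj/roles/agentTuner": [
        "aiplatform.reasoningEngines.get",
        "aiplatform.reasoningEngines.update",
    ]
}

if __name__ == "__main__":
    result = audit_policy(SAMPLE_POLICY, SAMPLE_CUSTOM_ROLES)
    for category, items in result.items():
        print(category)
        for item in items:
            print("  ", item)
    print("\n".join(removal_commands(SAMPLE_PROJECT, result)))
```

Running the script on a real export means replacing `SAMPLE_POLICY` with the parsed output of `gcloud projects get-iam-policy` and `SAMPLE_CUSTOM_ROLES` with the `includedPermissions` of each role from `gcloud iam roles describe`. Viewer-role holders are reported as an inventory rather than as a defect: the point is to know who can reach the head node shell while that default is enabled.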

The findings highlight the need for organizations to treat Vertex AI’s default settings as potential attack surfaces rather than operational conveniences.

Source: https://cybersecuritynews.com/google-vertex-ai-vulnerability/

Google Cloud cybersecurity rating report: https://www.rankiteo.com/company/google-cloud

Rating record:

{
  "id": "GOO1768649952",
  "linkid": "google-cloud",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

Incident details record:

{
  "affected_entities": [
    {
      "industry": "Technology/Cloud Services",
      "location": "Global",
      "name": "Google Vertex AI",
      "type": "Cloud AI Service"
    }
  ],
  "attack_vector": ["Misconfigured Default Settings", "Confused Deputy Attack"],
  "data_breach": {
    "data_exfiltration": "Possible via malicious tool injection or token theft",
    "sensitivity_of_data": "High (potential PII or proprietary data)",
    "type_of_data_compromised": ["LLM memories", "Chat logs", "Cloud Storage (GCS) buckets", "BigQuery data"]
  },
  "description": "Researchers at XM Cyber uncovered critical security flaws in Google’s Vertex AI, where default configurations allow low-privileged users to escalate privileges by hijacking Service Agent roles. The vulnerabilities affect Vertex AI Agent Engine and Ray on Vertex AI, enabling attackers to exploit 'confused deputy' scenarios for remote code execution (RCE) and credential theft.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to insecure default configurations",
    "data_compromised": ["LLM memories", "Chat logs", "Cloud Storage (GCS) buckets", "BigQuery data"],
    "operational_impact": "Potential remote code execution (RCE) and credential theft",
    "systems_affected": ["Vertex AI Agent Engine", "Ray on Vertex AI"]
  },
  "lessons_learned": "Default configurations in cloud services like Vertex AI can introduce significant security risks if not proactively managed. Organizations must treat default settings as potential attack surfaces and implement custom security controls.",
  "post_incident_analysis": {
    "corrective_actions": [
      "Implement custom roles with least privilege",
      "Disable insecure default features (e.g., head node shells)",
      "Enhance monitoring for metadata access and RCE attempts"
    ],
    "root_causes": [
      "Insecure default configurations in Vertex AI Service Agents",
      "Overly permissive IAM roles"
    ]
  },
  "recommendations": [
    "Revoke unnecessary Service Agent permissions via custom roles",
    "Disable head node shells in Ray on Vertex AI",
    "Validate tool code before updates in Vertex AI Agent Engine",
    "Monitor metadata access using Security Command Center’s Agent Engine Threat Detection",
    "Audit persistent resources and reasoning engines regularly"
  ],
  "references": [{"source": "XM Cyber Research"}],
  "response": {
    "enhanced_monitoring": "Security Command Center’s Agent Engine Threat Detection",
    "remediation_measures": [
      "Revoking unnecessary Service Agent permissions via custom roles",
      "Disabling head node shells",
      "Validating tool code before updates",
      "Monitoring metadata access via Security Command Center’s Agent Engine Threat Detection",
      "Auditing persistent resources and reasoning engines regularly"
    ]
  },
  "title": "Google Vertex AI Default Configurations Enable Privilege Escalation Attacks",
  "type": "Privilege Escalation",
  "vulnerability_exploited": [
    "Vertex AI Agent Engine Service Agent Hijacking",
    "Ray on Vertex AI Insecure Default Access"
  ]
}