Critical Looker Vulnerability: CVE-2025-12741 Allows Command Execution via Malicious LookML

Overview

A significant security vulnerability, identified as CVE-2025-12741, has been discovered in Looker. This vulnerability could allow a Looker user with the Developer role to create a database connection using the Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Both Looker-hosted and self-hosted instances were vulnerable.

Good news for Looker-hosted users: this issue has already been mitigated on those instances. No further action is required.

However, users with self-hosted Looker instances are strongly advised to upgrade to a patched version as soon as possible.

Technical Details

CVE-2025-12741 arises from the combination of the Denodo driver and LookML manipulation. A Looker user holding the Developer role can create a database connection that uses the Denodo driver and then craft LookML that causes Looker to run an attacker-chosen command. The root cause lies in how Looker processes LookML for connections that use the Denodo driver: malicious LookML can bypass the intended safeguards and lead to arbitrary command execution on the underlying system.

CVSS Analysis

At the time of writing, no CVSS score or severity has been published (N/A) for CVE-2025-12741. The missing score should not be read as low risk: the ability to execute arbitrary commands makes this a critical vulnerability that warrants immediate attention and patching.

Possible Impact

The exploitation of CVE-2025-12741 could have severe consequences, including:

  • Data Breach: Unauthorized access to sensitive data stored within the Looker environment and connected databases.
  • System Compromise: Execution of malicious commands can lead to full system compromise, allowing attackers to install malware, create backdoors, or disrupt services.
  • Reputational Damage: A successful attack can severely damage the reputation of an organization using Looker.

Mitigation and Patch Steps

The primary mitigation is to upgrade self-hosted Looker instances to a patched version; Looker-hosted instances are already protected. The following versions contain the fix:

  • 24.12.108+
  • 24.18.200+
  • 25.0.78+
  • 25.6.65+
  • 25.8.47+
  • 25.12.10+
  • 25.14+

You can download these versions from the Looker download page: https://download.looker.com/

Important: Apply the upgrade as soon as possible to minimize the risk of exploitation.
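Because the fix is backported to several release branches, a simple "is my version newer than X" check is not enough: 25.6.64 is vulnerable even though it is numerically higher than 24.12.108, which is patched. The script below, an added example that is not part of the advisory or of Looker's own tooling, encodes the patched versions listed above and classifies a version string against its own branch. It assumes Looker version strings are dotted numerics of the form major.minor.patch (or major.minor), and it treats any release branch the advisory does not list as lacking a fixed build, so such instances are reported as needing an upgrade to a listed branch. The inventory at the bottom is constructed sample data, not real hosts.

```python
"""Classify self-hosted Looker versions against the CVE-2025-12741 fixed releases."""

from __future__ import annotations

# Minimum patched build per release branch, taken from the advisory's list.
# (major, minor) -> minimum patch number
FIXED_BY_BRANCH = {
    (24, 12): 108,
    (24, 18): 200,
    (25, 0): 78,
    (25, 6): 65,
    (25, 8): 47,
    (25, 12): 10,
}
# The advisory lists "25.14+", so every branch from 25.14 onward ships with the fix.
FIXED_FROM_BRANCH = (25, 14)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '25.6.64' or '25.14' into (major, minor, patch); a missing patch is 0.

    Anything that is not two or three dotted integers raises ValueError, so a
    malformed inventory entry never silently passes as "patched".
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Looker version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_patched(text: str) -> bool:
    """True if the version is at or above the fixed build for its own branch."""
    major, minor, patch = parse_version(text)
    if (major, minor) >= FIXED_FROM_BRANCH:
        return True
    minimum = FIXED_BY_BRANCH.get((major, minor))
    if minimum is None:
        # Assumption: a branch the advisory does not list has no fixed build,
        # so it is treated as unpatched and must move to a listed branch.
        return False
    return patch >= minimum


def assess(text: str) -> str:
    """Return a one-line status for a version string."""
    major, minor, _patch = parse_version(text)
    if is_patched(text):
        return f"{text}: patched for CVE-2025-12741"
    minimum = FIXED_BY_BRANCH.get((major, minor))
    if minimum is None:
        return f"{text}: branch {major}.{minor} has no listed fix; upgrade to a patched branch"
    return f"{text}: vulnerable; upgrade to {major}.{minor}.{minimum} or later"


if __name__ == "__main__":
    # Constructed sample inventory of self-hosted instances (not real hosts).
    inventory = {
        "looker-prod-1": "25.6.64",
        "looker-prod-2": "25.6.65",
        "looker-dev": "24.12.107",
        "looker-new": "25.14.3",
        "looker-old": "24.14.40",
    }
    for host, version in inventory.items():
        print(f"{host:14} {assess(version)}")
```

The branch-aware comparison is the point: `is_patched` first checks whether the branch is at or past 25.14, then looks up the branch-specific minimum build, and only then compares the patch number. Feed it the version strings from your own instance inventory to find which hosts still need the upgrade.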

References

Published: 2025-11-24T12:15:45.957