Privilege Escalation Bug in Google Vertex AI Grants Service Agent Access to Low-Privilege Users
The flaws affect the Vertex AI Agent Engine and Ray on Vertex AI, where default configurations create pathways for attackers to transform “Viewer” permissions into project-wide access.
Google confirmed the services are “working as intended,” meaning these risks remain active in default deployments today.
Service Agents are special service accounts managed by Google Cloud that allow Vertex AI services to access resources and perform internal operations.
These managed identities automatically receive broad, project-wide permissions. The discovered attack vectors exploit this trust model by allowing low-privileged users to extract Service Agent credentials and pivot into higher-privilege contexts.
Both vulnerabilities follow a similar pattern: an attacker with minimal permissions interacts with Vertex AI compute instances, achieves code execution or direct access, and then extracts the attached Service Agent’s credentials from the instance metadata service.
While the initial user possesses limited rights, the hijacked Service Agent often holds extensive project permissions for storage, AI services, and data access.
| Feature | Vertex AI Agent Engine | Ray on Vertex AI |
|---|---|---|
| Primary Target | Reasoning Engine Service Agent | Custom Code Service Agent |
| Vulnerability Type | Malicious Tool Call (RCE) | Insecure Default Access (Viewer to Root) |
| Initial Permission Required | aiplatform.reasoningEngines.update | aiplatform.persistentResources.get/list |
| Attack Vector | Inject Python reverse shell in tool code | Access head node shell via GCP Console |
| Impact | Access to LLM memories, chat sessions, GCS buckets | Root access to Ray cluster; Read/Write BigQuery & GCS |
The first attack targets the Vertex AI Agent Engine, which allows developers to deploy AI agents on GCP infrastructure.
Using frameworks like Google’s Agent Development Kit (ADK), developers upload Python code to reasoning engines, which abstract compute instances that process agent logic and tool calls.
Researchers discovered that an attacker with aiplatform.reasoningEngines. An update permission can inject malicious code into tool definitions by updating an existing reasoning engine with a Python reverse shell embedded in a standard function, such as a currency conversion function.
When the malicious tool executes, the attacker gains remote code execution on the reasoning engine instance.
From there, they access the instance metadata service to retrieve the access token for the “Reasoning Engine Service Agent” (service-<project_id>@gcp-sa-aiplatform-re.iam.gserviceaccount.com).
This Service Agent holds permissions for Vertex AI memories and sessions, storage buckets, and logging services. Attackers can read all chat sessions, LLM memories, and potentially sensitive data stored in Google Cloud Storage buckets.
The second vulnerability affects Ray on Vertex AI. This feature integrates Ray library functionality with GCP infrastructure for scalable AI workloads.
When a Ray cluster deploys, Google automatically attaches the “Custom Code Service Agent” to the cluster’s head node.
Researchers from XM Cyber discovered that users with only aiplatform.persistentResources.list and aiplatform.persistentResources.Get permissions: Standard permissions included in the read-only “Vertex AI Viewer” role allow connecting to the head node via the GCP Console and obtaining root shell access.
Despite holding only Viewer permissions, the GCP interface exposes a “Head node interactive shell” link that grants an interactive shell with root privileges.
From this elevated position, attackers query the metadata service to extract the Custom Code Service Agent’s access token.
While this token has a limited IAM operation scope, it retains complete control over storage (devstorage.full_control), BigQuery, Pub/Sub, and read-only access across the cloud platform.
This allows a “Viewer” to read and write to storage buckets, logs, BigQuery datasets, and other sensitive resources.
Since Google considers these configurations intentional, platform engineers and security teams must take immediate action.
Remove unnecessary Service Agent permissions by creating custom roles with minimal required privileges.
Disable head node shell access for Ray clusters and validate all tool code before updating reasoning engines.
Monitor metadata service accesses using Google Security Command Center’s Agent Engine Threat Detection, which can flag suspicious attempts at remote code execution and token extraction.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
The post Privilege Escalation Bug in Google Vertex AI Grants Service Agent Access to Low-Privilege Users appeared first on Cyber Security News.
On Friday afternoon, Donald Trump posted on Truth Social, accusing Anthropic, the AI company behind…
For years, taking down a botnet meant finding its command-and-control (C2) server, seizing the domain,…
A Go-based command-and-control (C2) framework originally marketed within Chinese-speaking offensive security communities has been quietly…
A newly discovered malware campaign has been quietly targeting educational institutions and healthcare organizations across…
New filings announced last week aim to stop the Trump administration from further restricting federal…
Bluepoint, the studio behind the successful Shadow of the Colossus and Demon's Souls remakes, reportedly…
This website uses cookies.