Introduction
A privilege escalation vulnerability has been identified in the Google Cloud Platform (GCP) [1] [2] [4], specifically within Cloud Functions and its associated Cloud Build service. This vulnerability, discovered by Tenable Research [2] [4], highlights the risks associated with overly permissive configurations in cloud environments and underscores the importance of continuous security monitoring.
Description
The flaw lies in the deployment process of GCP Cloud Functions: deployments run through the default Cloud Build service account, which previously carried excessive permissions [3]. An attacker able to create or update a Cloud Function could abuse this deployment step to obtain those elevated privileges [3]. The vulnerability has been assigned CVE-2025-4692 [1], with a CVSS v3 base score of 6.8 and a CVSS v4 base score of 5.9 [1].
In response to the vulnerability [3], Google has released a patch that modifies the default behavior of Cloud Build and restricts the permissions of the default service account [3]. The vendor has also removed the vulnerable method that allowed exploitation through a maliciously crafted JSON Web Token (JWT). Users do not need to take any action to receive this patch; however, legitimate users are advised to consider changing their authentication credentials because of a period of exposure that ended on April 19, 2025 [1]. Additionally, new organization policies have been introduced that let organizations control which service account Cloud Build uses by default [3].
To mitigate similar threats [2] [3], organizations are advised to enforce the principle of least privilege for all service accounts [2] [3], eliminate any legacy service accounts [3], and conduct regular audits and monitoring of permissions [2]. It is also crucial to keep cloud services and dependencies updated with the latest security patches. Furthermore, users with access to Cloud Functions should not possess IAM permissions for the services involved in the function’s orchestration [3]. Setting alerts for unexpected changes to Cloud Functions [2], inspecting outgoing traffic for signs of data exfiltration [2], and validating the integrity of third-party NPM packages are also recommended practices. To further enhance security, organizations should minimize network exposure for control system devices [1], isolate them behind firewalls [1], and utilize secure remote access methods such as Virtual Private Networks (VPNs) [1]. This situation underscores the ongoing risks associated with overly permissive configurations and the necessity for continuous security monitoring in cloud environments [2]. CISA provides resources and guidance for cybersecurity best practices [1], including strategies for defending Industrial Control Systems (ICS) assets [1]. No public exploitation of this vulnerability has been reported to date [1].
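Two of the recommendations above can be checked mechanically from a project's IAM policy: whether the default Cloud Build service account still holds a broad role, and whether any principal who can deploy Cloud Functions also holds permissions on the services that orchestrate the deployment. The following script is an added example written for this summary, not code from Google, Tenable or any of the cited sources. It audits a policy document in the shape produced by `gcloud projects get-iam-policy PROJECT --format=json`; the project number, principals and bindings in the sample are constructed, and the choice of which roles count as "broad" and "orchestration" is an assumption made for illustration.

```python
"""Offline audit of a GCP project IAM policy for the risk patterns discussed above.

Assumptions (not from the cited sources): roles/owner and roles/editor are treated
as "broad"; roles/iam.serviceAccountUser and roles/cloudbuild.builds.editor are
treated as "orchestration" permissions that a Cloud Functions deployer should not
also hold.
"""
import json
import re

# Constructed sample policy in the format returned by `gcloud projects get-iam-policy`.
# The project number 123456789012 and the example.com principals are invented.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudfunctions.developer",
         "members": ["user:dev@example.com", "user:ops@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:dev@example.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["user:ops@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:auditor@example.com"]},
    ]
})

# The legacy default Cloud Build service account is named PROJECT_NUMBER@cloudbuild.gserviceaccount.com.
CLOUD_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")
BROAD_ROLES = {"roles/owner", "roles/editor"}
FUNCTION_DEPLOY_ROLES = {"roles/cloudfunctions.developer", "roles/cloudfunctions.admin"}
ORCHESTRATION_ROLES = {"roles/iam.serviceAccountUser", "roles/cloudbuild.builds.editor"}


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}.

    Conditional bindings are folded in unchanged, which is the conservative
    choice for an audit: a role that is sometimes granted is still reported.
    """
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit(policy_json):
    """Return a list of (finding, member, roles) tuples for the two risk patterns."""
    policy = json.loads(policy_json)
    findings = []
    for member, roles in roles_by_member(policy).items():
        # Pattern 1: the default Cloud Build service account holds a broad role.
        if CLOUD_BUILD_SA.match(member) and roles & BROAD_ROLES:
            findings.append(("BROAD_BUILD_SA", member, sorted(roles & BROAD_ROLES)))
        # Pattern 2: a principal can deploy functions AND touch the orchestration services.
        if roles & FUNCTION_DEPLOY_ROLES and roles & ORCHESTRATION_ROLES:
            findings.append(("TOXIC_COMBO", member, sorted(roles & ORCHESTRATION_ROLES)))
    return findings


if __name__ == "__main__":
    for kind, member, roles in audit(SAMPLE_POLICY):
        print(f"{kind}: {member} -> {', '.join(roles)}")
```

Run against a real export, the script is a starting point for the periodic permission audits recommended above: a `BROAD_BUILD_SA` finding means the legacy default service account still carries more than it needs, and a `TOXIC_COMBO` finding identifies a principal whose function-deployment access should be separated from permissions on the build pipeline.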
Conclusion
The discovery of this vulnerability in GCP’s Cloud Functions and Cloud Build service highlights the critical need for stringent security measures in cloud environments. Organizations must prioritize the principle of least privilege, regularly update security patches, and conduct thorough audits to prevent similar vulnerabilities. The proactive steps taken by Google, including patch releases and policy updates, serve as a reminder of the dynamic nature of cybersecurity threats and the importance of vigilance. As cloud services continue to evolve, maintaining robust security practices will be essential to safeguarding sensitive data and infrastructure.
References
[1] https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-01
[2] https://trustcrypt.com/vulnerability-in-google-cloud-functions-raises-significant-security-concerns/
[3] https://blog.talosintelligence.com/duping-cloud-functions-an-emerging-serverless-attack-vector/
[4] https://www.infosecurity-magazine.com/news/flaw-google-cloud-security-concerns/