Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that’s based on Apache Airflow.
“This vulnerability lets attackers with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, which has high-level permissions across GCP services like Cloud Build itself, Cloud Storage, and Artifact Registry,” Liv Matan, senior security researcher at Tenable, said in a report shared with The Hacker News.
The shortcoming has been codenamed ConfusedComposer by the cybersecurity company, describing it as a variant of ConfusedFunction, a privilege escalation vulnerability impacting GCP’s Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner.
The disclosure comes weeks after Tenable detailed another privilege escalation vulnerability in GCP Cloud Run dubbed ImageRunner that could have allowed a malicious actor to access container images and even inject malicious code — creating cascading effects.
Like ImageRunner, ConfusedComposer is another example of the Jenga concept, which causes security issues to be inherited from one service to the other when cloud service providers build new services atop existing ones.
The exploit hinges on the attacker having permission to edit a Cloud Composer environment (i.e., composer.environments.update), which could be exploited to inject a malicious Python Package Index (PyPI) package that’s capable of escalating privileges through Cloud Build.
The attack is made possible due to the fact that Cloud Composer allows users to install custom PyPI packages in their environments, thereby enabling an adversary to execute arbitrary code within the associated Cloud Build instance by using installation scripts inside their malicious package.
“ConfusedComposer is important because it exposes how behind-the-scenes interactions between cloud services can be exploited through privilege escalation,” Matan explained. “In this case, an attacker only needs permission to update a Cloud Composer environment to gain access to critical GCP services like Cloud Storage and Artifact Registry.”
Successful exploitation of the flaw could permit an attacker to siphon sensitive data, disrupt services, and deploy malicious code within CI/CD pipelines. Furthermore, it could pave the way for the deployment of backdoors that can grant persistent access to compromised cloud environments.
Following responsible disclosure by Tenable, Google has addressed the vulnerability as of April 13, 2025, by eliminating the use of the Cloud Build service account to install PyPI packages.
“The environment’s service account will be used instead,” Google said in an announcement on January 15, 2025. “Existing Cloud Composer 2 environments that previously used the default Cloud Build service account will change to using the environment’s service account instead.”
“Cloud Composer 2 environments created in versions 2.10.2 and later already have this change. Cloud Composer 3 environments already use the environment’s service account, and are not impacted by this change.”
The disclosure comes as Varonis Threat Labs uncovered a vulnerability in Microsoft Azure that could have allowed a threat actor with privileged access to an Azure SQL Server to alter configurations in a manner that causes data loss upon admin action. Microsoft has fully remediated the issue as of April 9, 2025, after it was made aware of it on August 5, 2024.
The Destructive Stored URL Parameter Injection vulnerability, the company said, stems from a lack of character limitation for server firewall rules created using Transact-SQL (T-SQL).
“By manipulating the name of server-level firewall rules through T-SQL, a threat actor with privileged access to an Azure SQL Server can inject an implant that, based on specific user actions, deletes arbitrary Azure resources that the user has permissions for,” security researcher Coby Abrams said.
“The impact of a threat actor exploiting this vulnerability could be large-scale data loss in the affected Azure account.”
It also comes as Datadog Security Labs shed light on a bug in Microsoft Entra ID restricted administrative units that could enable an attacker to prevent selected users from being modified, deleted, or disabled, even by a Global Administrator.
“A privileged attacker could have used this bug to protect an account under their control, preventing containment by any Entra ID administrator,” security researcher Katie Knowles said. This included various tasks such as resetting passwords, revoking user sessions, deleting users, and clearing user multi-factor authentication (MFA) methods.
The issue has since been fixed by the Windows maker as of February 22, 2025, following responsible disclosure on August 19, 2024.
In recent weeks, threat actors have been found training their sights on websites hosted on Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances by exploiting Server-Side Request Forgery (SSRF) vulnerabilities to extract metadata information.
“EC2 Instance Metadata is a feature provided by AWS that allows an EC2 instance to access information needed at runtime without needing to authenticate or make external API calls,” F5 Labs researcher Merlyn Albery-Speyer said. “It can expose information such as the public or private IP address, instance ID, and IAM role credentials. Much of this is sensitive data of interest to attackers.”
