Google fixed Cloud Run vulnerability that allowed unauthorized image access through IAM misuse

By Admin | April 2, 2025


02 April 2025Red LakshmananCloud security / vulnerability

Cybersecurity researchers have disclosed details of a privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run that could allow malicious actors to access container images and even inject malicious code.

“Vulnerability can allow such an identity to abuse his audit audit,” noted a report shared with Hacker News.

The cybersecurity company has codenamed the security shortcoming ImageRunner. After responsible disclosure, Google addressed the problem as of January 28, 2025.

Google Cloud Run is a fully managed service for running containerized applications in a scalable, serverless environment. When the technology is used to run a service, the container images are retrieved from Artifact Registry (or Docker Hub) for subsequent deployment by specifying the image URL.


At issue is the fact that there are certain identities that lack container registry permissions but have edit permissions on Google Cloud Run.

Each time a Cloud Run service is deployed or updated, a new revision is created. And each time a Cloud Run revision is deployed, a service agent account is used to pull the necessary images.

“If the attacker gains certain permissions within the victim's project, in particular run.services.update and iam.serviceAccounts.actAs, they can modify a Cloud Run service and deploy a new revision,” Matan explained. “By doing this, they could specify any private container image within the same project for the service to pull.”

Moreover, the attacker can access sensitive or proprietary images stored in the victim's registries, and even introduce malicious instructions that, when executed, can be abused to extract secrets, exfiltrate sensitive data, or even open a reverse shell under their control.

The patch released by Google ensures that the user or service account creating or updating a Cloud Run resource has explicit permission to access the container images.

“The principal (user or service account) creating or updating a Cloud Run resource now needs explicit permission,” Google noted in its Cloud Run notes in January 2025.

“When using Artifact Registry, make sure that the principal has the Artifact Registry Reader (roles/artifactregistry) IAM role on the project or repository containing the container image to deploy.”
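The check below is an added example, not code from Google or Tenable: it scans a project IAM policy for the identities the article describes, those that can update Cloud Run services and act as a service account but hold no Artifact Registry read role. The role-to-permission map is a partial one assumed for illustration, the sample policy and principal names are constructed, and `roles/artifactregistry.reader` is the full ID of the Artifact Registry Reader role.

```python
import json

# Assumption: partial role-to-permission map written for this example. A real
# audit should expand every role (including custom ones) through the IAM API.
DEPLOY_PERMS = {
    "roles/run.developer": {"run.services.update"},
    "roles/run.admin": {"run.services.update"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
}
NEEDED = {"run.services.update", "iam.serviceAccounts.actAs"}
# Predefined Artifact Registry roles that include read access to images.
REGISTRY_READ_ROLES = {
    "roles/artifactregistry.reader", "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin", "roles/artifactregistry.admin",
}

def audit_policy(policy):
    """Return principals that can redeploy Cloud Run services but hold no
    project-level Artifact Registry read role."""
    perms, can_read = {}, set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            perms.setdefault(member, set()).update(DEPLOY_PERMS.get(role, set()))
            if role in REGISTRY_READ_ROLES:
                can_read.add(member)
    return sorted(m for m, p in perms.items() if NEEDED <= p and m not in can_read)

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/run.developer",
   "members": ["user:dev@example.com", "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["user:dev@example.com", "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
  {"role": "roles/artifactregistry.reader",
   "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
  {"role": "roles/run.admin", "members": ["user:ops@example.com"]}
]}
""")

if __name__ == "__main__":
    for principal in audit_policy(SAMPLE_POLICY):
        print("review:", principal)
```

The check reads project-level bindings only; grants made on individual repositories or service accounts, and IAM conditions, need a separate pass.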

Tenable described ImageRunner as an instance of what it calls Jenga, which arises from the interconnected nature of different cloud services and causes security risks.

“Cloud providers build their services on top of their other existing services,” Matan said. “When one service is attacked or compromised, the others built on top of it inherit the risk and become vulnerable.”

“This scenario opens the door for attackers to identify new opportunities for privilege escalation and even vulnerabilities, and also introduces new hidden risks for defenders.”


The disclosure comes a few weeks after Praetorian detailed several ways that a lower-privileged principal can abuse an Azure virtual machine (VM) to gain control over Azure:

  • Execute commands on an Azure VM associated with an administrative managed identity
  • Log in to an Azure VM associated with an administrative managed identity
  • Attach an existing administrative user-assigned managed identity to an existing Azure VM and execute commands in that VM
  • Create a new Azure VM, attach an existing administrative managed identity to it, and execute commands in that VM using data plane actions

“After obtaining the Owner role for a subscription, the attacker may be able to use their extensive control over all subscription resources to find a privilege escalation path to the Entra ID tenant,” security researchers Andrew Chang and Elgin noted.

“This path is predicated on a compute resource in the victim subscription with a service principal with Entra ID permissions, which can allow it to escalate itself to Global Administrator.”
