Google Vertex AI Privilege Escalation Flaws Expose Service Agent Trust Model Risks

Listen to this Post

Featured Image

Introduction: A Hidden Risk Inside Managed AI Platforms

Google’s Vertex AI is widely adopted as a secure, managed environment for building and deploying AI workloads at scale. But recent research reveals that beneath its polished abstractions lies a dangerous trust assumption. Two critical privilege escalation pathways show how low-privileged users can quietly seize high-privilege Service Agent identities. These are not misconfigurations made by customers. They are default behaviors, accepted by Google as “working as intended,” and they fundamentally change how security teams should assess risk inside Vertex AI environments.

Overview: Two Paths to the Same Outcome

Security researchers have identified two privilege escalation techniques affecting Vertex AI Agent Engine and Ray on Vertex AI. Both attacks start with minimal permissions and end with project-wide access by hijacking Google-managed Service Agents. The issue is not a single bug, but a structural problem rooted in how trusted service identities are attached to compute resources.

Understanding Service Agents and Why They Matter

Service Agents are Google-managed service accounts designed to allow Vertex AI services to operate automatically. They are granted broad IAM permissions so the platform can function without constant manual intervention. This convenience creates an implicit trust boundary. Once breached, attackers inherit powerful identities that can access storage, AI workloads, and sensitive datasets across the project.

The Double Agent Problem Explained

Both vulnerabilities follow a similar pattern. A low-privileged user interacts with a Vertex AI compute resource, gains execution or shell access, and extracts credentials from the instance metadata service. The attacker’s own permissions remain limited, but the stolen Service Agent token unlocks far greater authority. The result is privilege escalation without exploiting traditional software bugs.

Target One: Vertex AI Agent Engine

The first vulnerability affects the Vertex AI Agent Engine, a service that allows developers to deploy reasoning agents using frameworks such as Google’s Agent Development Kit. Developers upload Python-based logic and tools, while Google abstracts away the underlying infrastructure.

Abuse of Tool Updates for Remote Code Execution

Researchers discovered that a user with the aiplatform.reasoningEngines.update permission can modify an existing reasoning engine and inject malicious Python code into a seemingly harmless tool definition. For example, a basic currency conversion function can be altered to include a reverse shell.

From Tool Execution to Full Control

Once the compromised tool executes, the attacker gains remote code execution on the reasoning engine’s compute instance. From there, accessing the instance metadata service is trivial. The metadata endpoint exposes an access token belonging to the Reasoning Engine Service Agent.

Why the Reasoning Engine Service Agent Is Dangerous

This Service Agent typically has broad permissions across Vertex AI memories, chat sessions, logging services, and Google Cloud Storage buckets. With this token, an attacker can read stored LLM conversations, extract long-term agent memory, and access potentially sensitive data stored in cloud storage.

Target Two: Ray on Vertex AI

The second vulnerability impacts Ray on Vertex AI, Google’s managed integration of the Ray distributed computing framework. Ray clusters are commonly used for large-scale AI training and inference workloads.

Viewer Permissions That Go Too Far

When a Ray cluster is deployed, Google automatically attaches the Custom Code Service Agent to the head node. Researchers found that users with only aiplatform.persistentResources.list and get permissions—permissions included in the read-only Vertex AI Viewer role—can access a head node interactive shell directly from the GCP Console.

Root Shell Access Through the Console

Despite holding only Viewer permissions, the interface exposes a “Head node interactive shell” option. Clicking it grants the user a root shell on the Ray head node. No exploit is required. No warning is shown. This access is presented as a normal feature.

Metadata Service: The Final Step

From the root shell, attackers can query the instance metadata service and retrieve the Custom Code Service Agent token. Although the token is scoped, it still includes full control over Google Cloud Storage, BigQuery read/write access, Pub/Sub usage, and read-only visibility across many cloud services.

Why This Breaks the Security Model

In practice, this means a user labeled as “Viewer” can read and write storage buckets, inspect datasets, and manipulate data pipelines. The traditional assumption that Viewer roles are safe for auditors or analysts no longer holds true in these default configurations.

Google’s Position: Working as Intended

Google has confirmed that these behaviors are intentional. The platform assumes that access to Vertex AI resources implies trust in users interacting with them. From a security standpoint, this shifts responsibility away from the provider and squarely onto customers.

The Broader Risk for Organizations

Many organizations rely on managed AI platforms precisely to reduce security complexity. These findings show that abstraction can hide risk rather than eliminate it. Service Agents effectively become invisible super-users, and any path to their credentials becomes a critical threat.

Why Metadata Services Remain a Prime Target

Cloud instance metadata services are frequently abused in real-world attacks. Once code execution or shell access is achieved, metadata endpoints provide a direct line to credentials. Vertex AI’s design amplifies this risk by attaching high-privilege agents by default.

Operational Impact Beyond AI Systems

The consequences extend beyond AI workloads. With access to storage and BigQuery, attackers can exfiltrate intellectual property, training datasets, logs, and customer data. This turns an AI feature misstep into a full cloud compromise scenario.

Defensive Measures Cannot Be Optional

Because Google does not treat these behaviors as vulnerabilities, customers must proactively redesign their security posture. Relying on default roles and assumptions is no longer sufficient when managed services blur traditional privilege boundaries.

What Undercode Say:

A Structural Trust Failure, Not a Bug

From Undercode’s perspective, this is not a case of overlooked edge cases. It is a systemic issue rooted in excessive trust placed in managed service identities. Service Agents are treated as internal actors, but attackers can reach them with surprisingly little effort.

Default Configurations Are the Real Attack Surface

The most concerning aspect is that no advanced exploitation is required. The attacks rely on default permissions, default console features, and default Service Agent roles. Security teams often harden workloads but leave managed services untouched, assuming they are safe by design.

Viewer Roles Are No Longer Low Risk

The Ray on Vertex AI scenario is particularly alarming. Viewer roles are commonly assigned to auditors, data scientists, and external partners. Granting them root shell access, even indirectly, fundamentally breaks least-privilege principles.

AI Infrastructure Demands Zero-Trust Thinking

As AI platforms become more autonomous, the identities that power them become more valuable targets. Treating Service Agents as untouchable internal components is no longer viable. They must be monitored, restricted, and audited like any other high-value account.

Metadata Monitoring Should Be Mandatory

Any access to instance metadata services should be treated as a high-risk event. Organizations should integrate metadata access logs into their detection pipelines and respond aggressively to suspicious token retrieval attempts.

Managed Does Not Mean Secure

The key lesson is clear. Managed AI services reduce operational burden, but they do not eliminate security responsibility. In some cases, they introduce new, harder-to-see risks that only emerge when attackers think like platform engineers.

Fact Checker Results

Service Agent Privilege Escalation Exists by Design ✅

Viewer Permissions Can Lead to Root Access in Ray Clusters ✅

Google Has Classified These Behaviors as Non-Bugs ❌

Prediction

Expect Increased Scrutiny of Managed AI Platforms 🔍

Organizations Will Begin Restricting Service Agent Permissions Aggressively 🔒

Future Cloud Attacks Will Target AI Control Planes More Directly ⚠️

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.reddit.com/r/AskReddit
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon