Agentic Intelligence · Infomly
Jun 19, 2026
2:02 AM
Enterprise AI Impact

Google Vertex AI had a flaw that let attackers hijack any model upload and execute code in your cloud

Unit 42 just disclosed a vulnerability in Google Cloud's Vertex AI SDK for Python that should terrify every CISO running ML pipelines on GCP.

The attack required zero access to your project.

No social engineering. No compromised credentials. No misconfiguration on your end.

Here is how it worked:

The SDK derived a predictable default bucket name from your project ID and region. It checked whether that bucket existed — but never checked who owned it.

An attacker who knew your project ID (typically public) created that bucket in their own account. When your developers uploaded a model without specifying a staging bucket, the SDK silently sent it to the attacker's bucket.
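The existence-versus-ownership distinction above, as an added Python illustration (not the Vertex AI SDK's code and not Unit 42's): an "exists-only" resolver beside a resolver that also compares the bucket's owning project number with ours. The bucket naming scheme, the project numbers and the in-memory registry are constructed stand-ins (the post does not reproduce the SDK's real scheme); the one real fact relied on is that Cloud Storage bucket metadata carries the owning project's number, and the live lookup helper assumes the google-cloud-storage client's `lookup_bucket()` and `Bucket.project_number`.

```python
"""Added example, not SDK or Unit 42 code: "the bucket exists" is not the
same check as "the bucket is ours".

Assumptions: default_bucket_name() is a constructed placeholder scheme,
``registry`` stands in for Cloud Storage bucket metadata, and project
numbers are made up for the demo."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BucketMeta:
    name: str
    project_number: str  # owner, as exposed in GCS bucket metadata (projectNumber)


class BucketNotOwnedError(RuntimeError):
    """The default-named bucket exists but belongs to another project."""


def default_bucket_name(project_id: str, location: str) -> str:
    # Constructed placeholder: derived only from a (usually public) project id
    # and a region, which is what makes such a default guessable.
    return f"{project_id}-{location}-vertex-staging"


def resolve_existence_only(project_id: str, location: str,
                           registry: dict) -> Optional[str]:
    """Mirrors the flawed logic the post describes: existence is checked,
    ownership is not, so a bucket pre-created in a stranger's project is used."""
    name = default_bucket_name(project_id, location)
    return name if name in registry else None  # None: SDK would create it


def resolve_with_ownership(project_id: str, location: str,
                           my_project_number: str, registry: dict) -> Optional[str]:
    """Hardened resolution: an existing bucket is used only when its owning
    project number matches ours; a mismatch is a hard failure, not a fallback."""
    name = default_bucket_name(project_id, location)
    meta = registry.get(name)
    if meta is None:
        return None
    if meta.project_number != my_project_number:
        raise BucketNotOwnedError(
            f"{name} exists but is owned by project number "
            f"{meta.project_number}, not {my_project_number}")
    return name


def fetch_bucket_meta(name: str) -> Optional[BucketMeta]:
    """Live lookup for real use (not exercised offline). Assumed client API:
    Client.lookup_bucket() returns None for a missing bucket and
    Bucket.project_number holds the owning project's number."""
    from google.cloud import storage  # deferred so the demo runs offline
    bucket = storage.Client().lookup_bucket(name)
    if bucket is None:
        return None
    return BucketMeta(name=bucket.name, project_number=str(bucket.project_number))


def foreign_owner_scenario() -> dict:
    """Constructed scenario: our project number is 123456; a foreign project
    (999999) already holds the bucket our default scheme would choose."""
    project_id, location = "acme-ml-prod", "us-central1"
    name = default_bucket_name(project_id, location)
    registry = {name: BucketMeta(name, "999999")}
    result = {"existence_only": resolve_existence_only(project_id, location, registry)}
    try:
        resolve_with_ownership(project_id, location, "123456", registry)
        result["ownership_check"] = "accepted"
    except BucketNotOwnedError:
        result["ownership_check"] = "rejected"
    return result


if __name__ == "__main__":
    print(foreign_owner_scenario())
```

Running the scenario shows the existence-only resolver happily returning the foreign bucket while the ownership-aware one refuses; the same comparison is what a pipeline should do before it ever writes a model artifact to a bucket it did not explicitly configure.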

The attacker had 2.5 seconds to swap your legitimate model for a malicious one.

Their Cloud Function fired in 800 milliseconds. The swap was complete before Google's service agent even read the file.

The payload relied on Python's pickle format: deserializing a pickle executes whatever code is embedded in it, a long-documented property, so simply loading the model was enough to run the attacker's code. Once your model deployed, that code ran inside Google's managed infrastructure.

What did they get?

A service account token with cloud-platform scope. The broadest possible access in Google Cloud.

With that token, Unit 42 read other deployments' model artifacts, enumerated every BigQuery dataset and table schema, and mapped internal GKE infrastructure — all from a single poisoned model upload.

Google patched this in April. The fix randomizes bucket names and adds ownership verification.

But here is the problem: the disclosure landed June 16. That means enterprises running older SDK versions had a two-month window where this was silently exploitable.

Audit your google-cloud-aiplatform version today. If you are on 1.139.0 or 1.140.0, you were vulnerable. Upgrade to 1.148.0 or later immediately.

And stop trusting SDK defaults for anything that touches your model pipeline. Always set an explicit staging_bucket parameter. The convenience of defaults just became your biggest attack surface.
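The two actions above (audit the installed SDK version, never rely on the default staging bucket) as one added Python example; this is not Google's or Unit 42's code. It uses only the versions the post names: 1.139.0 and 1.140.0 are reported as vulnerable, 1.148.0 and later as fixed, and anything else older than 1.148.0 is reported as "below_fixed" rather than guessed at. `aiplatform.init(project=, location=, staging_bucket=)` is the real SDK entry point; its import is deferred so the audit itself runs offline, and the package name `google-cloud-aiplatform` comes from the post.

```python
"""Added example (not Google's or Unit 42's code): audit the installed
google-cloud-aiplatform version and refuse to initialise the SDK without
an explicit staging bucket."""
import re
from importlib import metadata
from typing import Optional

PACKAGE = "google-cloud-aiplatform"
VULNERABLE = {(1, 139, 0), (1, 140, 0)}  # versions the post names as vulnerable
FIXED_MIN = (1, 148, 0)                  # "upgrade to 1.148.0 or later"


def parse_version(text: str) -> tuple:
    """'1.148.0' -> (1, 148, 0); pre-release or local suffixes are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(version_text: str) -> str:
    """Map a version string to the post's statements about it."""
    v = parse_version(version_text)
    if v in VULNERABLE:
        return "vulnerable"
    if v >= FIXED_MIN:
        return "fixed"
    return "below_fixed"  # not named by the post, but older than the fix


def installed_version() -> Optional[str]:
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None


def audit() -> dict:
    v = installed_version()
    return {"package": PACKAGE, "installed": v,
            "status": "not_installed" if v is None else classify(v)}


def is_explicit_bucket(staging_bucket: Optional[str]) -> bool:
    """An explicit staging bucket is a non-empty gs:// URI the caller chose."""
    return bool(staging_bucket) and staging_bucket.startswith("gs://")


def require_explicit_staging_bucket(staging_bucket: Optional[str]) -> str:
    """Fail closed: the pipeline never lets the SDK derive a default bucket."""
    if not is_explicit_bucket(staging_bucket):
        raise ValueError("staging_bucket must be an explicit gs:// URI you own")
    return staging_bucket


def hardened_init(project: str, location: str, staging_bucket: Optional[str]) -> None:
    """Initialise the SDK only on a fixed version and only with an explicit
    bucket (live call, not exercised offline). Policy choice: anything older
    than the fixed release is refused, not just the two named versions."""
    bucket = require_explicit_staging_bucket(staging_bucket)
    status = audit()["status"]
    if status != "fixed":
        raise RuntimeError(f"refusing to run: {PACKAGE} status={status}")
    from google.cloud import aiplatform  # deferred import
    aiplatform.init(project=project, location=location, staging_bucket=bucket)


if __name__ == "__main__":
    print(audit())
```

Run `audit()` in CI for every pipeline image; wiring `hardened_init()` in place of a bare `aiplatform.init()` makes a missing `staging_bucket` a build failure instead of a silent default.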