Exploits

Critical Blind Spot Found in Google Vertex AI Agents

Published  ·  3 min read

Palo Alto Networks Unit 42 discovered a major vulnerability in Google Cloud's Vertex AI that could concern legitimacy of artificial intelligence (AI) agents by providing for a way to convert legitimate artificial intelligence agents into illegal "double agents" through having an attacker compromise the security of AI agents by exploiting the existing permissions within the Per-Project, Per-Product Service Agent (P4SA) model as applied by Vertex AI's Agent Development Kit (ADK) and where each deployed AI agent has the same P4SA (service agent) for the Customer's project and rent the Customer's Project as a whole. 

There is a large degree for any deployed AI agent because the P4SA's permissions are defined too broadly for the permissions assigned to each and would permit any agent to be compromised and/or maliciously configured and be able to utilize the compromised or poorly configured agent to seek out and access the sensitive information and infrastructure that is located within the customer’s Google Cloud environment.

According to Unit 42 researcher Ofir Shaty, once an AI agent is deployed, any interaction with it can trigger a call to Google’s metadata service. Research teams were able to escape the isolated execution context of the AI agents through the use of these stolen credentials thus gaining broad read access to Google Cloud Storage Buckets within the customer project . In some instances, these credentials also provided access to Google’s internal tenant projects and restricted Artifact Registry repositories that contained the container images used by the Vertex AI Reasoning Engine.

While the extracted credentials did not provide full write access to every exposed resource, the extent of unintended visibility available is alarming. An attacker would have the potential ability to map out internal infrastructure, find proprietary code and use it as a guide for future attacks. 

“This level of access constitutes a significant security risk, transforming the AI agent from a helpful tool into a potential insider threat,” Unit 42 warned.

To provide more clarity regarding how Vertex AI manages resources, accounts, and agents, Google has revised its official documentation accordingly. The updated documentation now includes clear instructions for end-users about moving away from using the default service agent but rather deploying their own service account (known as BYO Service Account). By adhering to the principle of least-privilege (PoLP), organizations can limit how much access an agent has to the resources needed to perform their function. 

The Following highlights and recommendations: 
1. All default agents in Vertex AI are over-permissioned, which violates one of the core principles of security in computing.
2. AI is treated equally as production code, as equally as strict in terms of security.
3. Use Bring Your Own Service Account (BYOSA) for any deployment of agents.
4. Maintain strict limits on OAuth scopes and review agent permissions frequently.
5. Perform thorough security testing prior to deploying AI agents into the production environment.

As AI agents become increasingly embedded within enterprise workflows, the security for these products needs to be adequately maintained. If an agent has misconfigured settings with abundant permission levels, it can quickly become a prime candidate for attackers to utilize to gain access throughout an entire cloud environment.

If your organization has built or deployed an agent via Google Vertex AI, now is a great time to evaluate your existing architectures and migrate toward least-privilege service accounts. It is likely that your organization will incur heavy costs due to misassumptions of the safety of using default configurations as the landscape for AI security is constantly changing.

Source: The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067