Google Vertex AI flaw let attackers poison models and run code

Researchers at Palo Alto Networks' Unit 42 have disclosed a flaw in Google's Vertex AI that let an attacker, working entirely from their own Google Cloud account, quietly hijack another organization's machine learning model upload, swap in a booby-trapped version, and run their own code deep inside the victim's AI infrastructure, all with no prior access to the target. Google has since fixed it.

The weakness sat in the Vertex AI software development kit (SDK) for Python, a library many enterprises use to build and deploy AI models. When a developer uploads a model without naming a storage location, the SDK builds a default "staging bucket" name from the project ID and region, a predictable pattern like my-project-vertex-staging-us-central1.

How the attack works

Cloud Storage bucket names are globally unique: no two buckets anywhere in Google Cloud can share a name. Unit 42 abused that with a technique called bucket squatting: an attacker who knows the victim's project ID, which is often publicly discoverable, pre-creates that exact bucket in their own account. The SDK only checked whether the bucket already existed, not who owned it, so the victim's model files uploaded straight into the attacker's bucket without any warning.

From there it became a race. The attacker wired a serverless function to fire the instant a model landed, giving them roughly a 2.5-second window to replace the legitimate file before Google's service read it. The swapped-in model abused pickle, a common Python format for saving models that runs whatever code it contains the moment it is loaded. When the victim deployed their model, the malicious code executed inside Google's serving infrastructure and lifted an access token belonging to a service account in Google's managed tenant project. That token carried the broadest possible cloud permissions, opening the door to stealing model artifacts from other deployments in the same tenant project, enumerating BigQuery datasets, and mapping Google's internal tenant infrastructure.

What is affected and what to do

The flaw affected the google-cloud-aiplatform SDK versions 1.139.0 and 1.140.0. After Unit 42 reported it through Google's Vulnerability Reward Program in March, Google shipped two fixes: version 1.144.0 added a random value to the bucket name, and version 1.148.0 added a proper ownership check. Teams using Vertex AI should upgrade to 1.148.0 or later, explicitly set a private staging bucket when uploading models, and treat pickle and joblib model files as executable code rather than inert data.
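As an added illustration, not code from the Vertex AI SDK or from Unit 42, here is a minimal model of the staging-bucket decision: the existence-only check the vulnerable versions made, beside the ownership check and random suffix the fixes introduced. The `lookup` callback, the metadata shape it returns, the project numbers and the exact suffix format are assumptions; the predictable name pattern is the one quoted above.

```python
import secrets


def default_staging_bucket_name(project_id: str, region: str, randomize: bool = False) -> str:
    """Default name derived when no staging bucket is given.

    The predictable form is the pattern quoted in the article; the random
    suffix mirrors the first fix (the real SDK's format is an assumption).
    """
    name = f"{project_id}-vertex-staging-{region}"
    if randomize:
        name += "-" + secrets.token_hex(4)
    return name


class ForeignBucketError(Exception):
    """The staging bucket exists but is owned by another project."""


def resolve_staging_bucket(name, lookup, own_project_number, check_owner=True):
    """Decide whether `name` is safe to stage model files in.

    `lookup(name)` stands in for a storage client call: it returns a dict
    holding the bucket's owning `project_number`, or None if no bucket exists.
    Returns "create" when the bucket must be created, "use" when it exists and
    belongs to us. check_owner=False reproduces the vulnerable existence-only
    logic, which trusts any bucket that happens to carry the expected name.
    """
    meta = lookup(name)
    if meta is None:
        return "create"
    if not check_owner:
        return "use"  # vulnerable: a squatted bucket is accepted silently
    if meta["project_number"] != own_project_number:
        raise ForeignBucketError(
            f"{name} is owned by project {meta['project_number']}, not {own_project_number}"
        )
    return "use"


# Constructed scenario (assumed values): the predictable name was squatted
# by a bucket in a different project before the victim uploaded anything.
VICTIM_PROJECT_ID, VICTIM_PROJECT_NUMBER, REGION = "acme-ml", 111, "us-central1"
SQUATTED = default_staging_bucket_name(VICTIM_PROJECT_ID, REGION)
FAKE_BUCKETS = {SQUATTED: {"project_number": 999}}


def fake_lookup(name):
    return FAKE_BUCKETS.get(name)
```

With `check_owner=False` the squatted name resolves to "use", with the check on it raises `ForeignBucketError`, and a randomized name resolves to "create" because nobody could have pre-registered it.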

The research was published by Unit 42's Ori Hadad. It is the latest reminder that cloud AI platforms inherit old infrastructure weaknesses, echoing recent findings on exposed AI tool servers leaking cloud keys and remote code execution in popular AI agent frameworks.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
