www.securityweek.com 4/1/2026, 7:57:50 AM · via preferred

Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents

Google Cloud Platform’s Vertex AI has been shown to contain security issues after researchers weaponised AI agents. Palo Alto Networks disclosed that the Vertex Agent Engine and the Agent Development Kit can be hijacked to become double agents capable of exfiltrating data, creating backdoors, and compromising infrastructure.

The main flaw centres on the Per-Project, Per-Product Service Agent (P4SA), a service account tied to user-deployed AI agents that Palo Alto Networks says has excessive default permissions. These permissions could be abused to obtain a GCP service agent’s credentials and move from the AI agent’s execution context into the owner’s project and its data storage.

“This level of access constitutes a significant security risk, transforming the AI agent from a helpful tool into an insider threat,” the Palo Alto Networks researchers explained. They demonstrated that a compromised P4SA could grant attackers unrestricted access to the Vertex AI-hosting project, enabling downloads of container images from private repositories and access to restricted Artifact Registry repositories and Google Cloud Storage buckets containing potentially sensitive information.

The researchers also found a file that could be manipulated for remote code execution within the agent’s environment, potentially providing a powerful backdoor. Google has addressed the issue by revising its documentation and by recommending Bring Your Own Service Account to secure Agent Engine and enforce least-privilege execution. Google also noted that strong, non-overridable controls are in place to prevent service agents from altering production images.

Article by CyberSIXT