Google Vertex AI SDK flaw allows remote code execution via bucket squatting

vulnerability · open · Jun 16, 2026 — Jun 16, 2026

Researchers have disclosed a flaw in the Google Vertex AI SDK that lets attackers achieve remote code execution by hijacking model uploads through a bucket squatting technique, according to The Hacker News.

This allows unauthorised code execution whenever a victim loads a compromised model.

The vulnerability stems from predictable naming of Cloud Storage buckets used by the SDK and a missing ownership check when a model is uploaded, as detailed in a Unit 42 analysis published today.

An attacker who can guess the bucket name can create it ahead of time, causing the SDK to write the model artifact into the attacker-controlled bucket.

During the brief interval after a victim initiates an upload, the attacker can swap the legitimate model file with a malicious payload, which the SDK then executes when the model is loaded.

The flaw affects all Vertex AI SDK for Python releases prior to version 1.148.0, which contains the fix that enforces bucket ownership verification.

Unit 42 researchers observed active attempts to hijack model uploads in the wild, although no specific threat actor has been linked to the activity.

The technique requires no credentials from the victim's project, making it a low-effort way for opportunistic actors to poison machine learning pipelines.

Defenders should immediately upgrade the Vertex AI SDK to version 1.148.0 or later, which closes the bucket squatting vector.

Enforcing uniform IAM policies that prohibit unauthenticated bucket creation and enabling audit logs for Cloud Storage will help detect any unexpected buckets appearing in a project.

Organisations should also adopt model signing and integrity checks so that any tampered artifact is rejected before execution.

Integrating these verification steps into continuous integration pipelines reduces the window for attackers to inject malicious code.
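
The integrity check recommended above can be sketched as follows. This is an added example, not code from the Vertex AI SDK or from Unit 42. It assumes a hypothetical `fetch` callable that returns the artifact bytes, a MAC key held outside the bucket (for example as a CI secret), and HMAC-SHA256 standing in for a real signature scheme; the in-memory `bucket` and its contents are constructed sample data.

```python
import hashlib
import hmac
import json

def _mac(body, key):
    # Canonical JSON so the build side and the load side MAC identical bytes.
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def make_manifest(name, data, key):
    """Build side: record name, size and SHA-256 of the artifact, then MAC the record."""
    body = {"name": name, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    return {"body": body, "hmac": _mac(body, key)}

def verify_bytes(name, data, manifest, key):
    """Return 'ok', 'bad-manifest' or 'mismatch' for the exact bytes about to be loaded."""
    try:
        body = manifest["body"]
        if not hmac.compare_digest(_mac(body, key), manifest["hmac"]):
            return "bad-manifest"          # manifest forged or edited without the key
        digest = hashlib.sha256(data).hexdigest()
        if body["name"] != name or body["size"] != len(data):
            return "mismatch"
        return "ok" if hmac.compare_digest(digest, body["sha256"]) else "mismatch"
    except (KeyError, TypeError):
        return "bad-manifest"              # missing or wrongly typed fields: fail closed

def load_verified(fetch, name, manifest, key, loader):
    """Fetch once, verify those bytes, and only then hand them to the deserializer."""
    data = fetch(name)                     # single read: no check-then-reopen window
    status = verify_bytes(name, data, manifest, key)
    if status != "ok":
        raise ValueError(f"refusing to load {name}: {status}")
    return loader(data)

if __name__ == "__main__":
    key = b"constructed-demo-key-from-ci-secret"
    bucket = {"model.bin": b'{"weights": [1, 2, 3]}'}   # stands in for Cloud Storage
    manifest = make_manifest("model.bin", bucket["model.bin"], key)
    print(load_verified(bucket.get, "model.bin", manifest, key, json.loads))
    bucket["model.bin"] = b'{"weights": "swapped"}'      # artifact replaced after upload
    try:
        load_verified(bucket.get, "model.bin", manifest, key, json.loads)
    except ValueError as err:
        print(err)
```

The manifest must travel by a path the bucket owner cannot write to; storing it beside the artifact in the same bucket gives no protection against a squatted bucket.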

Intelligence briefing updated Jun 16, 2026
