Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents
Palo Alto researchers weaponize Google Vertex AI agents, exposing excessive service account permissions and insider
Summary
Palo Alto Networks researchers demonstrated how AI agents built on Google Cloud's Vertex AI platform could be compromised and weaponized as 'double agents' to exfiltrate data, create backdoors, and compromise infrastructure. The core vulnerability stems from excessive default permissions in the Per-Project, Per-Product Service Agent (P4SA), which could be abused to gain unrestricted access to GCP projects, container repositories, and sensitive storage. Google has addressed the issues through documentation updates and recommends using Bring Your Own Service Account (BYOSA) to enforce least-privilege execution.
Full text
Palo Alto Networks has shared details about how its researchers weaponized AI agents built on Google Cloud’s Vertex AI development platform. The research focused on the Vertex Agent Engine and the Agent Development Kit (ADK), which enable developers to create, deploy, manage, and scale AI agents.

The Palo Alto Networks researchers found that these agents could be compromised by attackers and turned into ‘double agents’, enabling various types of malicious activities, including exfiltrating data, creating backdoors, and compromising infrastructure.

One of the main issues uncovered by the researchers concerns the Per-Project, Per-Product Service Agent (P4SA), which is associated with the user-deployed AI agent. A service agent is a service account that enables Google Cloud Platform (GCP) services to access resources. The problem, according to Palo Alto, is that P4SA has excessive permissions by default.

The company’s researchers showed that these permissions could be abused to obtain a GCP service agent’s credentials and leverage them to move from the AI agent’s execution context into the owner’s project and the associated data storage.

“This level of access constitutes a significant security risk, transforming the AI agent from a helpful tool into an insider threat,” the researchers explained.

In addition, they showed how an attacker could abuse the compromised P4SA credentials to gain unrestricted access to the Google project that hosts Vertex AI. An attacker could use this access to download container images from private repositories.

“These images form the core of the Vertex AI Reasoning Engine. Gaining access to this proprietary code not only exposes Google’s intellectual property, but also provides an attacker with a blueprint to find further vulnerabilities,” the researchers noted.
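The defensive check that follows from this finding, and from the Bring Your Own Service Account recommendation later in the article, is to audit which roles the identity an agent actually runs as holds in the project, and to confirm that identity is one the project owner controls rather than a Google-managed service agent. The script below is an added example written for this article, not code from Palo Alto Networks or Google: it reads an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` exports, lists the roles bound to a given service account, and flags anything outside an explicit allowlist. The policy, project ID, service account e-mails and allowlist are constructed sample values; the `@PROJECT_ID.iam.gserviceaccount.com` test for a user-managed account is the standard naming form and is used here as a heuristic, not as a statement about any particular Vertex AI service agent.

```python
"""Audit the IAM roles granted to an AI agent's runtime identity.

Added example (not from the article or from Google/Palo Alto Networks).
Input is a project IAM policy dict in the shape exported by
`gcloud projects get-iam-policy PROJECT --format=json`.
"""
import json

# GCP basic roles: project-wide grants a least-privilege identity should never hold.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# --- Constructed sample data (not real identities or a real policy) ---------
PROJECT_ID = "example-project"
MANAGED_AGENT = "service-000000000000@gcp-sa-example.iam.gserviceaccount.com"  # hypothetical service agent
RUNTIME_SA = "agent-runtime@example-project.iam.gserviceaccount.com"          # hypothetical BYOSA identity
SAMPLE_POLICY = json.loads(json.dumps({
    "version": 1,
    "bindings": [
        {"role": "roles/editor",
         "members": [f"serviceAccount:{MANAGED_AGENT}"]},
        {"role": "roles/aiplatform.user",
         "members": [f"serviceAccount:{RUNTIME_SA}", "user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": [f"serviceAccount:{RUNTIME_SA}"],
         "condition": {"title": "agent-data-bucket-only",
                       "expression": "resource.name.startsWith('projects/_/buckets/agent-data')"}},
        {"role": "roles/artifactregistry.reader",
         "members": [f"serviceAccount:{RUNTIME_SA}"]},
    ],
}))
# Roles the agent genuinely needs (constructed allowlist for the sample).
ALLOWED_ROLES = {"roles/aiplatform.user", "roles/storage.objectViewer",
                 "roles/artifactregistry.reader"}


def roles_for_member(policy, member):
    """Return every role bound to `member` (e.g. 'serviceAccount:x@y').

    Conditional bindings are counted as granted: an audit should over-report
    rather than assume a condition never matches.
    """
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def is_user_managed(email, project_id):
    """Heuristic: user-managed service accounts are named NAME@PROJECT_ID.iam.gserviceaccount.com."""
    return email.endswith(f"@{project_id}.iam.gserviceaccount.com")


def service_account_members_with_basic_roles(policy):
    """List service-account members holding any basic role (owner/editor/viewer)."""
    found = set()
    for b in policy.get("bindings", []):
        if b["role"] in BASIC_ROLES:
            found.update(m for m in b.get("members", []) if m.startswith("serviceAccount:"))
    return sorted(found)


def audit_agent_identity(policy, email, project_id, allowed_roles):
    """Report granted vs. allowed roles for one identity and whether it meets least privilege."""
    granted = roles_for_member(policy, f"serviceAccount:{email}")
    excess = granted - set(allowed_roles)
    user_managed = is_user_managed(email, project_id)
    return {
        "identity": email,
        "user_managed": user_managed,
        "granted": sorted(granted),
        "excess": sorted(excess),
        "basic_roles": sorted(granted & BASIC_ROLES),
        "least_privilege": user_managed and not excess,
    }


if __name__ == "__main__":
    for identity in (MANAGED_AGENT, RUNTIME_SA):
        print(json.dumps(audit_agent_identity(SAMPLE_POLICY, identity, PROJECT_ID, ALLOWED_ROLES), indent=2))
    print("service accounts with basic roles:", service_account_members_with_basic_roles(SAMPLE_POLICY))
```

Run against a real export, the two questions to ask are the ones the research raises: does the identity the agent executes as hold a basic role or any role beyond what the agent's task requires, and is that identity one you created and can scope (the BYOSA case) rather than a platform-managed service agent whose default grants you do not control.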
They also found that the compromised credentials could be used to access restricted Artifact Registry repositories containing other images that could be useful to attackers, as well as Google Cloud Storage buckets containing potentially sensitive information.

The researchers also came across a file that an attacker may be able to manipulate for remote code execution within the agent’s environment. A threat actor could use this to create a powerful and persistent backdoor.

Palo Alto has shared its findings with Google, and the tech giant has addressed the issue by revising its documentation to point out potential risks. Google also recommends using Bring Your Own Service Account (BYOSA) to secure Agent Engine and ensure least-privilege execution. BYOSA enables Agent Engine users to enforce the principle of least privilege, granting the agent only the permissions it requires to function.

Additionally, Google noted that strong, non-overridable controls are in place to prevent service agents from altering production images.

Written By Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek.
Indicators of Compromise
- technique — Double Agent (compromise of a deployed AI agent via excessive service-agent permissions; the article gives no file hashes, domains or other atomic indicators)