Vertex-Ai — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/vertex-ai/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 01 Apr 2026 07:43:16 +0000Weaponization of Google Vertex AI Agentshttps://feed.craftedsignal.io/briefs/2026-04-vertex-ai-compromise/Wed, 01 Apr 2026 07:43:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-vertex-ai-compromise/Researchers demonstrated that AI agents built on Google's Vertex AI can be compromised to exfiltrate data, create backdoors, and compromise infrastructure by abusing excessive permissions of the Per-Project, Per-Product Service Agent (P4SA).Palo Alto Networks researchers have detailed their analysis of Google Cloud Platform’s Vertex AI, specifically focusing on the Vertex Agent Engine and the Agent Development Kit (ADK). The research demonstrates how AI agents built on this platform can be weaponized. The core issue revolves around the Per-Project, Per-Product Service Agent (P4SA), which is associated with user-deployed AI agents. The researchers found that the default permissions of P4SA are excessive, allowing attackers to gain unauthorized access to the Google project hosting Vertex AI. This exploitation enables malicious activities such as data exfiltration, backdoor creation, and broader infrastructure compromise. Google has since revised its documentation and recommends using Bring Your Own Service Account (BYOSA) to enforce least-privilege execution, mitigating the identified risks.

Attack Chain

  1. An attacker gains initial access to an AI agent built on Vertex AI.
  2. The attacker exploits the excessive default permissions associated with the Per-Project, Per-Product Service Agent (P4SA).
  3. The attacker obtains the GCP service agent’s credentials by abusing the P4SA permissions.
  4. Using the compromised credentials, the attacker moves from the AI agent’s execution context into the owner’s Google Cloud project.
  5. The attacker gains unrestricted access to the Google project hosting Vertex AI.
  6. The attacker downloads container images from private repositories that form the core of the Vertex AI Reasoning Engine.
  7. The attacker accesses restricted Artifact Registry repositories containing other images.
  8. The attacker identifies and manipulates a file within the agent’s environment to achieve remote code execution and establish a persistent backdoor.

Impact

The successful exploitation of Vertex AI agents allows attackers to exfiltrate sensitive data, establish persistent backdoors, and potentially compromise the entire Google Cloud project. This can lead to exposure of Google’s intellectual property through access to the Vertex AI Reasoning Engine’s container images. Furthermore, attackers can gain access to restricted Artifact Registry repositories and Google Cloud Storage buckets containing potentially sensitive information. The impact includes data breaches, intellectual property theft, and potential disruption of critical services running on the compromised infrastructure.

Recommendation

  • Implement Bring Your Own Service Account (BYOSA) for Agent Engine to enforce the principle of least privilege, as recommended by Google.
  • Monitor service account activity within Google Cloud Platform for anomalous behavior indicative of credential compromise and lateral movement.
  • Deploy the Sigma rule to detect attempts to download container images from private repositories after potential P4SA compromise.
]]>criticaladvisorycloudaivertex-aiprivilege-escalation