I achieved a cross-tenant #RCE in #GoogleCloud simply by abusing predictable bucket names. 🪣
In my latest research for @FocalSecurity, I look into "Bucket Squatting" - a cross-tenant attack that landed me 3 critical vulnerabilities in GCP.
Here is how it works:
We found GatewayToHeaven (CVE-2025-13292) - a critical cross-tenant flaw in Google Cloud's Apigee - but what if a malicious actor found it first?
Check out our article explaining how to preemptively mitigate such vulnerabilities:
focalsecurity.io/blog/mitiga…
Check out our article showcasing how we found GatewayToHeaven (CVE-2025-13292), a cross-tenant vulnerability in GCP's Apigee:
focalsecurity.io/blog/gatewa…