CVE-2025-25012
March 7, 2025

Critical Kibana Vulnerability Enabling Remote Code Execution

Security Advisory
Kudelski Security Team

Summary

A critical vulnerability, identified as CVE-2025-25015, has been disclosed in Kibana, which enables unauthenticated remote attackers to execute arbitrary code on affected systems. Discovered on March 6, 2025, this flaw affects Kibana versions 8.15.0 through 8.17.3 and poses a significant security risk for organizations that have not yet applied the necessary updates. The vulnerability allows attackers to exploit the system by manipulating certain user inputs, including specially crafted HTTP requests and file uploads. By leveraging this flaw, attackers can gain remote code execution on the affected system, potentially leading to unauthorized access, execution of commands, data manipulation, or full system compromise.

The vulnerability has been assigned a CVSS score of 9.9 (out of 10), reflecting its critical severity.

Update:

We would like to provide an important update regarding the CVE ID referenced in the original advisory.

In the initial advisory, the vulnerability was incorrectly identified as CVE-2025-25012. However, after further clarification from Elastic (the developers of Kibana), the correct CVE ID for this issue is CVE-2025-25015.

This update does not change the nature of the vulnerability or its impact.

We apologize for any confusion caused by the initial misreference and encourage all users to follow the recommended mitigation steps and apply the necessary patches to address this critical vulnerability.

Affected Systems and/or Applications:

Kibana versions impacted: Versions 8.15.0 through 8.17.3.

Technical Details / Attack Overview:

The vulnerability, tracked as CVE-2025-25015 (referenced as CVE-2025-25012 in the original advisory), is a prototype pollution vulnerability in Kibana that leads to arbitrary code execution. Prototype pollution occurs when an attacker manipulates an application’s JavaScript objects and properties, which can lead to a variety of malicious outcomes, such as unauthorized data access, privilege escalation, denial-of-service, or, in this case, remote code execution.

This flaw arises from improper input validation and sanitization, which allows attackers to manipulate the JavaScript prototype chain. By doing so, the attacker can execute arbitrary code on the server, ultimately compromising the affected system. Specifically, attackers can exploit Kibana by uploading a specially crafted file and sending malicious HTTP requests, achieving code execution. This means an adversary could gain unauthorized access, execute commands, manipulate data, or even take full control of the compromised system.
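The mechanism described above, shown as an added example that is not Kibana's code and not part of the original advisory: a generic recursive merge that trusts every key in parsed JSON, next to a hardened merge and a key scanner for input validation. The function names, the `polluted` marker and the sample request body are constructed for illustration.

```javascript
// Added illustration: generic merge code, not taken from Kibana.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: trusts every key. target['__proto__'] resolves to
// Object.prototype, so the recursion ends up writing into the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened form: drop prototype-reaching keys and only descend into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (!isPlainObject(value)) { target[key] = value; continue; }
    const ownChild = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
    if (!ownChild) target[key] = {};
    safeMerge(target[key], value);
  }
  return target;
}

// Validation/logging helper: paths of forbidden keys anywhere in a parsed payload.
function findPollutionKeys(value, path = '$') {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) hits.push(`${path}.${key}`);
    hits.push(...findPollutionKeys(value[key], `${path}.${key}`));
  }
  return hits;
}

function demo() {
  // Constructed request body; JSON.parse makes "__proto__" an ordinary own key.
  const body = JSON.parse('{"settings":{"theme":"dark"},"__proto__":{"polluted":"yes"}}');
  unsafeMerge({}, body);
  const afterUnsafe = ({}).polluted;   // every object now inherits the marker
  delete Object.prototype.polluted;    // undo the pollution before the safe run
  const merged = safeMerge({}, body);
  return { afterUnsafe, afterSafe: ({}).polluted, merged, flagged: findPollutionKeys(body) };
}
console.log(demo());
```

Rejecting or logging any request whose parsed body yields a non-empty `findPollutionKeys` result is one way to apply the input validation the paragraph refers to.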

The critical nature of this vulnerability is reflected in its CVSS score of 9.9 (out of 10), indicating its severity.

Exploitation Conditions:

  • In Kibana versions 8.15.0 through 8.17.0, the vulnerability is exploitable only by users with the Viewer role.
  • In Kibana versions 8.17.1 and 8.17.2, the vulnerability can be exploited only by users with the following elevated privileges:
    • fleet-all
    • integrations-all
    • actions:execute-advanced-connectors

In these versions, only users who have all three of the specified privileges can successfully leverage the flaw to gain unauthorized access or execute arbitrary code.

Once the vulnerability is successfully exploited, the attacker can potentially gain full control of the affected system, execute arbitrary commands, or access sensitive data—depending on the privileges granted by the exploit.

Mitigation

  • Update Kibana: To address the vulnerability, update Kibana to version 8.17.3.
  • If Upgrade is Not Possible: If upgrading to version 8.17.3 is not immediately feasible, ensure that the following line is added to Kibana’s configuration to mitigate the risk:
    xpack.integration_assistant.enabled: false
    This configuration change will disable the Integration Assistant feature, reducing the attack surface until an upgrade can be applied.

What the Cyber Fusion Center is Doing


The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.

  • Tenable IDs:
    • CVE-2025-25012
