Elastic has released a security advisory detailing a medium-severity vulnerability in the Kibana CrowdStrike Connector that could allow for the exposure of sensitive credentials.
The flaw, tracked as CVE-2025-37728, affects multiple versions of Kibana and could allow a malicious user to access cached CrowdStrike credentials from other users within the same environment.
The vulnerability underscores the security risks associated with interconnected platforms and the importance of timely updates.
Vulnerability Details and Impact
The security flaw, identified as “Insufficiently Protected Credentials in the Crowdstrike connector,” has a CVSSv3.1 score of 5.4, rating it as a medium-severity issue.
According to Elastic’s security advisory, a malicious user with access to one space in a Kibana instance can create and run a new CrowdStrike connector.
This action allows them to access cached credentials from an existing CrowdStrike connector operating in a different space.
The vulnerability essentially permits unauthorized cross-space access to the sensitive API credentials used for communication between Kibana and the CrowdStrike Management Console: Kibana spaces are meant to isolate saved objects such as connectors, but the cached credentials were not isolated along with them.
Successful exploitation could lead to the leakage of credentials, potentially allowing an attacker to interact with the CrowdStrike platform with the privileges of the compromised account.
The vulnerability impacts a wide range of Kibana versions across multiple release lines. This includes all versions of 7.x up to 7.17.29, versions 8.14.0 through 8.18.7, versions 8.19.0 through 8.19.4, versions 9.0.0 through 9.0.7, and versions 9.1.0 through 9.1.4.
Any Kibana instance that utilizes the CrowdStrike connector within these version ranges is considered vulnerable. Elastic has addressed the issue in versions 8.18.8, 8.19.5, 9.0.8, and 9.1.5. The company strongly advises users to upgrade to one of these patched releases to resolve the security gap.
Notably, Elastic has stated that there are no workarounds available for users who cannot immediately upgrade, making patching the only viable solution.
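Since patching is the only remediation, the first practical step is to know which Kibana instances fall inside the affected ranges. The following is an added example (not Elastic's code) that encodes the version ranges and fixed releases listed above, reads the ranges as inclusive on both ends (an assumption; the advisory wording is "through" / "up to"), and maps a Kibana version string (for example the `version.number` value returned by Kibana's `/api/status` endpoint) to the patched release to move to.

```python
"""Triage Kibana version strings against the CVE-2025-37728 affected ranges."""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory summary, read as inclusive on both ends (assumption).
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 17, 29)),   # all 7.x up to 7.17.29
    ((8, 14, 0), (8, 18, 7)),   # 8.14.0 through 8.18.7
    ((8, 19, 0), (8, 19, 4)),   # 8.19.0 through 8.19.4
    ((9, 0, 0), (9, 0, 7)),     # 9.0.0 through 9.0.7
    ((9, 1, 0), (9, 1, 4)),     # 9.1.0 through 9.1.4
]

# Fixed releases named in the advisory, one per patched minor line.
FIXED_VERSIONS: list[Version] = [(8, 18, 8), (8, 19, 5), (9, 0, 8), (9, 1, 5)]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH', tolerating a build suffix such as '9.1.4-SNAPSHOT'."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[Version]:
    """Patched release to move to: the fix on the same minor line if there is one,
    otherwise the lowest fixed release above the current version (7.x and 8.14-8.17
    have no same-line fix in the advisory). None if the version is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    same_line = [f for f in FIXED_VERSIONS if f[:2] == v[:2]]
    if same_line:
        return same_line[0]
    return min(f for f in FIXED_VERSIONS if f > v)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("kibana-a", "8.18.7"), ("kibana-b", "7.17.29"), ("kibana-c", "9.1.5")]:
        print(host, ver, "affected" if is_affected(ver) else "ok", recommended_upgrade(ver))
```

Any instance that is affected but does not use the CrowdStrike connector still warrants the upgrade, since a user with space access can create one.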
The Kibana CrowdStrike connector is designed to facilitate the seamless integration of data between the CrowdStrike Falcon platform and Elastic, enabling automated incident correlation and telemetry onboarding.
The credentials leaked by this vulnerability are used to authenticate with the CrowdStrike REST API, making their protection critical for maintaining security posture across both platforms.
The advisory (ESA-2025-19) was part of a larger security update from Elastic that addressed several other vulnerabilities in Kibana and Elasticsearch.
Given that no alternative mitigation exists, administrators of affected Kibana deployments are urged to prioritize the update to prevent potential credential theft and subsequent misuse.
Elastic emphasizes the importance of timely updates and configuration reviews to reduce exposure to such threats.