A security issue in the Kibana CrowdStrike Connector allows attackers to access stored CrowdStrike credentials.
The flaw affects multiple versions of Kibana and can expose credentials across spaces within the same deployment. Elastic has released updates to resolve this issue and urges users to upgrade immediately.
Vulnerability Details
The flaw, tracked as CVE-2025-37728, arises from insufficient protection of credentials in the CrowdStrike Connector.
When a connector is created in one Kibana space, the credentials used to access the CrowdStrike API are cached by the connector.
CVE ID | Affected Versions | Impact | CVSS 3.1 Score
--- | --- | --- | ---
CVE-2025-37728 | 7.x: ≤ 7.17.29; 8.x: 8.14.0 to 8.18.7; 8.19.x: 8.19.0 to 8.19.4; 9.0.x: 9.0.0 to 9.0.7; 9.1.x: 9.1.0 to 9.1.4 | Partial credential leak | 5.4
A malicious user with access to another space can exploit this caching mechanism to retrieve credentials that belong to a different space.
The issue impacts any Kibana instance using the CrowdStrike Connector and can lead to unauthorized disclosure of credentials.
Affected Versions and Impact
The vulnerability affects every Kibana version, supported or unsupported, that includes the CrowdStrike Connector and predates the patched releases.
While no direct data modification or deletion is possible through this flaw, leaked credentials can enable attackers to query CrowdStrike APIs, gather threat data, and potentially manipulate threat hunting workflows.
The risk is classified as Medium with a CVSSv3.1 score of 5.4, indicating that successful exploitation requires limited privileges and some user interaction but can result in partial confidentiality loss.
Any Kibana instance configured with the CrowdStrike Connector and running an impacted version is vulnerable. This includes setups in which users manage multiple spaces for organizing dashboards, alerts, and connectors.
Elastic has fixed the flaw in the following patched versions: 8.18.8, 8.19.5, 9.0.8, and 9.1.5. Users running affected versions should upgrade to one of these releases without delay.
No workaround or temporary mitigation is available, so upgrading is the only effective measure.
After upgrading, administrators should review connector configurations to ensure they are functioning correctly and rotate any credentials that may have been exposed.
Check your Kibana version and plan an upgrade to one of the fixed releases. Engage your security team to verify connector health and consider rotating the CrowdStrike API keys stored in the connector.
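The version check and connector review described above, as an added example that is not part of the original article or of Elastic's tooling. It encodes the affected ranges and patched releases exactly as listed on this page, and includes a constructed connector inventory whose field names (`id`, `name`, `connector_type_id`) and the `.crowdstrike` type identifier are assumptions modelled on the shape of Kibana's connectors API response, not values quoted from the advisory.

```python
"""Triage helper for CVE-2025-37728 (Kibana CrowdStrike Connector credential leak).

Added example: checks a Kibana version string against the affected ranges and
patched releases published in the advisory, and lists which connectors in an
inventory are CrowdStrike connectors whose credentials may need rotation.
"""
import re

# Inclusive affected ranges, copied from the advisory table.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 17, 29)),
    ((8, 14, 0), (8, 18, 7)),
    ((8, 19, 0), (8, 19, 4)),
    ((9, 0, 0), (9, 0, 7)),
    ((9, 1, 0), (9, 1, 4)),
]

# Patched releases named in the advisory, in ascending order.
FIXED_VERSIONS = [(8, 18, 8), (8, 19, 5), (9, 0, 8), (9, 1, 5)]

# Assumed connector type id for the CrowdStrike connector (not quoted by the advisory).
CROWDSTRIKE_TYPE_ID = ".crowdstrike"


def parse_version(text):
    """Parse 'v8.18.7' or '8.18.7-SNAPSHOT' into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside any affected range."""
    v = parse_version(version) if isinstance(version, str) else version
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version):
    """Lowest patched release above an affected version, or None if not affected.

    Branches with their own patched release (8.18, 8.19, 9.0, 9.1) get that
    release; 7.x and 8.14 to 8.17 have none listed, so the next patched
    release upward (8.18.8) is recommended.
    """
    v = parse_version(version) if isinstance(version, str) else version
    if not is_affected(v):
        return None
    same_branch = [f for f in FIXED_VERSIONS if f[:2] == v[:2]]
    candidates = same_branch or [f for f in FIXED_VERSIONS if f > v]
    return ".".join(str(x) for x in candidates[0])


def crowdstrike_connector_ids(connectors):
    """Return ids of connectors whose type is the CrowdStrike connector.

    `connectors` is a list of dicts; the field names are an assumption about
    the connectors API response shape, so adapt them to what your Kibana returns.
    """
    return [c["id"] for c in connectors if c.get("connector_type_id") == CROWDSTRIKE_TYPE_ID]


# Constructed sample inventory (not real data) to exercise the review step.
SAMPLE_CONNECTORS = [
    {"id": "cs-space-a", "name": "CrowdStrike prod", "connector_type_id": ".crowdstrike"},
    {"id": "slack-ops", "name": "Ops alerts", "connector_type_id": ".slack"},
    {"id": "mail-soc", "name": "SOC mailbox", "connector_type_id": ".email"},
]


if __name__ == "__main__":
    for ver in ["7.17.29", "8.16.2", "8.18.7", "8.18.8", "9.1.4", "9.1.5"]:
        status = "AFFECTED" if is_affected(ver) else "not affected"
        print(f"Kibana {ver}: {status}; upgrade to: {recommended_upgrade(ver)}")
    print("CrowdStrike connectors to review/rotate:", crowdstrike_connector_ids(SAMPLE_CONNECTORS))
```

Feed `is_affected` the value reported by your Kibana instance and, for any affected deployment, rotate the client credentials stored in every connector id that `crowdstrike_connector_ids` returns after the upgrade, since the advisory offers no pre-upgrade mitigation.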
Finally, monitor Elastic’s security announcements channel for any additional guidance or updates.