Elastic has issued an urgent security advisory for a critical vulnerability in Kibana, tracked as CVE-2025-25012, that allows authenticated attackers to execute arbitrary code on affected systems.
The flaw, rated 9.9 on the CVSS v3.1 scale, stems from a prototype pollution issue in Kibana’s file upload handler and HTTP request processing. Exploitation could lead to full system compromise, data exfiltration, or service disruption.
The vulnerability resides in how Kibana processes file uploads and HTTP requests. By injecting malicious payloads into these workflows, attackers can manipulate JavaScript object prototypes, a technique known as prototype pollution, to bypass security controls and execute arbitrary code.
This attack vector is classified under CWE-1321 (Improper Control of Prototype-Based Attribute Modifications) and aligns with MITRE ATT&CK tactic T1059 (Command and Scripting Interpreter).
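The following is an added illustration, not Kibana's or Elastic's code and not the vulnerable handler itself: it shows the general shape of a prototype pollution bug in a Node.js service (a naive recursive merge of attacker-controlled JSON), the hardened merge that blocks it, and a runtime canary that detects a polluted Object.prototype. The payload and function names are constructed for the example.

```javascript
// Added example (not Kibana's or Elastic's code): a naive recursive merge that
// copies attacker-controlled JSON into an object, the pollution it allows, a
// hardened merge, and a runtime canary that detects a polluted Object.prototype.

// Keys that, when written through a merge, reach the prototype chain instead
// of the object itself.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: every key of the source is walked, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, so the recursion then
// writes the nested keys onto the prototype shared by every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip keys that name the prototype chain, only descend into
// the target's own properties, and build nested containers with a null
// prototype so there is nothing for a stray key to pollute.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!own) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime canary for detection: Object.prototype's built-in members are
// non-enumerable, so any enumerable own key on it is a sign of pollution.
function prototypePollutionIndicators() {
  return Object.keys(Object.prototype);
}

// Constructed payload of the kind a JSON body or uploaded file could carry.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Merge the payload with the given function and report whether an unrelated,
// freshly created object now "has" isAdmin. Cleans up so the process is not
// left polluted for later code.
function pollutes(mergeFn) {
  try {
    mergeFn({}, JSON.parse(PAYLOAD));
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log("unsafeMerge pollutes:", pollutes(unsafeMerge)); // true
console.log("safeMerge pollutes:  ", pollutes(safeMerge));   // false
```

The canary is the detection-side takeaway: a health check that reports any enumerable key on Object.prototype will catch pollution regardless of which code path introduced it, which is useful while a patch is being rolled out.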
Affected Versions:
- Kibana 8.15.0 to 8.17.0: Exploitable by users with the Viewer role.
- Kibana 8.17.1 and 8.17.2: Requires users possessing fleet-all, integrations-all, and actions:execute-advanced-connectors privileges.
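As an added triage helper (not Elastic's tooling), the script below classifies a Kibana version against the two affected ranges listed above and the fixed release named in the advisory, and flags which hosts in a constructed inventory are exposed given the privileges held by the accounts that can reach them. It assumes that the Viewer role, being the lowest built-in role, means any authenticated user suffices for the first range; the inventory, host names and privilege lists are constructed.

```javascript
// Added example (not Elastic's tooling): classify Kibana versions against the
// affected ranges quoted in the advisory and triage a constructed inventory.

const FIXED = [8, 17, 3];
// Privileges that the advisory says are all required on 8.17.1 and 8.17.2.
const PRIVILEGED_SET = ["fleet-all", "integrations-all", "actions:execute-advanced-connectors"];

function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised Kibana version: ${s}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

function inRange(v, lo, hi) {
  return cmp(v, lo) >= 0 && cmp(v, hi) <= 0;
}

// "viewer": any authenticated user can exploit; "privileged": only users with
// all three privileges; "fixed": at or above 8.17.3; "not-listed": outside the
// ranges named by the advisory.
function classify(versionStr) {
  const v = parseVersion(versionStr);
  if (inRange(v, [8, 15, 0], [8, 17, 0])) return "viewer";
  if (inRange(v, [8, 17, 1], [8, 17, 2])) return "privileged";
  if (cmp(v, FIXED) >= 0) return "fixed";
  return "not-listed";
}

// Whether an account holding `privileges` could exploit this version.
// Assumption: Viewer is the lowest built-in role, so any authenticated user
// counts for the "viewer" case.
function exploitableBy(versionStr, privileges) {
  const c = classify(versionStr);
  if (c === "viewer") return true;
  if (c === "privileged") return PRIVILEGED_SET.every((p) => privileges.includes(p));
  return false;
}

// Constructed inventory: host, running version, privileges of exposed accounts.
const INVENTORY = [
  { host: "kibana-a", version: "8.16.2", userPrivileges: ["viewer"] },
  { host: "kibana-b", version: "8.17.2", userPrivileges: ["fleet-all"] },
  { host: "kibana-c", version: "8.17.2", userPrivileges: PRIVILEGED_SET },
  { host: "kibana-d", version: "8.17.3", userPrivileges: ["viewer"] },
  { host: "kibana-e", version: "8.14.3", userPrivileges: ["viewer"] },
];

// Everything that is not on the fixed release goes on the upgrade list;
// `exploitable` tells you which hosts to upgrade first.
function triage(inventory) {
  return inventory
    .map((h) => ({
      host: h.host,
      version: h.version,
      status: classify(h.version),
      exploitable: exploitableBy(h.version, h.userPrivileges),
    }))
    .filter((r) => r.status !== "fixed");
}

console.table(triage(INVENTORY));
```

Hosts in the "privileged" range whose current users lack the three privileges still belong on the upgrade list: privileges are granted over time, and the ordering only decides what to patch first.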
Elastic’s advisory warns that exploitation is “trivial” for attackers with valid credentials, requiring no advanced tooling or reverse engineering.
Successful exploitation enables:
- Remote Code Execution (RCE): Full control over Kibana servers.
- Data Breaches: Unauthorized access to Elasticsearch clusters, API keys, and sensitive logs.
- Lateral Movement: Compromised Kibana instances could serve as entry points into broader infrastructure.
The vulnerability’s severity is amplified by Kibana’s role in centralized logging and analytics. Organizations using Kibana for security monitoring (via Elastic Security) face heightened risks, as attackers could disable alerts or manipulate threat-detection pipelines.
Mitigations
Elastic has released Kibana 8.17.3 to address the flaw. Administrators must prioritize upgrading immediately. For systems requiring temporary mitigation, disable the Integration Assistant by adding the following line to kibana.yml:
This measure reduces the attack surface but does not eliminate the risk. As of writing, no public proof-of-concept exploits exist.
Elastic Cloud deployments received automated patches, but self-managed clusters require manual intervention.
Organizations that fail to patch risk regulatory penalties under GDPR and HIPAA, given Kibana’s frequent processing of sensitive data. This incident underscores the critical need for real-time vulnerability monitoring in data analytics platforms.