Elastic Patches Critical Kibana Vulnerability Allowing Remote Code Execution

Elastic has released security updates to fix a critical vulnerability in Kibana, the data visualization dashboard for Elasticsearch, that could allow arbitrary code execution.

Vulnerability Details (CVE-2025-25012)

  • Severity: 9.9/10 (CVSS Score)
  • Issue: Prototype Pollution
  • Impact: Attackers can manipulate JavaScript objects via crafted file uploads and HTTP requests, leading to unauthorized data access, privilege escalation, and remote code execution.
  • Affected Versions: Kibana 8.15.0 to 8.17.3
  • Patched Version: 8.17.3
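To make the "prototype pollution" label above concrete, here is an added example that is not Kibana's code and does not reproduce the Kibana bug. It shows the generic pattern behind this vulnerability class: a recursive merge that copies untrusted JSON into a config object without filtering prototype-related keys, next to a hardened version that refuses them, plus a small check a defender can run to confirm `Object.prototype` has not been written to. The payload string and the function names are constructed for the example.

```javascript
// Added example: a deep-merge helper in pollution-prone and hardened forms.
// None of this is Kibana code; it illustrates the bug class only.

// Vulnerable form: walks every enumerable key of the source, including an
// own "__proto__" key that JSON.parse happily creates. Reading
// target["__proto__"] resolves to Object.prototype, so the recursion ends up
// writing attacker-chosen properties onto every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: skips the keys that reach the prototype chain, only
// recurses into own plain-object properties, and never follows an
// inherited property on the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        target[key] && typeof target[key] === 'object';
      if (!ownObject) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defender-side sanity check: a fresh empty object must enumerate nothing.
// If it does, something has polluted Object.prototype.
function prototypeIsClean() {
  for (const _ in {}) return false;
  return true;
}

// Constructed untrusted input, as an HTTP body or uploaded JSON file would
// look after JSON.parse: a normal field plus a "__proto__" key.
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"isAdmin":true}}';

// Runs the vulnerable merge and reports whether an unrelated object now
// appears to carry isAdmin. Cleans up afterwards so the process stays usable.
function demoUnsafe() {
  const config = { name: 'default' };
  unsafeMerge(config, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution for this demo
  return leaked;
}

// Runs the hardened merge on the same input: the benign field is copied,
// the prototype key is dropped, and nothing leaks onto other objects.
function demoSafe() {
  const config = { name: 'default' };
  safeMerge(config, JSON.parse(UNTRUSTED_JSON));
  return { leaked: ({}).isAdmin === true, name: config.name };
}

console.log('unsafe merge leaked isAdmin:', demoUnsafe());
console.log('safe merge result:', demoSafe());
console.log('Object.prototype clean:', prototypeIsClean());
```

The key-name denylist is the minimum fix; in real code the merge should also only accept plain objects (`Object.getPrototypeOf(value) === Object.prototype || === null`) as recursion targets, and the `prototypeIsClean()` style check is useful as a startup or health-check assertion in services that deserialize user-controlled JSON.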

Exploitation Conditions

  • In versions 8.15.0 to 8.17.1, exploitation requires at least a Viewer role.
  • In versions 8.17.1 and 8.17.2, exploitation requires users with the following privileges:
    • fleet-all
    • integrations-all
    • actions:execute-advanced-connectors

Mitigation Steps

Users are urged to update to Kibana 8.17.3 immediately. If immediate patching is not possible, disabling the Integration Assistant feature in Kibana's configuration file (kibana.yml) by setting:

xpack.integration_assistant.enabled: false

can serve as a temporary workaround until the update is applied.

Recent Kibana Security Issues

This is the latest in a series of severe security flaws in Kibana:

  • August 2024: Another prototype pollution flaw (CVE-2024-37287, CVSS 9.9) was patched.
  • September 2024: Two deserialization vulnerabilities (CVE-2024-37288, CVSS 9.9 & CVE-2024-37285, CVSS 9.1) were also addressed.

With multiple high-impact vulnerabilities surfacing in Kibana, prompt patching is critical to preventing potential cyberattacks.