CanSSOC advisory: Vulnerability – Critical Kibana vulnerability exposes systems to code execution

Published: March 6, 2025

TLP: CLEAR
CanSSOC Threat Assessment [*]: HIGH

Summary:

A newly discovered critical vulnerability in Kibana, identified as CVE-2025-25012, exposes organizations to the risk of arbitrary code execution through prototype pollution.

This flaw, with a CVSS score of 9.9, enables attackers to manipulate object properties, potentially leading to full system compromise. The vulnerability is especially concerning due to Kibana’s widespread use across industries for data visualization and monitoring [1].

Exploit details:

Attackers can exploit CVE-2025-25012 by uploading specially crafted files and sending malicious HTTP requests. This allows unauthorized access, command execution, data manipulation, and even full system control. Notably, the exploit is effective against:

  • Versions 8.15.0 to 8.17.3: exploitable by all users, even those with only the Viewer role
  • Versions 8.17.1 and 8.17.2: risk is limited to users with elevated privileges such as:
    • fleet-all
    • integrations-all
    • actions:execute-advanced-connectors [3].

The accessibility of this vulnerability across different privilege levels broadens the attack surface, increasing the likelihood of mass exploitation.

We are asking institutions that have the resources to investigate activity related to the shared vulnerability to do so and report the information back to CanSSOC via your institutional Slack channel or via security@canssoc.canarie.ca.

Recommendations:

  • Upgrade to Kibana 8.17.3, which contains the necessary patch.
  • Disable Integration Assistant by adding the following configuration setting.
    • xpack.integration_assistant.enabled: false
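
A triage helper for the two recommendations above, added here as an example and not part of the CanSSOC advisory or of Elastic's tooling. It assumes 8.17.3 is the fixed release (as the Recommendations state), that 8.17.1 and 8.17.2 are the privileged-only builds, and that the setting appears in its flat dotted form; the function names and the sample configuration are constructed for illustration.

```python
import re

# Version bounds as given in the advisory; 8.17.3 is treated as fixed because
# the Recommendations name it as the patched release (assumption).
FIRST_AFFECTED = (8, 15, 0)
FIXED = (8, 17, 3)
PRIVILEGED_ONLY = {(8, 17, 1), (8, 17, 2)}
SETTING = "xpack.integration_assistant.enabled"

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_YML = "server.port: 5601\nxpack.integration_assistant.enabled: false  # mitigation\n"


def parse_version(text):
    """Return (major, minor, patch) from strings like '8.16.4' or 'v8.17.0-SNAPSHOT'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(p) for p in m.groups())


def assistant_disabled(config_text):
    """True if the flat dotted key is set to false on an uncommented line."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # ignore comments
        key, sep, value = line.partition(":")
        if sep and key.strip() == SETTING:
            return value.strip().strip("'\"").lower() == "false"
    return False


def triage(version_text, config_text):
    """Classify one Kibana instance against the advisory's ranges and mitigation."""
    version = parse_version(version_text)
    if version < FIRST_AFFECTED:
        return "not in affected range"
    if version >= FIXED:
        return "patched"
    exposure = "privileged roles" if version in PRIVILEGED_ONLY else "any role incl. Viewer"
    if assistant_disabled(config_text):
        return f"vulnerable build, mitigated by config ({exposure}); upgrade to 8.17.3"
    return f"vulnerable, unmitigated ({exposure}); upgrade to 8.17.3"


if __name__ == "__main__":
    for v in ("8.14.3", "8.16.4", "8.17.2", "8.17.3"):
        print(v, "->", triage(v, SAMPLE_YML))
```

A configuration-only mitigation still reports the build as vulnerable, so the upgrade stays on the to-do list for that instance.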

Support:

As always, please contact security.response@utoronto.ca if you have any questions or concerns or feel that a device has been compromised by this vulnerability.

Footnotes:

[*] The CanSSOC Threat Assessment has the following four scores: LOW, MEDIUM, HIGH, SEVERE.