• Menu
  • Skip to main content
  • Skip to primary sidebar

All Tech News

Latest Technology News

Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution

You are here: Home / Cyber Security News / Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution

Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution.

The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution.

“Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests,” the company said in an advisory released Wednesday.

Prototype pollution vulnerability is a security flaw that allows attackers to manipulate an application’s JavaScript objects and properties, potentially leading to unauthorized data access, privilege escalation, denial-of-service, or remote code execution.

The vulnerability affects all versions of Kibana between 8.15.0 and 8.17.3. It has been addressed in version 8.17.3.

That said, in Kibana versions from 8.15.0 and prior to 8.17.1, the vulnerability is exploitable only by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, it can only be exploited by users that have all the below-mentioned privileges –

  • fleet-all
  • integrations-all
  • actions:execute-advanced-connectors

Users are advised to take steps to apply the latest fixes to safeguard against potential threats. In the event immediate patching is not an option, users are recommended to set the Integration Assistant feature flag to false (“xpack.integration_assistant.enabled: false”) in Kibana’s configuration (“kibana.yml”).

In August 2024, Elastic addressed another critical prototype pollution flaw in Kibana (CVE-2024-37287, CVSS score: 9.9) that could lead to code execution. A month later, it resolved two severe deserialization bugs (CVE-2024-37288, CVSS score: 9.9 and CVE-2024-37285, CVSS score: 9.1) that could also permit arbitrary code execution.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Some parts of this article are sourced from:
thehackernews.com

Previous Post: « EncryptHub Deploys Ransomware and Stealer via Trojanized Apps, PPI Services, and Phishing
Next Post: PHP-CGI RCE Flaw Exploited in Attacks on Japan’s Tech, Telecom, and E-Commerce Sectors »

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Recent Posts

  • Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor
  • LangSmith Bug Could Expose OpenAI Keys and User Data via Malicious Agents
  • Silver Fox APT Targets Taiwan with Complex Gh0stCringe and HoldingHands RAT Malware
  • Google Warns of Scattered Spider Attacks Targeting IT Support Teams at U.S. Insurance Firms
  • Are Forgotten AD Service Accounts Leaving You at Risk?

Copyright © 2025 · AllTech.News, All Rights Reserved.