Executive Summary:

Elastic has released a critical security update addressing a severe vulnerability in Kibana, a data visualization dashboard for Elasticsearch. The flaw, identified as CVE-2025-25015, carries a CVSS score of 9.9, indicating its critical nature. This vulnerability is a result of prototype pollution, which can lead to arbitrary code execution through a crafted file upload and specific HTTP requests. The affected versions are Kibana 8.15.0 to 8.17.2, and it has been remediated in version 8.17.3.

Vulnerability Details:

• CVE Identifier: CVE-2025-25015
• CVSS Score: 9.9
• Vulnerability Type: Prototype Pollution
• Affected Versions: Kibana 8.15.0 to 8.17.2
• Patched Version: 8.17.3
• Exploitation Requirements:
• Versions 8.15.0 to 8.17.1: Exploitable by users with the Viewer role.
• Versions 8.17.1 to 8.17.2: Requires privileges such as fleet-all, integrations-all, and actions:execute-advanced-connectors.
• Impact: Enables attackers to manipulate JavaScript objects, potentially allowing unauthorized access, privilege escalation, denial-of-service, or remote code execution.

Exploitation in the Wild:

Currently, there are no known reports of active exploitation in the wild, nor are there any known APT groups identified as using this vulnerability. However, given its critical nature, the potential for exploitation remains high, necessitating urgent patching to prevent potential threats.

Mitigation Strategies:

• Immediate Action: Upgrade Kibana to version 8.17.3.
• Configuration Adjustment: If immediate upgrading is not possible, disable the Integration Assistant feature by setting

  xpack.integration_assistant.enabled: false

  in the

  kibana.yml

  configuration file.
• Container Security: The exploitation is limited within the Kibana Docker container, and further exploitation is mitigated by seccomp-bpf and AppArmor profiles.

Past Related Vulnerabilities:

• CVE-2024-37287: A previous critical prototype pollution flaw in Kibana that could lead to code execution (CVSS score: 9.9).
• CVE-2024-37288 and CVE-2024-37285: Severe deserialization bugs resolved in the past that also permitted code execution.

References:

• The Hacker News Report on CVE-2025-25015
• Elastic Security Advisory
• Kudelski Security Research on CVE-2025-25012

Conclusion:

Organizations using Kibana are strongly advised to apply the latest updates as soon as possible to mitigate the risk posed by this critical vulnerability. Continuous monitoring and adherence to security advisories are crucial to safeguarding against emerging threats.