AI description
CVE-2025-25015 is a critical prototype pollution vulnerability in Elastic Kibana, the data visualization and exploration front end for Elasticsearch. Exploitation combines a crafted file upload with specially crafted HTTP requests and results in arbitrary code execution on the affected Kibana host. The privileges required depend on the Kibana version: versions 8.15.0 through 8.17.0 are exploitable by any authenticated user holding the 'Viewer' role, while versions 8.17.1 and 8.17.2 are exploitable only by users whose roles include all of the privileges fleet-all, integrations-all and actions:execute-advanced-connectors. The affected range is therefore 8.15.0 through 8.17.2; the issue is fixed in 8.17.3, and users and administrators are strongly urged to upgrade to 8.17.3 or later.
- Description
- Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors
- Source
- bressers@elastic.co
- NVD status
- Awaiting Analysis
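The weakness class named above (CWE-1321, prototype pollution) is worth seeing in working code. The block below is an added illustration, not Kibana's code and not the vulnerable code path behind this CVE: it pairs a generic recursive deep merge that lets attacker-controlled JSON (a constructed stand-in for an uploaded file or request body) write into `Object.prototype` with a hardened variant, and adds a small triage helper that encodes the affected version ranges exactly as this page's description states them. The function names, the sample JSON and the classification labels are all assumptions made for the example.

```javascript
// Added example (not Kibana's code): a generic deep merge vulnerable to
// CWE-1321 (prototype pollution), a hardened variant, and a version-triage
// helper for the ranges given in this page's description. All inputs are
// constructed for illustration.

// Constructed attacker-controlled JSON, standing in for the body of an
// uploaded file or HTTP request. JSON.parse turns "__proto__" into an
// ordinary own key, so a naive recursive merge walks into Object.prototype.
const ATTACKER_JSON = '{"name":"dashboard","__proto__":{"isAdmin":true}}';

// Unsafe: copies every key of source into target, recursing into objects.
// With key === "__proto__", target[key] resolves to Object.prototype, so the
// nested {"isAdmin": true} lands on every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuses the keys that reach the prototype chain and only reuses
// nested objects that are own properties of target, so the merge can never
// escape the target object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // dropped silently; throwing is the stricter choice
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = existing !== null && typeof existing === "object" ? existing : {};
      target[key] = child;
      safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge into a fresh config object and reports whether an unrelated
// object afterwards inherits the attacker's property.
function runMerge(merge) {
  const config = merge({}, JSON.parse(ATTACKER_JSON));
  const unrelated = {};
  const result = { polluted: unrelated.isAdmin === true, name: config.name };
  delete Object.prototype.isAdmin; // undo any pollution so later code is unaffected
  return result;
}

function demonstratePollution() { return runMerge(unsafeMerge); }
function demonstrateHardened() { return runMerge(safeMerge); }

// Affected ranges as stated on this page: 8.15.0 <= v < 8.17.1 needs only the
// Viewer role; 8.17.1 and 8.17.2 need fleet-all, integrations-all and
// actions:execute-advanced-connectors; 8.17.3 is the fixed release.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised Kibana version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function classifyKibana(version) {
  const v = parseVersion(version);
  if (compareVersions(v, [8, 15, 0]) < 0) return "outside-affected-range";
  if (compareVersions(v, [8, 17, 1]) < 0) return "exploitable-by-viewer";
  if (compareVersions(v, [8, 17, 3]) < 0) return "exploitable-with-fleet-privileges";
  return "fixed";
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafeMerge:", demonstratePollution());
  console.log("safeMerge:  ", demonstrateHardened());
  for (const v of ["8.14.2", "8.16.0", "8.17.2", "8.17.3"]) console.log(v, classifyKibana(v));
}
```

The unsafe merge reports `polluted: true` because `unrelated.isAdmin` is served from `Object.prototype`; the hardened merge still copies the benign `name` key but never touches the prototype chain. Rejecting the three forbidden keys is the minimal fix; parsing untrusted input into null-prototype objects or freezing `Object.prototype` at startup are complementary general hardenings and are not something this advisory prescribes.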
CVSS 3.1
- Type
- Secondary
- Base score
- 9.9
- Impact score
- 6
- Exploitability score
- 3.1
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Severity
- CRITICAL
- Source
- bressers@elastic.co
- Weakness (CWE)
- CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")
- Hype score
- Not currently trending
🚨 Alert: Critical vulnerability in Kibana! CVE-2025-25015 allows attackers to execute arbitrary code on versions 8.15.0 – 8.17.2. 🔐 Update to 8.17.3 and restrict access! Details 👉 https://t.co/kXAFpSnZtL #DNSC #Cybersecurit https://t.co/URZiMcus4M
@DNSC_RO
7 Mar 2025
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Elastic, the company behind the ELK stack, is releasing a patch for the critical vulnerability CVE-2025-25015 (CVSS score 9.9) affecting its Kibana data visualization software. The flaw is a Prototype pollution bug, where an attacker could use a specially crafted file and HTTP… https:
@AlefSecurity
7 Mar 2025
88 Impressions
1 Retweet
2 Likes
0 Bookmarks
1 Reply
0 Quotes
JavaScript attack on thousands of WordPress sites and serious flaw in Kibana Information Security, backdoor, CVE-2025-25015, cybersecurity, remote exploit, javascript, Kibana, prototype pollution, Wordpress https://t.co/AKQX4BeO1z https://t.co/Sji6ebibq2
@matricedigitale
7 Mar 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🗞️ Elastic Rolls Out Urgent Fix for Critical Kibana Flaw Enabling Remote Code Execution Elastic dropped a critical patch for a Kibana flaw (CVE-2025-25015, CVSS 9.9) that could let attackers run code remotely—update to 8.17.3 ASAP! Prototype pollution’s the culprit, and this…
@gossy_84
7 Mar 2025
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📌 CVE-2025-25015 Kibana Prototype Pollution vulnerability requires authentication with the following privileges: fleet-all, integrations-all, and actions:execute-advanced-connectors 📌 CVE-2025-25012: A typo of CVE-2025-25015 Details are here: https://t.co/E5ginMj2FQ
@vulmoncom
7 Mar 2025
52 Impressions
1 Retweet
0 Likes
1 Bookmark
0 Replies
0 Quotes
🚨CRITICAL ALERT🚨 CVE-2025-25015 (CVSS: 9.9) drops a bombshell: Kibana vuln via prototype pollution = arbitrary code execution. Crafted file uploads + sneaky HTTP requests = game over. ZoomEye Dork👉app="Kibana" 198k+ exposed instances spotted already! Check it:… https://t.co
@zoomeye_team
6 Mar 2025
520 Impressions
3 Retweets
4 Likes
5 Bookmarks
0 Replies
0 Quotes
🚨CRITICAL ALERT🚨 CVE-2025-25015 (CVSS: 9.9) drops a bombshell: Kibana vuln via prototype pollution = arbitrary code execution. Crafted file uploads + sneaky HTTP requests = game over. ZoomEye Dork👉app="Kibana" 198k+ exposed instances spotted already! Check it:… https://t.co
@zoomeye_team
6 Mar 2025
35 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨CVE-2025-25015: Kibana arbitrary code execution via prototype pollution https://t.co/uriUtpB1rd
@DarkWebInformer
5 Mar 2025
4496 Impressions
7 Retweets
26 Likes
11 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-25015 ⚠️🔴 CRITICAL (9.9) 🏢 Elastic - Kibana 🏗️ 8.15.0 🔗 https://t.co/ExiOYXVhJz #CyberCron #VulnAlert #InfoSec https://t.co/QguVuFt7wk
@cybercronai
5 Mar 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-25015: CRITICAL] Warning: In Kibana >=8.15.0 & <8.17.1, a serious security issue allows arbitrary code execution through a crafted file upload & HTTP requests. Only certain users can exploit this vulner...#cybersecurity,#vulnerability https://t.co/eRjcQZQU
@CveFindCom
5 Mar 2025
74 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes