CVE-2025-25015
Published: 05 March 2025
Summary
CVE-2025-25015 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Elastic Kibana. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 27.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly mitigates CVE-2025-25015 by requiring timely application of Kibana security patches (e.g., 8.17.3 or 8.16.6) to eliminate the prototype pollution vulnerability.
Least privilege prevents exploitation by restricting which accounts hold the Viewer role or the required privileges (fleet-all, integrations-all, actions:execute-advanced-connectors), since those are the accounts able to perform the crafted file uploads and HTTP requests.
Information input validation on file uploads and HTTP requests helps block crafted inputs that trigger prototype pollution leading to arbitrary code execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The prototype pollution vulnerability enables RCE on a public-facing Kibana server via crafted requests and a file upload. It directly supports T1190 for exploiting the application and T1068 for escalating from low-privilege roles (e.g., Viewer) to full code execution.
NVD Description
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors
Deeper analysis
CVE-2025-25015 is a prototype pollution vulnerability in Kibana that enables arbitrary code execution through a crafted file upload combined with specifically crafted HTTP requests. The vulnerability affects Kibana versions 8.15.0 and later up to but not including 8.17.1, as well as versions 8.17.1 and 8.17.2. It is classified under CWE-1321 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, low privileges required, no user interaction, a changed scope, and high impact across confidentiality, integrity, and availability.
The vulnerability can be exploited by authenticated users depending on the Kibana version. In versions from 8.15.0 up to but not including 8.17.1, users with the Viewer role can trigger it remotely. In versions 8.17.1 and 8.17.2, exploitation requires users with roles granting all of the following privileges: fleet-all, integrations-all, and actions:execute-advanced-connectors. Successful exploitation leads to arbitrary code execution on the Kibana server.
The Elastic Security Advisory ESA-2025-06, detailed at https://discuss.elastic.co/t/kibana-8-17-3-8-16-6-security-update-esa-2025-06/375441, addresses this issue with security updates for Kibana versions 8.17.3 and 8.16.6, recommending upgrades to these patched releases for mitigation.
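The version and privilege conditions above can be turned into an exposure triage for a deployment inventory. The following is an added example, not code from Elastic or from this page's source; the role objects, the function names, and the treatment of 8.16.x releases after 8.16.6 as fixed are assumptions.

```javascript
// Added example: triage for CVE-2025-25015 using only the version ranges and
// privileges stated on this page. Role objects below are constructed samples.
const GATED_PRIVS = ['fleet-all', 'integrations-all', 'actions:execute-advanced-connectors'];

// Parse "8.17.2" into [8, 17, 2]; reject anything that is not major.minor.patch.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Kibana version: ${v}`);
  return m.slice(1).map(Number);
}

// Sort-style comparator over parsed versions.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// 'viewer': any Viewer can trigger it; 'gated': all three privileges needed;
// 'not-affected': outside the ranges the page lists, or a patched release.
function exposureClass(version) {
  const v = parseVersion(version);
  // Assumption: 8.16.x from 8.16.6 onward carries the fix named in ESA-2025-06.
  if (v[0] === 8 && v[1] === 16 && v[2] >= 6) return 'not-affected';
  if (cmp(v, [8, 15, 0]) >= 0 && cmp(v, [8, 17, 1]) < 0) return 'viewer';
  if (cmp(v, [8, 17, 1]) >= 0 && cmp(v, [8, 17, 3]) < 0) return 'gated';
  return 'not-affected';
}

// Roles that can reach the flaw on this version. Assumption: every role that
// grants Kibana access includes at least Viewer-level access.
function rolesAtRisk(version, roles) {
  const cls = exposureClass(version);
  if (cls === 'not-affected') return [];
  if (cls === 'viewer') return roles.slice();
  return roles.filter((r) => {
    const held = new Set(r.privileges);
    return GATED_PRIVS.every((p) => held.has(p));
  });
}

// Constructed sample roles (hypothetical names).
const SAMPLE_ROLES = [
  { name: 'viewer', privileges: ['read'] },
  { name: 'fleet_partial', privileges: ['fleet-all', 'integrations-all'] },
  { name: 'fleet_admin', privileges: GATED_PRIVS.concat(['read']) },
];

console.log('8.16.1:', rolesAtRisk('8.16.1', SAMPLE_ROLES).map((r) => r.name));
console.log('8.17.2:', rolesAtRisk('8.17.2', SAMPLE_ROLES).map((r) => r.name));
```

On 8.17.1 and 8.17.2 the output also works as a least-privilege worklist: removing any one of the three privileges from a listed role takes it out of the exploitable set until the upgrade lands.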
Details
- CWE(s)