Cyber Resilience

CVE-2025-25015

Critical

Published: 05 March 2025
Modified: 02 October 2025
CVSS v3.1 base score: 9.9 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0100 (77.4th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25015 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Elastic Kibana. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 22.6% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

Prototype pollution in Kibana enables arbitrary code execution when an attacker supplies a crafted file upload followed by specially constructed HTTP requests. The flaw affects Kibana 8.15.0 up to but excluding 8.16.6 (all 8.15.x releases and 8.16.0 through 8.16.5) and 8.17.0 through 8.17.2. It is tracked as CWE-1321; the CVSS 3.1 base score is 9.9.
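The mechanism in general terms, as an added JavaScript example that is not Kibana's code and does not reproduce the CVE-2025-25015 upload and request sequence: a naive recursive merge of a parsed JSON body writes through the `__proto__` key onto `Object.prototype`, while the hardened merge drops prototype-reaching keys and only recurses into properties the target actually owns. The payload, the `unsafeMerge`/`safeMerge` functions and the `findPollutionKeys` validator are all constructed for this illustration.

```javascript
// Added example: CWE-1321 prototype pollution in a recursive merge, shown
// vulnerable and hardened. Generic illustration only, not Kibana's code path.

// Keys that resolve to the prototype chain instead of an own property.
const POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed attacker payload: a JSON body whose top-level key is "__proto__".
const PAYLOAD = '{"__proto__": {"polluted": true}, "name": "dashboard"}';

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// VULNERABLE: walks every key of the untrusted input, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the nested values are
// written onto the prototype shared by every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: iterate own keys only, drop prototype-reaching keys outright, and
// never recurse into a property the target merely inherits.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTION_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!owned) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input-validation check: list every path in a parsed body that carries a
// prototype-reaching key, so the request can be rejected before any merge.
function findPollutionKeys(node, path = "$") {
  if (!isPlainObject(node) && !Array.isArray(node)) return [];
  const found = [];
  for (const key of Object.keys(node)) {
    if (POLLUTION_KEYS.has(key)) found.push(`${path}.${key}`);
    found.push(...findPollutionKeys(node[key], `${path}.${key}`));
  }
  return found;
}

// Run the vulnerable merge, observe the leak on an unrelated object, then
// remove the polluted property so the rest of the process stays clean.
function runUnsafe() {
  const before = ({}).polluted;          // undefined on a clean process
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const after = ({}).polluted;           // true: a fresh object now "has" it
  delete Object.prototype.polluted;
  return { before, after };
}

// Run the hardened merge on the same payload; Object.prototype is untouched
// and the merged result carries no own "__proto__" property either.
function runSafe() {
  const merged = safeMerge({}, JSON.parse(PAYLOAD));
  return {
    polluted: ({}).polluted,
    merged,
    hasOwnProto: Object.prototype.hasOwnProperty.call(merged, "__proto__"),
  };
}

console.log("unsafe:", runUnsafe());
console.log("safe:", runSafe());
console.log("validator:", findPollutionKeys(JSON.parse(PAYLOAD)));
```

The two merges differ in only two decisions: which keys are iterated (`for...in` also visits inherited keys, `Object.keys` does not) and whether a key is allowed to resolve to the prototype chain. Validating the parsed body with `findPollutionKeys` before any merge is the cheaper check; the hardened merge is the defence that holds even when a body slips past validation.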

In versions 8.15.0 through 8.17.0 (every release before 8.17.1, other than the patched 8.16.6), any user holding the Viewer role can trigger the vulnerability. In 8.17.1 and 8.17.2 the attack surface is narrower: the attacker needs a role that holds all three of the fleet-all, integrations-all and actions:execute-advanced-connectors privileges. Successful exploitation yields full code execution on the Kibana host.

Elastic’s security advisory recommends immediate upgrade to Kibana 8.17.3 or 8.16.6, which contain the fix. The associated EPSS score remains low (current 0.0100, peak 0.0128) with no material increase after disclosure.
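A version triage check, as an added JavaScript example (not Elastic's tooling), that encodes the ranges above: Viewer-exploitable from 8.15.0 up to but excluding 8.16.6 and in 8.17.0, privileged-only in 8.17.1 and 8.17.2, fixed in 8.16.6 and 8.17.3. It reads the version from the `version.number` field of Kibana's `GET /api/status` response; the sample response embedded below is constructed so the check runs offline, and the helper names are this example's own.

```javascript
// Added example: triage a Kibana version against the CVE-2025-25015 ranges.
// Not Elastic's code; the ranges encode the advisory text on this page.

// Affected ranges, lower bound inclusive, upper bound exclusive.
const VIEWER_RANGES = [["8.15.0", "8.16.6"], ["8.17.0", "8.17.1"]];
const PRIVILEGED_RANGES = [["8.17.1", "8.17.3"]];
const FIRST_AFFECTED = "8.15.0";
const REQUIRED_PRIVILEGES = ["fleet-all", "integrations-all", "actions:execute-advanced-connectors"];

// Parse "MAJOR.MINOR.PATCH" (a suffix such as "-SNAPSHOT" is ignored).
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised Kibana version: ${s}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function inAnyRange(v, ranges) {
  return ranges.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 && compareVersions(v, parseVersion(hi)) < 0);
}

// Classify one version string against the affected ranges.
function classify(versionString) {
  const v = parseVersion(versionString);
  const upgradeTo = v[1] >= 17 ? "8.17.3" : "8.16.6 or 8.17.3";
  if (inAnyRange(v, VIEWER_RANGES)) {
    return { version: versionString, affected: true,
             exploitableBy: "any authenticated user holding the Viewer role", upgradeTo };
  }
  if (inAnyRange(v, PRIVILEGED_RANGES)) {
    return { version: versionString, affected: true,
             exploitableBy: `roles holding all of: ${REQUIRED_PRIVILEGES.join(", ")}`, upgradeTo };
  }
  const reason = compareVersions(v, parseVersion(FIRST_AFFECTED)) < 0
    ? "below the first affected release"
    : "contains the fix";
  return { version: versionString, affected: false, reason };
}

// Constructed sample of a GET /api/status response body; only the field this
// check needs is populated realistically.
const SAMPLE_STATUS = JSON.stringify({
  name: "kibana-01",
  version: { number: "8.17.2", build_hash: "0000000", build_number: 0 },
  status: { overall: { level: "available" } },
});

// Pull version.number out of an /api/status body and classify it.
function classifyStatusResponse(body) {
  const doc = JSON.parse(body);
  const number = doc && doc.version && doc.version.number;
  if (!number) throw new Error("version.number missing from /api/status body");
  return classify(number);
}

for (const v of ["8.14.3", "8.16.5", "8.16.6", "8.17.0", "8.17.2", "8.17.3", "9.0.0"]) {
  console.log(JSON.stringify(classify(v)));
}
console.log(JSON.stringify(classifyStatusResponse(SAMPLE_STATUS)));
```

The check deliberately treats the upper bounds as exclusive, which is why 8.16.6 comes back as fixed even though it sits numerically inside "8.15.0 to 8.17.0"; a naive lexical comparison of version strings would get 8.16.10-style releases wrong, hence the numeric tuple.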

Vulnerability details

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors.

CWE(s)

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The prototype pollution vulnerability enables RCE on a public-facing Kibana server via a crafted file upload and crafted requests. That directly supports T1190 (exploiting the application) and T1068 (escalating from a low-privilege role such as Viewer to full code execution on the host).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42398 (same product: Elastic Kibana)
CVE-2024-43707 (same product: Elastic Kibana)
CVE-2026-4498 (same product: Elastic Kibana)
CVE-2026-26938 (same product: Elastic Kibana)
CVE-2026-33461 (same product: Elastic Kibana)
CVE-2026-26935 (same product: Elastic Kibana)
CVE-2026-0528 (same product: Elastic Kibana)
CVE-2026-26937 (same product: Elastic Kibana)
CVE-2026-33458 (same product: Elastic Kibana)
CVE-2026-26936 (same product: Elastic Kibana)

Affected Assets

Vendor: elastic
Product: kibana
Affected versions: 8.15.0 up to but excluding 8.16.6; 8.17.0 up to but excluding 8.17.3 (8.16.6 and 8.17.3 contain the fix)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Flaw remediation directly mitigates CVE-2025-25015: apply the Kibana security release (8.17.3, or 8.16.6 for deployments staying on the 8.16 line) to remove the prototype pollution flaw.

AC-6 Least Privilege (prevent)

Least privilege narrows who can reach the vulnerable code path. On 8.17.1 and 8.17.2 that means not granting any single role the full combination of fleet-all, integrations-all and actions:execute-advanced-connectors. On 8.15.0 through 8.17.0 the Viewer role is sufficient, so the control only limits which accounts can authenticate to Kibana at all; it does not substitute for patching.

SI-10 Information Input Validation (prevent)

Input validation on file uploads and HTTP request bodies (rejecting keys such as __proto__, constructor and prototype before parsed objects are merged) blocks the crafted inputs that trigger prototype pollution leading to arbitrary code execution.
