Elastic Stack Security Announcements

Security Announcements – Discuss the Elastic Stack. Topics in the ‘Security Announcements’ category: security announcements for the Elastic Stack.

  • Kibana – Crowdstrike Connector 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-19)
    by ismisepaul on October 6, 2025 at 4:44 pm

    Kibana Insufficiently Protected Credentials in the CrowdStrike Connector (ESA-2025-19)

    Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from an Elastic Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which they have access.

    Affected Versions:
      7.x: All versions prior to and including 7.17.29
      8.x: All versions from 8.14.0 and up to and including 8.18.7
      8.19.x: All versions from 8.19.0 and up to and including 8.19.4
      9.0.x: All versions from 9.0.0 and up to and including 9.0.7
      9.1.x: All versions from 9.1.0 and up to and including 9.1.4

    Affected Configurations:
      Kibana instances using the CrowdStrike Connector

    Solutions and Mitigations:
      The issue is resolved in versions 8.18.8 or 8.19.5 or 9.0.8 or 9.1.5.

    For Users that Cannot Upgrade:
      There are no workarounds.

    Severity: CVSSv3.1: Medium (5.4) CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    CVE ID: CVE-2025-37728

  • Elasticsearch 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-18)
    by ismisepaul on October 6, 2025 at 4:40 pm

    Elasticsearch Insertion of sensitive information in log file (ESA-2025-18)

    Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API.

    Affected Versions:
      7.x: All versions from 7.0.0 and up to and including 7.17.29
      8.x: All versions from 8.0.0 and up to and including 8.18.7
      8.19.x: All versions from 8.19.0 and up to and including 8.19.4
      9.0.x: All versions from 9.0.0 and up to and including 9.0.7
      9.1.x: All versions from 9.1.0 and up to and including 9.1.4

    Affected Configurations:
      This affects deployments where all the below are true:
        Audit logging is enabled (xpack.security.audit.enabled: true)
        Audit logging is configured to contain authentication_success events (xpack.security.audit.logfile.events.include includes authentication_success)
        Audit logging is explicitly configured to capture request bodies (xpack.security.audit.logfile.events.emit_request_body: true). The default value is false.

    Solutions and Mitigations:
      The issue is resolved in version 8.18.8, 8.19.5, 9.0.8, 9.1.5.

    For Users that Cannot Upgrade:
      If the affected configuration is in use:
        Self-hosted: Users can set xpack.security.audit.logfile.events.emit_request_body to false
        Cloud: Users can set xpack.security.audit.logfile.events.emit_request_body to false

    Severity: CVSSv3.1: Medium (5.3) CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    CVE ID: CVE-2025-37727

  • Kibana 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-17)
    by ikakavas on October 6, 2025 at 4:28 pm

    Kibana Stored Cross-Site Scripting (XSS) (ESA-2025-17)

    Improper Validation of Specified Type of Input in Kibana can lead to stored Cross-Site Scripting (XSS).

    Affected Versions:
      7.x: All versions from 7.0.0 and up to and including 7.17.29
      8.x: All versions from 8.0.0 and up to and including 8.18.7
      8.19.x: All versions from 8.19.0 and up to and including 8.19.4
      9.0.x: All versions from 9.0.0 and up to and including 9.0.7
      9.1.x: All versions from 9.1.0 and up to and including 9.1.4

    Affected Configurations:
      A malicious user would need to have a role that includes All permissions under Management for Fleet and Integrations.

    Solutions and Mitigations:
      Users should upgrade to version 8.18.8 or 8.19.5 or 9.0.8 or 9.1.5.

    Severity: CVSSv3.1: High (8.7) CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
    CVE ID: CVE-2025-25018

  • Kibana 8.18.8, 8.19.4, 9.0.7, 9.1.4 Security Update (ESA-2025-16)
    by ikakavas on October 6, 2025 at 4:24 pm

    Kibana Cross-Site Scripting (XSS) (ESA-2025-16)

    Improper Neutralization of Input During Web Page Generation in Vega visualizations in Kibana can lead to Cross-Site Scripting (XSS).

    Affected Versions:
      7.x: All versions from 7.0.0 and up to and including 7.17.29
      8.x: All versions from 8.0.0 and up to and including 8.18.7
      8.19.x: All versions from 8.19.0 and up to and including 8.19.3
      9.0.x: All versions from 9.0.0 and up to and including 9.0.6
      9.1.x: All versions from 9.1.0 and up to and including 9.1.3

    Affected Configurations:
      All Kibana configurations are affected.

    Solutions and Mitigations:
      Users should upgrade to version 8.18.8 or 8.19.4 or 9.0.7 or 9.1.4.

    For Users that Cannot Upgrade:
      If you are unable to upgrade, you can choose to disable Vega visualizations:
        Self-hosted: For on-premise installations, you can set vis_type_vega.enabled: false in the kibana.yml file. Note that this will disable all Vega charts in Kibana.
        Cloud: For Elastic Cloud services deployments, you can reach out to Elastic Support to request that Vega visualizations are disabled in your deployments.

    Severity: CVSSv3.1: 8.2 (High) – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
    CVE ID: CVE-2025-25017

  • Kibana 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-20)
    by ismisepaul on October 6, 2025 at 4:20 pm

    Kibana Cross-Site Scripting (XSS) (ESA-2025-20)

    Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.

    Affected Versions:
      7.x: All versions prior to and including 7.17.29
      8.x: All versions from 8.0.0 up to and including 8.18.7
      8.19.x: All versions from 8.19.0 up to and including 8.19.4
      9.0.x: All versions from 9.0.0 up to and including 9.0.7
      9.1.x: All versions from 9.1.0 up to and including 9.1.4

    Affected Configurations:
      The attacker requires the ability to upload files to Kibana, see https://www.elastic.co/docs/explore-analyze/alerts-cases/cases/manage-cases#add-case-files

    Solutions and Mitigations:
      Users should upgrade to the versions below or later:
        8.18.8
        8.19.5
        9.0.8
        9.1.5

    For Users that Cannot Upgrade:
      Self-hosted & Cloud: For versions >= 7.12 to < 9.0, users can set discover:searchFieldsFromSource: true in Advanced Settings. There are no workarounds for 9.0+.

    Severity: CVSSv3.1: 8.7 (High) – CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
    CVE ID: CVE-2025-25009

  • Enterprise Search 8.18.6, 8.19.3 Security Update (ESA-2025-15) (CVE-2025-54988)
    by ismisepaul on August 28, 2025 at 3:39 pm

    Enterprise Search XML external entity (XXE) injection in Apache Tika (ESA-2025-15)

    On August 20, 2025, CVE-2025-54988 in the Apache Tika PDF parser module was announced, disclosing an XML External Entity injection flaw in the Apache Tika tika-parser-pdf-module. This vulnerability allows an attacker to provide a crafted XFA file within a PDF, read sensitive data, or trigger malicious requests to internal resources or third-party servers.

    This issue affects Enterprise Search; however, the severity is reduced from critical to high due to the attacker requiring authentication. Threat actors can trigger the Apache Tika XXE vulnerability in Enterprise Search by providing a malformed PDF to be ingested, which can trigger unauthorized requests to internal resources or third-party servers, or could be used to read sensitive data.

    Affected Versions:
      8.0.0 up to and including 8.19.2

    Affected Configurations:
      Only Workplace Search is affected. App Search and Elastic Crawler users are not affected.

    Solutions and Mitigations:
      Users should upgrade to version 8.18.6, 8.19.3.

    Severity: CVSSv3.1: 8.8 (High) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MPR:L
    CVE ID: CVE-2025-54988

  • Elasticsearch 8.18.6, 8.19.3, 9.0.6, and 9.1.3 Security Update (ESA-2025-14) (CVE-2025-54988)
    by ismisepaul on August 28, 2025 at 3:38 pm

    Elasticsearch XML external entity (XXE) injection in Apache Tika (ESA-2025-14)

    On August 20, 2025, CVE-2025-54988 in the Apache Tika PDF parser module was announced, disclosing an XML External Entity injection flaw in the Apache Tika tika-parser-pdf-module. This vulnerability allows an attacker to provide a crafted XFA file within a PDF, read sensitive data, or trigger malicious requests to internal resources or third-party servers.

    This issue affects Elasticsearch; however, the severity is reduced from critical to high due to the attacker requiring authentication. Threat actors can trigger the Apache Tika XXE vulnerability in Elasticsearch by providing a malformed PDF to the ingest attachment processor, which can trigger unauthorized requests to internal resources or third-party servers, or could be used to read sensitive data.

    Affected Versions:
      8.18.0 up to and including 8.18.5, 8.19.0 up to and including 8.19.2, 9.0.0 up to and including 9.0.5, 9.1.0 up to and including 9.1.2

    Affected Configurations:
      Elasticsearch is affected by this only when using the ingest attachment processor. For versions of Elasticsearch that use the Java Security Manager, which include 8.17.8 and below, the risk is mitigated as the Java Security Manager prevents the exploitation of the vulnerability.

    Solutions and Mitigations:
      Users should upgrade to version 8.18.6, 8.19.3, 9.0.6, and 9.1.3.

    For Users that Cannot Upgrade:
      We strongly recommend users to upgrade. The following workarounds will mitigate the security issue but can have a serious impact on data ingestion.

      Users that cannot upgrade could delete any ingest pipelines that call the “attachment” processor and handle untrusted PDF files. Note that this can cause ingest to fail or will produce data that has bypassed any enrichment or transformation logic that existed in the deleted pipelines.
        Find all pipelines that have an attachment processor with the Get Ingest Pipelines API: GET _ingest/pipeline
        This will return all pipelines in the system, with the key of each top-level object being the pipeline name. Look for any processors in the result that are labeled “attachment”, and record the pipeline name.
        Attempt to delete each of those pipelines with the Delete Ingest Pipeline API: DELETE _ingest/pipeline/pipeline1
        Note that built-in pipelines, like search-default-ingestion, cannot be deleted. Calling the Delete Ingest Pipeline API will report success but the pipeline will be immediately recreated. Also, attempts to delete some pipelines will fail with an “illegal_argument_exception” because those pipelines are configured to be the default or final pipeline of an index.

      An alternative is to delete the ingest attachment module on each Elasticsearch server, with the impact of any pipeline that uses the attachment processor failing. This means that any pipelines that transform data from various formats like Word, Excel, or PDF files would fail. Customers would not be able to ingest this data. Attempts to do so would get an HTTP response with status code “500”, and a root cause type of illegal_state_exception. This workaround can only be applied on Self-Hosted Elasticsearch Clusters.
        On each Elasticsearch node in a cluster, change to the Elasticsearch installation’s top-level directory
        Delete the ingest attachment module by calling “rm -Rf modules/ingest-attachment”
        Restart the Elasticsearch server

    Severity: CVSSv3.1: 8.8 (High) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MPR:L
    CVE ID: CVE-2025-54988
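The pipeline inventory step of the workaround above, as an added example that is not part of the advisory or Elastic's own code: a Python scan over the JSON returned by GET _ingest/pipeline, plus a check of GET _all/_settings for the default/final-pipeline bindings the advisory says make deletion fail. Both API responses are constructed samples, and the scan also follows attachment processors nested inside foreach processors and on_failure handlers, which a look at top-level processors alone would miss.

```python
"""Inventory ingest pipelines that call the "attachment" processor, as in the
ESA-2025-14 workaround, and flag those bound to an index as default_pipeline or
final_pipeline (which the advisory notes cannot be deleted as-is).

Added example, not Elastic's code. Both API responses below are constructed
samples; feed the real output of GET _ingest/pipeline and GET _all/_settings.
"""
import json
from typing import Any, Dict, Iterable, List

# Constructed sample of a GET _ingest/pipeline response.
PIPELINES_RESPONSE: Dict[str, Any] = json.loads(r"""{
  "pdf-ingest": {
    "description": "extract text from uploaded PDFs",
    "processors": [
      {"attachment": {"field": "data", "target_field": "content"}},
      {"remove": {"field": "data"}}
    ]
  },
  "bulk-docs": {
    "processors": [
      {"foreach": {"field": "files",
                   "processor": {"attachment": {"field": "_ingest._value.data"}}}}
    ]
  },
  "logs-plain": {
    "processors": [
      {"set": {"field": "ingested", "value": true}},
      {"grok": {"field": "message", "patterns": ["%{COMMONAPACHELOG}"],
                "on_failure": [{"attachment": {"field": "message"}}]}}
    ]
  },
  "search-default-ingestion": {
    "processors": [{"set": {"field": "_source.seen", "value": true}}]
  }
}""")

# Constructed sample of GET _all/_settings, trimmed to the relevant keys.
INDEX_SETTINGS_RESPONSE: Dict[str, Any] = json.loads(r"""{
  "documents": {"settings": {"index": {"default_pipeline": "pdf-ingest"}}},
  "archive":   {"settings": {"index": {"final_pipeline": "bulk-docs",
                                       "number_of_shards": "1"}}},
  "weblogs":   {"settings": {"index": {"number_of_shards": "1"}}}
}""")


def _uses_processor(processors: Iterable[Dict[str, Any]], name: str) -> bool:
    """True if any processor in the list is of type `name`, looking inside a
    foreach processor's nested `processor` and inside per-processor
    `on_failure` handlers, which are themselves processor lists."""
    for proc in processors:
        for ptype, body in proc.items():
            if ptype == name:
                return True
            if not isinstance(body, dict):
                continue
            nested = body.get("processor")
            if ptype == "foreach" and isinstance(nested, dict):
                if _uses_processor([nested], name):
                    return True
            handlers = body.get("on_failure")
            if isinstance(handlers, list) and _uses_processor(handlers, name):
                return True
    return False


def find_attachment_pipelines(pipelines: Dict[str, Any]) -> List[str]:
    """Sorted names of pipelines that call the attachment processor anywhere,
    including in the pipeline-level on_failure list."""
    hits = []
    for name, definition in pipelines.items():
        procs = list(definition.get("processors", [])) + list(definition.get("on_failure", []))
        if _uses_processor(procs, "attachment"):
            hits.append(name)
    return sorted(hits)


def pipelines_bound_to_indices(settings: Dict[str, Any],
                               candidates: Iterable[str]) -> Dict[str, List[str]]:
    """Map each candidate pipeline to the indices naming it as
    index.default_pipeline or index.final_pipeline."""
    wanted = set(candidates)
    bound: Dict[str, List[str]] = {}
    for index, cfg in settings.items():
        idx = cfg.get("settings", {}).get("index", {})
        for key in ("default_pipeline", "final_pipeline"):
            pipe = idx.get(key)
            if pipe in wanted:
                bound.setdefault(pipe, []).append(f"{index} ({key})")
    return bound


if __name__ == "__main__":
    hits = find_attachment_pipelines(PIPELINES_RESPONSE)
    print("pipelines calling the attachment processor:", hits)
    for pipe, refs in pipelines_bound_to_indices(INDEX_SETTINGS_RESPONSE, hits).items():
        print(f"  {pipe}: unbind from {', '.join(refs)} before DELETE _ingest/pipeline/{pipe}")
```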

  • Kibana 9.0.6, 9.1.3 Security Update (ESA-2025-13)
    by ismisepaul on August 28, 2025 at 3:35 pm

    Kibana privilege escalation via reporting_user role (ESA-2025-13)

    Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces.

    Affected Versions:
      Kibana versions starting from and including 9.0.0, up to and including 9.0.5; and versions from and including 9.1.0 up to and including 9.1.2.

    Affected Configurations:
      This issue affects deployments which assign the built-in reporting_user role to end users. This role is not assigned to users by default.

      The reporting_user role in affected versions incorrectly grants users the ability to access all Kibana Spaces, with the following privileges:
        Read access to Discover, including the ability to generate reports.
        Read access to Dashboards, including the ability to generate reports.
        Read access to the Visualization Library, including the ability to generate reports.
        Read access to Canvas, including the ability to generate reports.

      The reporting_user role in versions prior to 9.0 did not grant access to any Kibana Spaces; it only granted reporting functionality within the Spaces users were already authorized to access.

      Important: This vulnerability does not violate configured index privileges. Users with the reporting_user role assigned will not have access to any additional user documents or indices. They will be able to access the aforementioned Kibana assets, but not the data within, unless their existing index privileges would otherwise grant access.

    Solutions and Mitigations:
      The issue is resolved in version 9.0.6 and 9.1.3. Note that versions prior to 9.0.0 are not affected.

      Any API Keys created by users with the reporting_user role in the affected versions will continue to have elevated privileges. Ensure these API Keys are invalidated to prevent unauthorized access to additional Spaces.

    For Users that Cannot Upgrade:
      Administrators should revoke the reporting_user role from their end users, and instead grant access to reporting functionality via custom roles which grant the appropriate access to reporting.

    Severity: CVSSv3.1: 6.5 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    CVE ID: CVE-2025-25010

  • Elastic Response to Blog ‘EDR 0-Day Vulnerability’
    by Levine on August 18, 2025 at 2:09 am

    Updated: August 29, 2025

    Elastic has been directly engaging with the independent researcher. After evaluating additional information provided by the researcher, our original assessment still stands. To confirm we are responsibly assessing this report and providing an unbiased perspective, we are engaging a neutral third-party to review the finding. For users of Elastic Defend, no action is required.

    On August 23rd, Elastic received additional data from the original researcher in the form of crash dumps and a proof of concept (PoC) involving an executable and a kernel driver. Since then, Elastic has been directly engaging with the researcher. The crash dumps were caused by a known stability issue in the 8.17.0 Elastic Defend driver which was first reported by a customer in April. We take such reports seriously, so we released a fix a week later in versions 8.17.6, 8.18.1, and 9.0.1 on May 6th, one month before the researcher’s initial bug report. A description of the bug is available in our release notes (IRQL_NOT_LESS_OR_EQUAL bugcheck). While primarily observed in the presence of Trellix, the bug could be reached through other third-party software or conditions.

    The PoC does not reproduce the bug detailed above nor does it demonstrate any new security bugs or vulnerabilities as stated in the researcher’s updated blog. Rather, it leverages administrator rights to enable test signing, reboot the system, then load a custom unsigned kernel driver. The driver unsuccessfully attempts to modify a non-writable region of our kernel driver’s memory at offset 0x120DD using the ExAcquireFastMutex function. Memory page protections block this attempt, resulting in a BSOD/bugcheck with a separate ATTEMPTED_WRITE_TO_READONLY_MEMORY error code. Because the non-writable address resides within our kernel driver’s memory range, the resulting blue screen unfortunately names our driver. With administrator rights being used to load a custom unsigned kernel driver, this approach can be used to target any driver on the system. In summary, the crash resulting from the researcher’s kernel driver PoC was due to a bug in the PoC code, and was unrelated to Elastic Defend.

    As with all software, we recommend users stay up to date with release notes and apply updates when they are available. We also recommend users practice least-privilege principles to minimize the prevalence of unnecessary administrator rights and to enable standard mitigations like Secure Boot and Hypervisor-Protected Code Integrity (HVCI). For users of Elastic Defend, no further action is required. To confirm we are responsibly assessing this report and providing an unbiased perspective, we are engaging a neutral third-party to review the finding. Elastic will continue to investigate any new reports received and provide updates should we discover any valid security issues.

    Updated: August 19, 2025

    Elastic has reviewed additional evidence shared in a blog post on August 19th. Our prior assessment stands. For users of Elastic Defend, no action is required.

    On August 16, 2025, Elastic’s Information Security team became aware of a blog and social media posts suggesting an alleged vulnerability in Elastic Defend. Having conducted a thorough investigation, Elastic’s Security Engineering team has found no evidence supporting the claims of a vulnerability that bypasses EDR monitoring and enables remote code execution. While the researcher claims to be able to trigger a crash/BSOD in the Elastic Endpoint driver from an unprivileged process, the only demonstration they have provided does so from another kernel driver. Elastic will continue to investigate and will provide updates for our customers and community, should we discover any valid security issues.

    We request that any detailed information that demonstrates the ability to crash the driver from an unprivileged process be shared with us at security@elastic.co.

    Background

    Elastic values its partnership with the security community. We lead a mature and proactive bug bounty program, launched in 2017, which has awarded over $600,000 in bounty payments. The security researcher making the claim submitted multiple reports to Elastic claiming Remote Code Execution (RCE) and behavior rules bypass for Elastic EDR. The reports lacked evidence of reproducible exploits. Elastic Security Engineering and our bug bounty triage team completed a thorough analysis trying to reproduce these reports and were unable to do so. Researchers are required to share reproducible proof-of-concepts; however, they declined. By not sharing full details and publicly posting, the conduct of this security researcher is contrary to the principles of coordinated disclosure.

    The Elastic Secure Software Development Framework (SSDF) ensures Elastic software is developed securely to minimize the security risks to our customers, Elastic Products, and our software supply chain. The framework is aligned with best practices for secure software development, including NIST SSDF, OWASP SAMM, and BSIMM. Our product security testing program requirements include in-house and third-party testing for Software Composition Analysis (SCA), Static Secure Code Analysis (SAST), Dynamic Application Security Testing (DAST), Third-party Pentesting, Red Team Adversarial Attack Simulation, and other tests.

    Elastic implements procedures to receive, analyze, respond to, and remediate vulnerabilities disclosed to us from all sources. Vulnerability impact assessments are performed to review and validate security findings, determine if Elastic products are affected, rate the severity, and perform remediation in accordance with the impact. For issues that have a significant security impact on Elastic products, an Elastic Security Advisory (ESA) is published to notify our users of the issue and remediations. As a CNA, Elastic assigns both a CVE and an ESA identifier to each advisory. Advisories are announced in the Security Announcements forum and published to Mitre/NVD.

  • Beats (Windows Installer) 8.18.6, 8.19.3, 9.0.6, & 9.1.0 Security Update (ESA-2025-12)
    by Bryan_Garcia on July 29, 2025 at 11:32 pm

    Beats Uncontrolled Search Path Element can lead to Local Privilege Escalation (LPE) when using the Windows Installer (ESA-2025-12)

    An uncontrolled search path element vulnerability can lead to local privilege escalation (LPE) via insecure directory permissions. The vulnerability arises from improper handling of directory permissions. An attacker with local access may exploit this flaw to move and delete arbitrary files, potentially gaining SYSTEM privileges.

    Affected Versions:
      Beats up to and including 8.18.5, from version 8.19.0 up to and including 8.19.2, from version 9.0.0 up to and including 9.0.5.

    Affected Configurations:
      The issue only affects Beats when installed through the install-service script for Windows, for example when installing Filebeat using .\install-service-filebeat.ps1.
      Note: Elastic Agent is NOT affected because the Beats are installed in a different path, C:\Program Files\Elastic\Agent

    Solutions and Mitigations:
      The issue is resolved in version 9.1.0. A maintenance release will be made available for versions 8.18.6, 8.19.3, and 9.0.6.

    For Users that Cannot Upgrade:
      To resolve the issue for users that cannot upgrade, Beats can be uninstalled and re-installed using the install script from a patched version.
      Note: Beats keeps its state in the data path. When re-installing Beats, users need to make sure they have permissions to move the Beats data folder to the new location in C:\Program Files. The new installation script will move the data folder. In the event the script fails, the user will need to manually copy the data folder – this is likely due to a permission error.

      Step-by-step using Filebeat as an example:
        Download the latest Filebeat (e.g. 9.1.1)
        Start a PowerShell as administrator
        Stop the Filebeat service: stop-service filebeat
        Extract the downloaded filebeat: Expand-Archive .\filebeat-9.1.1-windows-x86_64.zip
        Copy the install script onto the current Filebeat installation: cp .\filebeat-9.1.1-windows-x86_64\filebeat-9.1.1-windows-x86_64\install-service-filebeat.ps1 'C:\Program Files\Filebeat\install-service-filebeat.ps1'
        Uninstall the Windows service: .\uninstall-service-filebeat.ps1
        Re-install using the new script: 'C:\Program Files\Filebeat\install-service-filebeat.ps1'

    Severity: CVSSv3.1: 7.0 (High) – CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVE ID: CVE-2025-25011

    Change log
      2025-08-21:
        Updated “Affected Versions” to coincide with the maintenance releases
        Updated wording on the “Affected Configurations” to clearly state this is caused by the Windows install script
        Stated that Elastic Agent is not affected
        Updated “Solutions and Mitigations” to include the maintenance release versions
        Added section “For Users that Cannot Upgrade” with guidance on how to use the patched install script with an older version of the product

  • APM Server (Windows Installer) 8.16.3, 8.17.1 Security Update (ESA-2025-01)
    by Bryan_Garcia on July 29, 2025 at 11:30 pm

    APM Server Uncontrolled Search Path Element can lead to Local Privilege Escalation (LPE) when using the Windows Installer (ESA-2025-01)

    An uncontrolled search path element vulnerability can lead to local privilege escalation (LPE) via insecure directory permissions. The vulnerability arises from improper handling of directory permissions. An attacker with local access may exploit this flaw to move and delete arbitrary files, potentially gaining SYSTEM privileges.

    Affected Versions:
      APM Server versions up to and including 8.16.2, and up to and including 8.17.0.

    Affected Configurations:
      The issue only affects APM Server when installed through the install-service script for Windows.

    Solutions and Mitigations:
      The issue is resolved in version 8.16.3 and 8.17.1.

    Severity: CVSSv3.1: 7.0 (High) – CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVE ID: CVE-2025-0712

    Change log
      2025-08-21:
        Updated wording on the “Affected Configurations” to clearly state this is caused by the Windows install script.

  • Kibana 7.17.29, 8.17.8, 8.18.3, 9.0.3 Security Update (ESA-2025-10)
    by ismisepaul on June 24, 2025 at 5:01 pm

    Kibana Open Redirect (ESA-2025-10)

    URL redirection to an untrusted site (‘Open Redirect’) in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.

    Affected Versions:
      Kibana versions up to and including 7.17.28, 8.0.0 up to and including 8.17.7, 8.18.0 up to and including 8.18.2, and 9.0.0 up to and including 9.0.2

    Affected Configurations:
      Kibana installations making use of Short URLs within the Discover, Dashboard, and Visualization Library features.

    Solutions and Mitigations:
      The issue is resolved in version 7.17.29, 8.17.8, or 8.18.3, or 9.0.3.

    For Users that Cannot Upgrade:
      Self-hosted
        Installations with a Basic license should have administrators restrict access to Kibana features which grant the ability to generate Short URLs:
          Dashboard => All
          Discover => All
          Visualize => All
          Saved Objects Management => All
          Top-level “All” privilege granted to one or more spaces
        Installations with a Gold, Platinum, or Enterprise license can restrict access to short-url creation via sub-feature privileges within the Dashboard, Discover, and Visualize features above. This will allow administrators to continue allowing read/write access to the aforementioned features, but restrict the ability to generate Short URLs.
      Cloud
        Administrators should restrict access to Kibana features which grant the ability to generate Short URLs:
          Dashboard => All
          Discover => All
          Visualize => All
          Saved Objects Management => All
          Top-level “All” privilege granted to one or more spaces
        Administrators can optionally restrict access to short-url creation via sub-feature privileges within the Dashboard, Discover, and Visualize features above. This will permit read/write access to the aforementioned features, but restrict the ability to generate Short URLs.

    Severity: CVSSv3.1: 4.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    CVE ID: CVE-2025-25012

  • Kibana 7.17.29, 8.17.8, 8.18.3, 9.0.3 Security Update (ESA-2025-09)
    by ismisepaul on June 24, 2025 at 5:00 pm

    Kibana Heap Corruption via Crafted HTML Page due to Chromium Type Confusion (ESA-2025-09)

    On March 10, 2025, Google announced CVE-2025-2135, which can lead to heap corruption via a crafted HTML page through a Type Confusion vulnerability.

    Affected Versions:
      Kibana versions up to and including 7.17.28, 8.0.0 up to and including 8.17.7, 8.18.0 up to and including 8.18.2, and 9.0.0 up to and including 9.0.2

    Affected Configurations:
      Self-hosted and Elastic Cloud Kibana instances where PDF or PNG reporting is used. CSV reporting is not impacted. Serverless projects are not impacted.

    Solutions and Mitigations:
      Users should upgrade to version 7.17.29, 8.17.8, or 8.18.3, or 9.0.3.

    For Users that Cannot Upgrade:
      Self-hosted
        Disable Reporting: The Reporting feature can be disabled by adding xpack.reporting.enabled: false to the kibana.yml file.
        OR
        Limit access to users who can generate PDF/PNG reports to trusted accounts:
          8.x: https://www.elastic.co/guide/en/kibana/8.18/reporting-settings-kb.html#reporting-advanced-settings
          9.x: https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access
        OR
        Configure reporting with a restrictive network policy, to prevent unauthorized redirection to an attacker-controlled site. Note: if a network policy is configured, then you must include a rule which allows Chromium to connect to Kibana for report generation to succeed. Typically, Chromium will connect to Kibana on a local interface, but this may be different based on the environment and your specific headless browser connection settings.
          # kibana.yml
          xpack.screenshotting.networkPolicy:
            rules: [ { allow: true, host: "localhost:5601" } ]
      Cloud
        On Elastic Cloud the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles. With these counter-measures the risk is reduced.
        Users who cannot upgrade can choose to take a precautionary measure by disabling the Reporting feature for Elastic Cloud deployments. This can be achieved by modifying the Kibana user settings to include the following configuration:
          xpack.reporting.enabled: false
        Instructions for editing Kibana user settings on Elastic Cloud are available at https://www.elastic.co/docs/deploy-manage/deploy/elastic-cloud/edit-stack-settings#kibana-settings
        OR
        Limit access to users who can generate PDF/PNG reports to trusted accounts:
          a. 8.x: https://www.elastic.co/guide/en/kibana/8.18/reporting-settings-kb.html#reporting-advanced-settings
          b. 9.x: https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access

    Severity: CVSSv3.1: 9.9 (Critical) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    CVE ID: CVE-2025-2135

  • Kibana 8.12.1 Security Update (ESA-2024-21)
    by rodrigo_silva on June 10, 2025 at 4:48 pm

    Kibana Improper Authorization (ESA-2024-21)

    Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint.

    Affected Versions:
      Kibana versions before and including 8.12.0.

    Solutions and Mitigations:
      The issue is resolved in version 8.12.1.

    For Users that Cannot Upgrade:
      Self-hosted: Users with a self-hosted deployment who cannot upgrade can disable the synthetics app OR put a block on synthetics indices.
        Disable the synthetics app by adding xpack.uptime.enabled: false to their kibana.yml file
        Put an index block on the synthetics-* indices to make them read-only
      Elastic Cloud: Users on an Elastic Cloud deployment who cannot upgrade can put a block on synthetics indices.
        Put an index block on the synthetics-* indices to make them read-only

    Severity: High (7.6) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/CR:M/IR:M/AR:M
    CVE ID: CVE-2024-43706

  • Logstash 8.17.6, 8.18.1, and 9.0.1 Security Update (ESA-2025-08)
    by ismisepaul on May 6, 2025 at 4:33 pm

    Logstash Improper Certificate Validation in TCP output (ESA-2025-08)

    Improper certificate validation in Logstash’s TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when ssl_verification_mode => full was set.

    Affected Versions:
      All versions prior to 8.17.6, as well as version 8.18.0 and version 9.0.0.

    Affected Configurations:
      This issue affects the TCP output plugin when run in “client” mode and ssl_verification_mode is set to full (the default).

    Solutions and Mitigations:
      The issue is resolved in version 8.17.6, 8.18.1, and 9.0.1. Alternatively, users may also upgrade the TCP output plugin to 6.2.2 or 7.0.1 by running bin/logstash-plugin update logstash-output-tcp.

    Severity: CVSSv3.1: 5.9 (Medium) – CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
    CVE ID: CVE-2025-37730

  • Kibana 8.17.6, 8.18.1, or 9.0.1 Security Update (ESA-2025-07)
    by ismisepaul on May 6, 2025 at 4:29 pm

    Kibana arbitrary code execution via prototype pollution (ESA-2025-07)

    A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.

    Affected Versions:
      8.3.0 to 8.17.5, and 8.18.0, and 9.0.0

    Affected Configurations:
      Self-hosted and Elastic Cloud deployments with both Kibana’s Machine Learning and Reporting features enabled.

    Solutions and Mitigations:
      Users should upgrade to version 8.17.6, 8.18.1, or 9.0.1.

    For Users that Cannot Upgrade:
      Self-hosted
        Users with a self-hosted deployment who cannot upgrade should disable either Machine Learning OR Reporting.
        Disable Machine Learning: The Machine Learning feature can be disabled by adding xpack.ml.enabled: false to the elasticsearch.yml file. Alternatively, users can disable just the anomaly detection feature by adding xpack.ml.ad.enabled: false to the kibana.yml file.
        OR
        Disable Reporting: The Reporting feature can be disabled by adding xpack.reporting.enabled: false to the kibana.yml file.
      Elastic Cloud
        On Elastic Cloud the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles. With these counter-measures the risk is reduced.
        Users who cannot upgrade can choose to take a further measure by disabling the “Reporting” feature for Elastic Cloud deployments. This can be achieved by modifying the Kibana user settings to include the following configuration:
          xpack.reporting.enabled: false
        Instructions for editing Kibana user settings on Elastic Cloud are available at https://www.elastic.co/docs/deploy-manage/deploy/elastic-cloud/edit-stack-settings#kibana-settings

    Severity: CVSSv3.1: 9.1 (Critical) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    CVE ID: CVE-2025-25014

    Changes
      2025-05-14: Created separate sections for self-hosted and Elastic Cloud under the section “For Users that Cannot Upgrade:”. Clarification on what counter-measures are in place for Elastic Cloud hosted deployments and made clear what configuration changes can be achieved based on deployment.
      2025-05-08: Previously the document stated that xpack.ml.enabled: false is set in the kibana.yml file; however, this should have read elasticsearch.yml. The document has been updated accordingly.

  • Kibana 7.17.24 and 8.12.0 Security Update (ESA-2024-20)
    by ismisepaul on May 1, 2025 at 11:34 am

    Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS (ESA-2024-20)
    Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.
    Affected Versions: 7.17.6 up to and including 7.17.23 and 8.4.0 up to and including 8.11.4
    Solutions and Mitigations: The issue is resolved in Kibana 7.17.24 and 8.12.0
    Severity: CVSSv3: 5.4 (Medium) – CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    CVE ID: CVE-2024-11390

  • Kibana 7.17.19 and 8.13.0 Security Update (ESA-2024-47)
    by ismisepaul on May 1, 2025 at 10:15 am

    Kibana Unrestricted Upload of File (ESA-2024-47)
    Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation.
    Affected Versions: 7.17.0 to 7.17.18 and 8.0.0 to 8.12.3
    Solutions and Mitigations: The issue is resolved in version 7.17.19 or higher, and 8.13.0 or higher.
    Severity: CVSSv3.1: 4.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    CVE ID: CVE-2025-25016

  • APM Server 8.16.1 Security Update (ESA-2024-41)
    by ismisepaul on May 1, 2025 at 10:14 am

    APM Server Insertion of Sensitive Information into Log File (ESA-2024-41)
    APM Server logs could contain parts of the document body from a partially failed bulk index request. Depending on the nature of the document, this could disclose sensitive information in APM Server error logs.
    Affected Versions: APM Server versions > 8.0.0 and < 8.16.1
    Solutions and Mitigations: The issue is resolved in version 8.16.1
    Severity: CVSSv3: 5.7 (Medium) – AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    CVE ID: CVE-2024-11994

  • Elasticsearch 7.17.25 and 8.16.0 Security Update (ESA-2024-40)
    by ismisepaul on May 1, 2025 at 10:13 am

    Elasticsearch Uncontrolled Resource Consumption vulnerability (ESA-2024-40)
    Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash.
    Affected Versions: Elasticsearch versions < 7.17.25 and Elasticsearch versions < 8.16.0
    Solutions and Mitigations: The issue is resolved in versions 7.17.25 and 8.16.0
    Severity: CVSSv3.1: 6.5 (Medium) – AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2024-52979

  • Elastic Agent 7.17.25 and 8.15.4 Security Update (ESA-2024-39)
    by ismisepaul on May 1, 2025 at 10:11 am

    Elastic Agent Inclusion of Functionality from Untrusted Control Sphere (ESA-2024-39)
    Inclusion of functionality from an untrusted control sphere in the Elastic Agent subprocess, osqueryd, allows local attackers to execute arbitrary code via parameter injection. An attacker requires local access and the ability to modify osqueryd configurations.
    Affected Versions: Elastic Agent <= 7.17.24 and Elastic Agent <= 8.15.3
    Solutions and Mitigations: The issue is resolved in version 7.17.25 and 8.15.4 or greater.
    Severity: CVSSv3.1: 4.4 (Medium) – CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
    CVE ID: CVE-2024-52976

  • Logstash 8.15.3 Security Update (ESA-2024-38)
    by ismisepaul on May 1, 2025 at 10:10 am

    Logstash affected by CVE-2024-47561 in Apache Avro (ESA-2024-38)
    On October 3, 2024, CVE-2024-47561 was published, which can lead to execution of arbitrary code. The issue only affects users using the Kafka integration plugin and only if a malicious schema is loaded through the schema registry. Additionally, both the Kafka input and output plugins are also vulnerable if a user created Serializer/Deserializer classes that take an Avro Schema.
    Affected Versions: <= 8.15.2
    Solutions and Mitigations: Users should upgrade to Logstash version 8.15.3 where Apache Avro has been updated to version 11.5.2.
    For Users that Cannot Upgrade: Users can manually upgrade the logstash-integration-kafka plugin to 11.5.2
    Severity: CVSSv3.1: 7.2 (High) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    CVE ID: CVE-2024-47561

  • Elastic Agent / Elastic Endpoint Security Security Update (ESA-2025-03)
    by ismisepaul on May 1, 2025 at 10:06 am

    Elastic Agent / Elastic Endpoint Security local API key disclosure (ESA-2025-03)
    Exposure of sensitive information to local unauthorized actors in Elastic Agent and Elastic Security Endpoint can lead to loss of confidentiality and impersonation of Endpoint to the Elastic Stack. This issue was identified by Elastic engineers and Elastic has no indication that it is known or has been exploited by malicious actors.
    Affected Versions: Elastic Agent and Elastic Endpoint Security versions < 8.15.0
    Solutions and Mitigations: The issue is resolved in version 8.15.0.
    Severity: CVSSv3.1: 6.2 (Medium) – AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    CVE ID: CVE-2023-46669

  • Elasticsearch 7.17.24 and 8.15.1 Security Update (ESA-2024-37)
    by Bryan_Garcia on April 8, 2025 at 4:00 pm

    Elasticsearch Uncontrolled Resource Consumption vulnerability (ESA-2024-37)
    An issue was discovered in Elasticsearch, where a large recursion using the Well-Known Text formatted string with nested GeometryCollection objects could cause a stack overflow.
    Affected Versions: Elasticsearch versions 7.17.0 to 7.17.23 and 8.0 to 8.15.0.
    Solutions and Mitigations: Users should upgrade to version 7.17.24 or higher, or version 8.15.1 or higher.
    Severity: CVSS v3.1: 4.9 (Medium) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/CR:M/IR:M/AR:M
    CVE ID: CVE-2024-52981
    2025-04-25 Update: added version 7.17.24 to solutions and mitigations

  • Kibana 7.17.23 and 8.15.1 Security Update (ESA-2024-36)
    by Bryan_Garcia on April 8, 2025 at 3:59 pm

    Kibana Uncontrolled Resource Consumption vulnerability (ESA-2024-36)
    An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them.
    Affected Versions: Kibana versions 7.17.0 to 7.17.22 and versions 8.0.0 to 8.15.0.
    Solutions and Mitigations: Users should upgrade to version 8.15.1 or higher.
    Severity: CVSS v3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2024-52974
