Security update: Critical code-execution vulnerability threatens Kibana

The Kibana developers have closed a critical security vulnerability in the analysis platform.


If attackers successfully exploit a vulnerability in Kibana, they can infect systems with malicious code. However, attacks only work under certain preconditions. A patched version is available for download.

As the developers explain in a product announcement, versions >= 8.15.0 and < 8.17.1 can only be attacked by users who hold the viewer role. To attack versions 8.17.1 and 8.17.2, attackers need a role with these privileges: fleet-all, integrations-all, actions:execute-advanced-connectors.

If these conditions are met, attackers can execute malicious code on systems by uploading a prepared file and sending manipulated HTTP requests. After that, the affected computers are usually completely compromised. This is why the vulnerability (CVE-2025-25012) is classified as "critical". With a CVSS 3.1 score of 9.9 out of 10, the vulnerability just misses the top rating.

The developers state that version 8.17.3 is protected against the described attack. Admins who are unable to install the update immediately should protect their installations with a workaround. To do so, they must set the following value in the Kibana configuration: xpack.integration_assistant.enabled: false.
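As an added example (not from the Kibana developers or the original article), the version ranges, privilege preconditions and workaround described above can be turned into a triage check for one instance. It assumes the setting appears in kibana.yml in the flat dotted form quoted above and that the three listed privileges are needed together; the function names and sample config are constructed.

```python
import re

REQUIRED_PRIVS = {"fleet-all", "integrations-all",
                  "actions:execute-advanced-connectors"}
WORKAROUND_KEY = "xpack.integration_assistant.enabled"

def parse_version(text):
    """Turn '8.17.2' into (8, 17, 2); reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def workaround_applied(kibana_yml):
    """True if the flat dotted key from the article is set to false."""
    for line in kibana_yml.splitlines():
        line = line.split("#", 1)[0].strip()      # drop YAML comments
        key, sep, value = line.partition(":")
        if sep and key.strip() == WORKAROUND_KEY:
            return value.strip().strip("'\"").lower() == "false"
    return False                                   # key absent: not applied

def assess(version, kibana_yml, role_privileges=()):
    """Return (status, reason) for one Kibana instance."""
    v = parse_version(version)
    if v < (8, 15, 0) or v >= (8, 17, 3):
        return "not_affected", "version outside the range named in the article"
    if workaround_applied(kibana_yml):
        return "mitigated", f"{WORKAROUND_KEY} is false; still update to 8.17.3"
    if v < (8, 17, 1):
        return "exposed", "any account with the viewer role meets the precondition"
    if REQUIRED_PRIVS <= set(role_privileges):
        return "exposed", "a role holds all three listed privileges"
    return "conditionally_exposed", "no checked role holds the listed privileges"

if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real system.
    sample_yml = "server.port: 5601\nxpack.integration_assistant.enabled: false\n"
    print(assess("8.16.4", sample_yml))
    print(assess("8.17.2", "", ["fleet-all", "integrations-all"]))
```

Run it once per role defined on the instance; a "mitigated" or "conditionally_exposed" result still calls for the update to 8.17.3.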

So far, there have been no reports of attackers exploiting the vulnerability. However, admins should not take the danger lightly and should address the security problem promptly. Unfortunately, the warning message gives no information on which indicators of compromise (IoC) admins can use to recognize systems that have already been attacked.

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.