Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution

The Hacker News by The Hacker News
March 6, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Mar 06, 2025Ravie LakshmananData Security / Software Security

Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution.

The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution.

“Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests,” the company said in an advisory released Wednesday.

Prototype pollution vulnerability is a security flaw that allows attackers to manipulate an application’s JavaScript objects and properties, potentially leading to unauthorized data access, privilege escalation, denial-of-service, or remote code execution.

The vulnerability affects all versions of Kibana between 8.15.0 and 8.17.3. It has been addressed in version 8.17.3.

Cybersecurity

That said, in Kibana versions from 8.15.0 and prior to 8.17.1, the vulnerability is exploitable only by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, it can only be exploited by users that have all the below-mentioned privileges –

  • fleet-all
  • integrations-all
  • actions:execute-advanced-connectors

Users are advised to take steps to apply the latest fixes to safeguard against potential threats. In the event immediate patching is not an option, users are recommended to set the Integration Assistant feature flag to false (“xpack.integration_assistant.enabled: false”) in Kibana’s configuration (“kibana.yml”).

In August 2024, Elastic addressed another critical prototype pollution flaw in Kibana (CVE-2024-37287, CVSS score: 9.9) that could lead to code execution. A month later, it resolved two severe deserialization bugs (CVE-2024-37288, CVSS score: 9.9 and CVE-2024-37285, CVSS score: 9.1) that could also permit arbitrary code execution.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Stocks making the biggest moves premarket: Marvell Technology, MongoDB, Macy’s, Alibaba and more

Stocks making the biggest moves premarket: Marvell Technology, MongoDB, Macy's, Alibaba and more

Recommended.

HUAWEI eKit представляет более 20 передовых продуктов для цифровой и интеллектуальной трансформации малого и среднего бизнеса

HUAWEI eKit представляет более 20 передовых продуктов для цифровой и интеллектуальной трансформации малого и среднего бизнеса

March 12, 2025
Match Group to Present at the Barclays Global Technology Conference

Match Group to Present at the Barclays Global Technology Conference

November 25, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio