- 220/2025
- High
Elastic has released security updates to address several vulnerabilities affecting multiple Elastic products.
The addressed vulnerabilities could allow the attacker to perform cross-site scripting attacks, obtain sensitive information, or gain elevated privileges to the affected products.
Sample of the addressed vulnerabilities:
1. Elastic Kibana Cross-Site Scripting Vulnerability (CVE-2025-25009):
- CVSS: 8.7
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Consequences: Cross-Site Scripting
2. Elastic Kibana Privilege Escalation Vulnerability (CVE-2025-25010):
- CVSS: 6.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privileges
Sample of the affected products:
- Kibana all versions from 8.19.0 up to and including 8.19.4.
- Kibana all versions from 7.0.0 up to and including 7.17.29.
- Elasticsearch all versions from 9.1.0 up to and including 9.1.4.
Vulnerabilities
- CVE-2025-25009
- CVE-2025-25010
- CVE-2025-37728
- CVE-2025-37727
- CVE-2025-25018
- CVE-2025-25017
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.