A newly disclosed security vulnerability in Elastic’s Kibana platform has put thousands of businesses at risk, with attackers able to execute arbitrary code on vulnerable systems.
The flaw, identified as CVE-2025-25014, carries a critical CVSS score of 9.1, underscoring the urgency for organizations to update their deployments immediately.
Elastic, the company behind Kibana, disclosed in advisory ESA-2025-07 a critical prototype pollution vulnerability that allows an attacker to execute arbitrary code remotely.
The flaw can be exploited through crafted HTTP requests targeting Kibana’s Machine Learning and Reporting endpoints.
“This vulnerability could allow an attacker with access privileges to compromise data integrity and system availability,” Elastic stated in their official announcement.
The primary risk arises when both the Machine Learning and Reporting features are enabled on affected instances.
Impacted Versions and Products
The vulnerability affects multiple versions of Kibana, both in self-hosted setups and Elastic Cloud deployments.
Product | Affected Versions | Safe Versions |
Kibana | 8.3.0 – 8.17.5 | 8.17.6 |
Kibana | 8.18.0 | 8.18.1 |
Kibana | 9.0.0 | 9.0.1 |
Users running any of the above affected versions with both Machine Learning and Reporting features enabled are at risk. This includes both self-hosted installations and Elastic Cloud users.
Immediate Recommendations
- Upgrade: Elastic strongly advises upgrading to the fixed versions: 8.17.6, 8.18.1, or 9.0.1.
- If You Can’t Upgrade:
  - Disable Machine Learning: Add xpack.ml.enabled: false to your kibana.yml.
  - Or Disable Reporting: Add xpack.reporting.enabled: false to your kibana.yml.
Elastic also provides an option for self-hosted users to disable just the anomaly detection feature via xpack.ml.ad.enabled: false.
No known exploits are reported in the wild yet, but the potential impact is severe, enabling attackers to compromise sensitive business data and disrupt operations.
Organizations using Kibana are urged to review their deployments and act immediately.
Delaying mitigation could expose critical systems to sophisticated attacks capable of hijacking infrastructure and stealing sensitive data.
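A check for the exposure condition described above (an affected version with none of the mitigating kibana.yml settings), as an added example that is not from Elastic or the original article. It assumes flat dotted keys in kibana.yml and treats an unset key as enabled; the function names and the sample config are constructed for illustration.

```python
import re

# Affected ranges as listed in the table above (inclusive bounds).
AFFECTED = [((8, 3, 0), (8, 17, 5)), ((8, 18, 0), (8, 18, 0)), ((9, 0, 0), (9, 0, 0))]
# Settings the article names as mitigations when set to false.
MITIGATIONS = ("xpack.ml.enabled", "xpack.reporting.enabled", "xpack.ml.ad.enabled")

SAMPLE_YML = """\
# constructed sample kibana.yml
server.port: 5601
xpack.reporting.enabled: false  # temporary mitigation
"""

def parse_version(text):
    """Turn '8.17.5' (or '8.17.5-SNAPSHOT') into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def version_affected(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def disabled_settings(kibana_yml):
    """Return the mitigation keys explicitly set to false.
    Only flat dotted keys are read (assumption); nested YAML is not parsed,
    so an unrecognised layout is reported as unmitigated."""
    settings = {}
    for line in kibana_yml.splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")  # drop comments
        if sep:
            settings[key.strip()] = value.strip().strip("'\"").lower()
    return [k for k in MITIGATIONS if settings.get(k) == "false"]

def assess(version, kibana_yml):
    """Classify one instance as not-affected, mitigated:<keys>, or exposed."""
    if not version_affected(version):
        return "not-affected"
    off = disabled_settings(kibana_yml)
    return "mitigated:" + ",".join(off) if off else "exposed"

if __name__ == "__main__":
    for v, cfg in [("8.17.5", ""), ("8.17.5", SAMPLE_YML), ("8.17.6", "")]:
        print(v, assess(v, cfg))
```

A "mitigated" result still means the instance runs an affected version and should be scheduled for upgrade.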