CVE-2025-25010
📋 TL;DR
This CVE describes an incorrect authorization vulnerability in Kibana where the built-in reporting_user role has excessive permissions, allowing it to access all Kibana Spaces. This enables privilege escalation where users with reporting_user privileges can access data in spaces they shouldn't have permission to view. Organizations using Kibana with the reporting_user role are affected.
💻 Affected Systems
- Elastic Kibana
📦 What is this software?
Kibana by Elastic
⚠️ Risk & Real-World Impact
Worst Case
An attacker with reporting_user credentials could access sensitive data across all Kibana Spaces, potentially exposing confidential business intelligence, logs, or monitoring data.
Likely Case
Internal users with reporting_user privileges inadvertently or intentionally access Kibana Spaces beyond their authorized scope, leading to data exposure and compliance violations.
If Mitigated
With proper role-based access controls and monitoring, impact is limited to unauthorized data viewing within the Kibana interface.
🎯 Exploit Status
Exploitation requires valid reporting_user credentials. The vulnerability is in role permissions configuration, not a code execution flaw.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kibana 9.0.6, 9.1.3
Vendor Advisory: https://discuss.elastic.co/t/kibana-9-0-6-9-1-3-security-update-esa-2025-13/381426
Restart Required: Yes
Instructions:
1. Download Kibana 9.0.6 or 9.1.3 from the Elastic website.
2. Stop the Kibana service.
3. Back up configuration and data.
4. Install the updated version.
5. Restart the Kibana service.
6. Verify functionality.
🔧 Temporary Workarounds
Remove reporting_user role
Applies to: all
Temporarily remove or disable the reporting_user role until patching is complete.
Command: kibana_space_management_api_call_to_remove_role
Restrict reporting_user access
Applies to: all
Manually adjust role permissions to limit space access.
Command: kibana_role_management_api_call_to_adjust_permissions
🧯 If You Can't Patch
- Audit all users with reporting_user role and review their access patterns
- Implement additional monitoring and alerting for unauthorized space access attempts
🔍 How to Verify
Check if Vulnerable:
Check Kibana version via API: curl -X GET 'http://localhost:5601/api/status' or check installed package version
Check Version:
curl -X GET 'http://localhost:5601/api/status' | grep version
Verify Fix Applied:
Confirm the running Kibana version is 9.0.6 or later (9.0 line) or 9.1.3 or later (9.1 line), then test the reporting_user role to confirm that its access to Kibana Spaces is properly restricted.
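The version check above can be scripted so it is repeatable across a fleet. The following is an added example, not code from Elastic or from this advisory: it parses the JSON body returned by Kibana's /api/status endpoint (assumption: the body carries the running version under version.number, as a constructed sample below does) and compares the version against the fixed releases named on this page, per release line. Release lines the advisory does not mention return None rather than a verdict.

```python
"""Version-gate check for CVE-2025-25010 against a Kibana /api/status response."""
import json

# Fixed releases named in the advisory, keyed by release line. Assumption: any
# version at or above the fixed release within the same line carries the fix.
FIXED_VERSIONS = {(9, 0): (9, 0, 6), (9, 1): (9, 1, 3)}


def parse_version(text):
    """Turn '9.1.2' (optionally with a '-SNAPSHOT' style suffix) into (major, minor, patch)."""
    core = text.split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Kibana version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version_text):
    """True if below the fixed release of its line, False if at or above it,
    None if the release line is not covered by this advisory."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def assess_status(status_json):
    """Read version.number from a /api/status body (assumption about the JSON
    layout) and return (version, verdict label)."""
    body = json.loads(status_json)
    number = body["version"]["number"]
    labels = {
        True: "VULNERABLE: upgrade to the fixed release",
        False: "patched",
        None: "release line not covered by this advisory: check the vendor advisory",
    }
    return number, labels[is_vulnerable(number)]


# Constructed sample response; only the version.number field is relied upon.
SAMPLE_STATUS = json.dumps({"name": "kibana-01", "version": {"number": "9.1.2"}})

if __name__ == "__main__":
    # In practice: curl -s http://localhost:5601/api/status | python3 this_script.py
    print(assess_status(SAMPLE_STATUS))
```

Feed the script the raw output of the curl command from the section above; the comparison is done on integer tuples so that 9.0.10 is correctly ranked above 9.0.6.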
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns by reporting_user to multiple Kibana Spaces
- Failed authorization attempts followed by successful access
Network Indicators:
- API calls to spaces beyond expected scope for reporting_user
SIEM Query:
source:kibana AND (user:"reporting_user" OR role:"reporting_user") AND action:"access" AND space_id:*
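The first log indicator above (a reporting_user account reaching Spaces outside its expected scope) can be checked offline against exported audit events. The following is an added example, not code from Elastic or from this advisory: it reads newline-delimited JSON events, keeps only users holding the reporting_user role, and reports any Space ids they touched beyond an allow-list you maintain per user. The field names (user.name, user.roles, kibana.space_id) are an assumption modelled on Kibana's ECS-style audit log; the event lines themselves are constructed samples.

```python
"""Flag reporting_user accounts that accessed Kibana Spaces outside their expected scope."""
import json
from collections import defaultdict

ROLE = "reporting_user"

# Constructed audit events (assumption: field layout mirrors Kibana's audit log;
# adapt the accessor functions below to your pipeline's schema). One line is
# deliberately malformed to exercise the parser's error handling.
SAMPLE_LINES = [
    '{"@timestamp":"2025-09-01T10:00:01Z","user":{"name":"alice","roles":["reporting_user"]},"kibana":{"space_id":"default"}}',
    '{"@timestamp":"2025-09-01T10:00:05Z","user":{"name":"alice","roles":["reporting_user"]},"kibana":{"space_id":"finance"}}',
    '{"@timestamp":"2025-09-01T10:00:09Z","user":{"name":"alice","roles":["reporting_user"]},"kibana":{"space_id":"hr"}}',
    '{"@timestamp":"2025-09-01T10:01:00Z","user":{"name":"bob","roles":["reporting_user"]},"kibana":{"space_id":"default"}}',
    '{"@timestamp":"2025-09-01T10:02:00Z","user":{"name":"carol","roles":["kibana_admin"]},"kibana":{"space_id":"finance"}}',
    'this line is not JSON',
]

# Constructed allow-list: which Spaces each reporting_user holder is expected to use.
EXPECTED_SPACES = {"alice": {"default"}, "bob": {"default"}}


def load_events(lines):
    """Parse NDJSON lines, skipping malformed ones and counting how many were skipped."""
    events, skipped = [], 0
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def spaces_by_reporting_user(events):
    """Map each user holding ROLE to the set of Space ids seen in their events."""
    seen = defaultdict(set)
    for ev in events:
        user = ev.get("user", {})
        if ROLE not in user.get("roles", []):
            continue
        space = ev.get("kibana", {}).get("space_id")
        if user.get("name") and space:
            seen[user["name"]].add(space)
    return dict(seen)


def flag_over_scope(events, expected):
    """Return {user: sorted unexpected Space ids} for reporting_user holders that
    accessed Spaces not in their allow-list. Users absent from the allow-list are
    treated as having no expected Spaces, so everything they touched is flagged."""
    findings = {}
    for user, spaces in spaces_by_reporting_user(events).items():
        unexpected = spaces - expected.get(user, set())
        if unexpected:
            findings[user] = sorted(unexpected)
    return findings


if __name__ == "__main__":
    evs, bad = load_events(SAMPLE_LINES)
    print(f"parsed {len(evs)} events, skipped {bad}")
    print(flag_over_scope(evs, EXPECTED_SPACES))
```

Run it against an export of the audit index rather than live queries when you are triaging after the fact; the same per-user grouping is what the SIEM query above narrows down to once you add a threshold on distinct space_id values.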