CVE-2025-37728
📋 TL;DR
This vulnerability allows a malicious user with access to a Kibana space to create a Crowdstrike connector and retrieve cached credentials from other spaces. It affects Kibana instances with the Crowdstrike connector enabled where multiple spaces exist.
💻 Affected Systems
- Elastic Kibana
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal Crowdstrike API credentials, potentially gaining unauthorized access to Crowdstrike security data and systems.
Likely Case
Internal users with space access could inadvertently or intentionally access credentials from other spaces, leading to credential exposure.
If Mitigated
With proper space isolation and access controls, only authorized users could access their own space credentials.
🎯 Exploit Status
Requires authenticated access to a Kibana space and knowledge of the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.18.8, 8.19.5, 9.0.8, 9.1.5
Vendor Advisory: https://discuss.elastic.co/t/kibana-crowdstrike-connector-8-18-8-8-19-5-9-0-8-and-9-1-5-security-update-esa-2025-19/382455
Restart Required: Yes
Instructions:
1. Identify your Kibana version.
2. Upgrade to the patched version matching your major release.
3. Restart the Kibana service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Crowdstrike Connector
Temporarily disable the Crowdstrike connector if it is not essential.
# Kibana configuration - set xpack.actions.preconfigured to exclude Crowdstrike
Restrict Space Access
Limit user access to only the spaces they need, to reduce the attack surface.
# Use Kibana role-based access control to restrict space permissions
🧯 If You Can't Patch
- Implement strict access controls to limit which users can create connectors in spaces.
- Monitor for unusual connector creation activities and audit space access logs regularly.
🔍 How to Verify
Check if Vulnerable:
Check Kibana version via Kibana UI (Management > Stack Management > License Management) or API GET /api/status.
Check Version:
curl -X GET 'http://localhost:5601/api/status' -H 'kbn-xsrf: true'
Verify Fix Applied:
Confirm the running version is at least 8.18.8, 8.19.5, 9.0.8, or 9.1.5 on the corresponding release branch (or a later release).
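The version check above can be automated against the JSON returned by `GET /api/status`. The following is an added example, not code from the page or from Elastic: it parses the `version.number` field of the status response (a constructed sample body is embedded so it runs offline) and classifies the version against the patched releases listed in the advisory. Versions on a branch the advisory does not name are reported as `unknown` rather than guessed, except releases newer than the newest fix (which the page counts as "or higher").

```python
import json
import re
from typing import Tuple

# First fixed release per minor branch, taken from the advisory (ESA-2025-19).
PATCHED = {
    (8, 18): (8, 18, 8),
    (8, 19): (8, 19, 5),
    (9, 0): (9, 0, 8),
    (9, 1): (9, 1, 5),
}

# Constructed sample of a Kibana /api/status body (only the fields used here).
SAMPLE_STATUS = json.dumps(
    {"name": "kibana-01", "version": {"number": "8.18.7", "build_snapshot": False}}
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); tolerates suffixes such as '-SNAPSHOT'."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Kibana version string: {version!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Classify a Kibana version as 'vulnerable', 'fixed' or 'unknown' for CVE-2025-37728."""
    v = parse_version(version)
    branch = v[:2]
    if branch in PATCHED:
        # Same minor branch as a listed fix: compare patch level directly.
        return "fixed" if v >= PATCHED[branch] else "vulnerable"
    if v > max(PATCHED.values()):
        # Released after the newest fixed version; the advisory counts this as "or higher".
        return "fixed"
    # Older or intermediate branch with no fixed release listed: consult the vendor advisory.
    return "unknown"


def version_from_status(body: str) -> str:
    """Extract version.number from a /api/status JSON body."""
    return json.loads(body)["version"]["number"]


def assess_status(body: str) -> str:
    """Convenience wrapper: feed the raw body from `curl .../api/status` straight in."""
    return assess(version_from_status(body))


if __name__ == "__main__":
    for sample in ["8.18.7", "8.18.8", "8.19.0", "9.0.8", "9.1.5", "9.2.0", "8.17.3"]:
        print(f"{sample:>8}  {assess(sample)}")
    print("status body:", assess_status(SAMPLE_STATUS))
```

Pipe the real response in with `curl -s 'http://localhost:5601/api/status' | python3 -c 'import sys, check; print(check.assess_status(sys.stdin.read()))'` (assuming the block is saved as `check.py`); a result of `unknown` means the branch is not covered by the advisory's fix list and needs a manual check against the vendor advisory rather than being treated as safe.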
📡 Detection & Monitoring
Log Indicators:
- Unusual Crowdstrike connector creation events
- Multiple failed credential access attempts across spaces
Network Indicators:
- Unexpected API calls to Crowdstrike endpoints from Kibana
SIEM Query:
source:kibana AND ("connector created" OR "crowdstrike") AND action:space_access