A critical vulnerability (CVE-2025-37728) was discovered in Elastic’s **Kibana CrowdStrike Connector**, where insufficient credential isolation in a shared cache allowed authenticated attackers across different Kibana spaces to access stored **CrowdStrike API keys**. While the flaw does not enable direct data modification or deletion, leaked credentials could be abused to query CrowdStrike APIs, exfiltrate sensitive **threat intelligence data**, and potentially disrupt **incident response workflows**. The vulnerability affects multiple Kibana versions (7.x, 8.x, early 9.x) and was rated **Medium severity (CVSS 3.1: 5.4)**, requiring limited privileges and user interaction. Elastic released patches (8.18.8, 8.19.5, 9.0.8, 9.1.5) and urged immediate upgrades, as no workarounds exist. Organizations were advised to **rotate exposed API keys**, review access controls, and monitor connector health to prevent exploitation. Failure to patch risks unauthorized access to **security-critical APIs**, compromising operational integrity and threat detection capabilities.
Source: https://cyberpress.org/kibana-crowdstrike-connector-vulnerability/
TPRM report: https://www.rankiteo.com/company/elastic-co
"id": "ela3593435100725",
"linkid": "elastic-co",
"type": "Vulnerability",
"date": "6/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
```json
{
  "affected_entities": [
    {
      "industry": ["Technology", "Cybersecurity", "IT Operations"],
      "location": "Global",
      "name": "Elastic (Kibana Users)",
      "type": ["Software Vendor", "Enterprise Users"]
    }
  ],
  "attack_vector": [
    "Improper Access Control",
    "Insufficient Credential Isolation",
    "Shared Cache Exploitation"
  ],
  "customer_advisories": [
    "Verify Kibana versions, apply patches, and rotate CrowdStrike API keys"
  ],
  "data_breach": {
    "data_exfiltration": ["Potential (if credentials are abused)"],
    "sensitivity_of_data": "High (CrowdStrike API keys enable threat intelligence access)",
    "type_of_data_compromised": ["API Credentials"]
  },
  "description": "A critical security issue in the Kibana CrowdStrike Connector (CVE-2025-37728) allows attackers to access stored CrowdStrike credentials across different spaces within the same deployment. The flaw stems from insufficient protection of credentials cached when the connector is created in one workspace, enabling malicious users with access to any other space in the same Kibana instance to retrieve cached credentials belonging to a different space. While no direct data modification or deletion is possible, leaked credentials can enable attackers to query CrowdStrike APIs, gather sensitive threat intelligence, and potentially manipulate incident response workflows.",
  "impact": {
    "brand_reputation_impact": ["Potential reputational damage due to credential leakage"],
    "data_compromised": ["CrowdStrike API Credentials"],
    "operational_impact": [
      "Potential disruption to threat intelligence workflows",
      "Incident response process manipulation risk"
    ],
    "systems_affected": ["Kibana (with CrowdStrike Connector)"]
  },
  "investigation_status": "Resolved (Patches released; user action required)",
  "lessons_learned": [
    "Importance of credential isolation in multi-tenant environments",
    "Need for timely patch management to mitigate known vulnerabilities",
    "Criticality of rotating exposed credentials post-incident",
    "Value of monitoring access controls across shared spaces"
  ],
  "motivation": [
    "Unauthorized Access",
    "Credential Theft",
    "Threat Intelligence Gathering",
    "Incident Response Manipulation"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Patched Kibana versions enforce proper credential isolation",
      "Users must upgrade and rotate exposed keys"
    ],
    "root_causes": [
      "Insufficient isolation controls in Kibana’s shared credential cache",
      "Lack of workspace-specific access restrictions for cached credentials"
    ]
  },
  "recommendations": [
    "Upgrade Kibana to patched versions (8.18.8, 8.19.5, 9.0.8, 9.1.5) immediately",
    "Rotate all CrowdStrike API keys potentially exposed prior to patching",
    "Review and harden access controls for Kibana spaces",
    "Implement least-privilege principles for connector configurations",
    "Monitor for anomalous CrowdStrike API activity",
    "Subscribe to Elastic’s security advisories for proactive updates"
  ],
  "references": [
    {"source": "Elastic Security Advisory"},
    {"source": "CVE-2025-37728 Details"}
  ],
  "response": {
    "containment_measures": [
      "Immediate upgrade to patched Kibana versions (8.18.8, 8.19.5, 9.0.8, 9.1.5)"
    ],
    "enhanced_monitoring": ["Monitor for unauthorized CrowdStrike API queries"],
    "recovery_measures": ["Monitor Elastic’s security announcements for updates"],
    "remediation_measures": [
      "Rotate exposed CrowdStrike API keys",
      "Review CrowdStrike Connector configurations post-upgrade",
      "Engage security teams to verify connector health",
      "Review access controls across Kibana spaces"
    ]
  },
  "stakeholder_advisories": ["Elastic urges immediate upgrades and credential rotation"],
  "title": "CVE-2025-37728: Kibana CrowdStrike Connector Credential Leak Vulnerability",
  "type": ["Vulnerability", "Credential Disclosure", "Information Leak"],
  "vulnerability_exploited": "CVE-2025-37728 (Insufficient protection of CrowdStrike Connector credentials in shared cache)"
}
```