Apple iOS & iPadOS Patch 0-Days Vulnerabilities, Exploited in Targeted Attacks
Apple iOS & iPadOS Patch Zero-Days Vulnerabilities, Exploited in Targeted Attacks
Continue ReadingPrivilege escalation
Cisco Splunk Enterprise Security Patch Fixed Windows Permissions Misconfiguration
2 critical vulnerabilities affecting Splunk Enterprise and Splunk Universal Forwarder on Windows platforms were disclosed, both involving incorrect permission assignments during installation or upgrade. The vulnerabilities addressed may enable attackers to exploit issues such as privilege escalation, information disclosure, or remote code execution.
Continue Reading
Android Security Patch December 2025 Fixed 100+ Vulnerabilities Including Zero-Days
Android security Patch: Google has released the Android Security update for December 2025 addressing over 100 vulnerabilities and two actively exploited zero-day vulnerabilities across Framework, System, Kernel, and vendor components like Qualcomm, MediaTek, and Unisoc.
The most severe issues include a critical remote denial-of-service flaw in Framework and multiple zero-day elevation-of-privilege vulnerabilities actively exploited.
| OEM | Google Android |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-48631, CVE-2025-48633, CVE-2025-48572 & 104 more CVEs |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
These flaws could enable attackers to crash devices remotely, escalate privileges locally, or disclose sensitive data without additional execution privileges. Android users are urged to immediate updates as soon as available.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Remote Denial-of-Service Vulnerability | CVE-2025-48631 | Android Framework | Critical | Dec 2025 Android Security Update |
| Information Disclosure Zero-Day Vulnerability | CVE-2025-48633 | Android Framework | High | Dec 2025 Android Security Update |
| Elevation of Privilege Zero-Day Vulnerability | CVE-2025-48572 | Android Framework | High | Dec 2025 Android Security Update |
Technical Summary
The December 2025 Android vulnerabilities primarily impact Framework (remote DoS, EoP, ID), System (local privilege escalation), and Kernel (pKVM/IOMMU flaws), with additional high-severity issues in vendor components from Qualcomm, MediaTek, Arm and Unisoc. Critical zero-days like the Framework remote DoS enable attacker-initiated crashes without privileges, while EoP flaws allow local escalation for background activity launch or data access.
Organizations and users should treat these vulnerabilities as critical due to active exploitation. Updating all devices to the 2025 December, security patch level is strongly recommended to stay protected.
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-48631 | Framework vulnerability that allows a remote attacker to cause a device crash, reboot loop, or render it unresponsive without requiring additional privileges or user interaction. | Remote device crash, Denial of service |
| CVE-2025-48633 | This exploiting framework information disclosure flaw that exposes sensitive internal system data, enabling attacker reconnaissance or exploit chaining | Data leakage, privacy violation |
| CVE-2025-48572 | This exploiting elevation of privilege vulnerability within the Framework that allows attackers to gain higher system privileges, enabling unauthorized operations | Privilege escalation, arbitrary code execution |
These additional vulnerabilities include 104 other Critical and High-severity issues that could allow data exposure, system instability, or service disruptions. Applying the latest update is important as these vulnerabilities still have significant security risks if left unpatched.
Remediation:
- Update all Android devices to the latest Security Patch when it’s available.
Conclusion:
These vulnerabilities, including actively exploited zero-days, pose severe risks to Android devices enabling remote crashes, privilege escalation, and data exposure. It is recommended to update to the both personal and enterprise Android devices to the latest security patch for December, 2025.
References:
Microsoft Patched Critical Azure Bastion Elevation of Privilege Vulnerability
Azure Bastion Elevation of Privilege Vulnerability CVE-2025-49752
Continue Reading
Microsoft November Updates- Fixes 63 Vulnerabilities,1 Zero-Day Exploits ; Patch Now
Summary : Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities across multiple Microsoft components. The Microsoft Patch Tuesday also addresses four “Critical” vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges and the fourth is an information disclosure flaw.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-11-11 |
| No. of Patches | 63 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview : Key Updates on Patch Tuesday
The update includes one actively exploited zero-day vulnerability (CVE-2025-62215) in the Windows Kernel and five additional Critical-rated vulnerabilities affecting Office, DirectX, GDI+, Visual Studio, and Nuance PowerScribe.
This release continues Microsoft’s focus on privilege escalation and remote code execution (RCE) vulnerabilities, highlighting the urgent need for comprehensive patch management across enterprise systems.
Here are the CVE addresses for Microsoft & non-Microsoft:
- 63 Microsoft CVEs addressed
- 5 non-Microsoft CVEs addressed (Republished)
Breakdown of October 2025 Vulnerabilities
- 29 Elevation of Privilege (EoP)
- 16 Remote Code Execution (RCE)
- 11 Information Disclosure
- 3 Denial of Service (DoS)
- 2 Security Feature Bypass
- 2 Spoofing
Source: Microsoft
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Kernel Elevation of Privilege Vulnerability (Zero-Day, Exploited in Wild) | CVE-2025-62215 | Windows 10, 11, Server 2016–2022 | Critical | 9.0 |
| Microsoft Office Use-After-Free Remote Code Execution Vulnerability | CVE-2025- 62199 | Microsoft Office (Word/Excel/Office Suite) | Critical | 9.8 |
| Nuance PowerScribe Missing Authorization Information Disclosure Vulnerability | CVE-2025-30398 | Nuance PowerScribe 360 | Critical | 9.1 |
| Windows DirectX Graphics Kernel Use-After-Free Vulnerability | CVE-2025-60716 | Windows DirectX Graphics Kernel | Critical | 8.8 |
| Microsoft GDI+ Heap-Based Buffer Overflow RCE Vulnerability | CVE-2025-60724 | Microsoft Graphics Component (GDI+) | Critical | 8.7 |
| Visual Studio Command Injection Remote Code Execution Vulnerability | CVE-2025-62214 | Microsoft Visual Studio / Visual Studio Code | Critical | 8.1 |
Technical Summary
The zero-day is a Windows Kernel bug that lets attackers gain full system control. Other critical & important vulnerabilities include Office and GDI+ vulnerabilities that could allow hackers to run malicious code or steal data.
Microsoft also patched issues in Visual Studio, DirectX, and Azure services. Users and admins are strongly advised to install these updates right away to stay protected.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-62215 | Windows Kernel | Race conditions in shared resource execution enables local attackers to elevate privileges to SYSTEM (Zero-Day; Exploited in Wild) | Elevation of Privilege |
| CVE-2025-62199 | Microsoft Office | Use-after-free vulnerability in Office allows RCE via malicious documents, typically delivered through phishing campaigns | Remote Code Execution |
| CVE-2025-30398 | Nuance PowerScribe 360 | Missing authorization vulnerability allows disclosure of sensitive medical or user data over the network | Information Disclosure |
| CVE-2025-60716 | Windows DirectX Graphics Kernel | Use-after-free conditions allow local attackers to escalate privileges, potentially compromising the entire system | Elevation of Privilege |
| CVE-2025-60724 | Microsoft GDI+ | Heap-based buffer overflow allows attackers to execute arbitrary code remotely via crafted network traffic or malicious files | Remote Code Execution |
| CVE-2025-62214 | Visual Studio | Command injection vulnerability allows attackers to execute arbitrary code locally in developer environments | Remote Code Execution |
Source: Microsoft
In addition to several other Important severity vulnerabilities were addressed below –
- CVE-2025-59505: Windows Smart Card Reader – Double-free memory handling vulnerability enabling privilege escalation.
- CVE-2025-60704: Windows Kerberos – Missing cryptographic validation allows privilege escalation.
- CVE-2025-60719: Windows WinSock Driver – Untrusted pointer dereference enabling SYSTEM-level access.
- CVE-2025-59504: Azure Monitor Agent – Heap-based buffer overflow allowing local code execution.
- CVE-2025-60714: Windows OLE – Buffer overflow permitting local RCE.
- CVE-2025-62452: Windows RRAS – Heap overflow enabling network-based RCE.
- CVE-2025-59509: Windows Speech Recognition – Sensitive data exposure vulnerability.
- CVE-2025-62208 / CVE-2025-62209: Windows License Manager – Sensitive information insertion into logs.
- CVE-2025-62210 / CVE-2025-62211: Dynamics 365 Field Service – Cross-site scripting (XSS) spoofing.
- CVE-2025-62449 / CVE-2025-62453: VS Code / GitHub Copilot – Path traversal and AI output validation bypass & Others more Vulnerabilities.
Source: Microsoft, bleepingcompute, cybersecuritynews
Key Affected Products and Services
The November 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services:
- Windows Core Components
Updates for Kernel, Hyper-V, Kerberos, RRAS, WinSock, Smart Card, Bluetooth subsystems.
- Microsoft Office Suite
Patches for Word, Excel, and related components impacted by RCE and Information Disclosure vulnerabilities.
- Azure & Cloud Services
Fixes for Azure Monitor Agent, Dynamics 365, Entra ID, and related connectors.
- Graphics Components
Patches for GDI+, DirectX, WSL GUI.
- Developer Tools
Updates for Visual Studio, Visual Studio Code, and GitHub Copilot.
- Third-Party Applications
Patches for Nuance PowerScribe (Medical domain).
- Mobile Platform Technologies
Updates for Microsoft OneDrive for Android.
Remediation:
- Install the November 2025 Microsoft security updates immediately across all Windows, Office, and Azure systems.
Here are some recommendations below
- Monitor for Indicators of Compromise (IoCs) for privilege escalation attempts, new SYSTEM-level services, or unusual Office file crashes.
- Ensure Windows 10 ESU enrollment for extended support systems.
- Restrict local admin privileges and enforce least-privilege access.
- Leverage EDR/SIEM solutions to detect suspicious kernel and Office activity.
- Segment critical systems and disable unused network services (RRAS, SMB).
Conclusion:
Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities, including one actively exploited Zero-Day and multiple Critical RCE and EoP vulnerabilities in Office, Windows Kernel, GDI+, and Visual Studio.
Given the confirmed exploitation and the presence of memory corruption vulnerabilities, immediate patch deployment is necessary to prevent potential ransomware and privilege escalation attacks in our modern cyber world.
References:
Amazon Workspace Client for Linux Token Vulnerability Fixed in Version 2025.0
Summary : Amazon patched a vulnerability in the Linux version of its Workspace’s client that improperly handles authentication tokens in versions from 2023.0 through 2024.8.
| OEM | Amazon |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-12779 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
This flaw allows local users on the same machine such as in shared, multi-user environments to extract valid authentication tokens.
Often used to impersonate other users and gain unauthorized access to their virtual desktop sessions, exposing sensitive data and applications.
The issue does not allow remote exploitation, but it poses a significant risk in workplaces using shared Linux systems for Workspace’s access.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Improper Authentication Token Handling in Amazon WorkSpaces Client | CVE-2025-12779 | Amazon WorkSpaces client for Linux | High | 2025.0 |
Technical Summary
The root cause lies in insecure management of authentication tokens, enabling token extraction by unintended local users. This vulnerability was assigned to high severity, prompting Amazon to issue a fix in the 2025.0 version of the client.
The update improves session isolation and secures token handling, protecting against lateral token theft.
Users and Administrators are strongly advised to upgrade promptly to avoid unauthorized access risks associated with multi-user Linux setups commonly found in corporate or virtual machine environments.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-12779 | Amazon WorkSpaces client for Linux (versions 2023.0 through 2024.8) | Local users on shared Linux machines can extract authentication tokens due to improper token handling, allowing them to access other users’ Workspaces. | Unauthorized access to another user’s workspace |
Recommendations
- Update the Amazon Workspace’s client for Linux immediately to version 2025.0 or later.
Conclusion:
This vulnerability highlights the criticality of robust token security in virtual desktop clients, especially for environments with shared access.
Amazon’s swift patch release underscores the need for continuous vigilance and timely updates to maintain secure remote workspace solutions and prevent privilege escalation through token leakage. Upgrading to the patched version effectively mitigates the exposure and secures user sessions.
References:
Apple Releases iOS & iPadOS 26.1 Update, Fixed Multiple Security Vulnerabilities
Summary: Apple released iOS 26.1 and iPadOS 26, addressed multiple security vulnerabilities across core system components including WebKit, Kernel, Accessibility, Apple Neural Engine, CloudKit etc.
| OEM | Apple |
| Severity | High |
| CVEs | CVE-2025-43438, CVE-2025-43429, CVE-2025-43442, CVE-2025-43455, CVE-2025-43398 & others |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview:
These vulnerabilities could enable malicious apps to escape sandboxes, access sensitive user data, execute arbitrary code via web content, monitor keystrokes or disable theft protection mechanisms. Affected devices include iPhone 11 & later and iPad models from 3rd gen onward etc. Immediate update is strongly recommended to prevent any breaches, system crashes.
| Vulnerability Name | CVE ID | Product Affected | Fixed Version |
| WebKit Use-After-Free (Safari Crash/RCE) | CVE-2025-43438 | iOS, iPadOS | iOS/iPadOS 26.1 |
| WebKit Buffer Overflow (RCE Risk) | CVE-2025-43429 | iOS, iPadOS | iOS/iPadOS 26.1 |
| App Installed Detection via Accessibility | CVE-2025-43442 | iOS, iPadOS | iOS/iPadOS 26.1 |
| Sensitive Screenshot in Embedded Views | CVE-2025-43455 | iOS, iPadOS | iOS/iPadOS 26.1 |
| Kernel Memory Corruption / DoS | CVE-2025-43398 | iOS, iPadOS | iOS/iPadOS 26.1 |
Technical Summary:
The iOS/iPadOS 26.1 update fixes major security issues in sandbox protection, memory handling, privacy settings, and the WebKit browser engine. These critical vulnerabilities could allow apps or websites to access restricted data or execute malicious code. Key impact issues mentioned below.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-43438 | WebKit | Use-after-free in Safari triggers crash or code execution via malicious web content | Remote Code Execution, System Compromise |
| CVE-2025-43429 | WebKit | Buffer overflow in content processing allows arbitrary code execution | Remote Code Execution, Service Compromise |
| CVE-2025-43442 | Accessibility | Permissions flaw allows apps to detect installed apps (fingerprinting) | Privacy Violation, User Tracking |
| CVE-2025-43455 | Apple Account | Malicious apps can screenshot sensitive embedded UI (login views) | Credential, PII Exposure |
| CVE-2025-43398 | Kernel | Memory mishandling leads to system termination or kernel corruption | Denial of Service, Potential Privilege Escalation |
Additionally, there are multiple high & medium vulnerabilities have been disclosed that enable sandbox escapes, data leaks, and web-based attacks with significant impact potential. Here are some cves in the below table
| Vulnerability Name | CVE ID | Affected Component |
| Sandbox Escape via Assets | CVE-2025-43407 | Assets |
| Sandbox Escape via CloudKit Symlink | CVE-2025-43448 | CloudKit |
| Stolen Device Protection Bypass | CVE-2025-43422 | Stolen Device Protection |
| Cross-Origin Data Exfiltration | CVE-2025-43480 | WebKit |
| Keystroke Monitoring via WebKit | CVE-2025-43495 | WebKit |
| Apple Neural Engine Kernel Corruption | CVE-2025-43447, CVE-2025-43462 | Apple Neural Engine |
| Canvas Cross-Origin Image Theft | CVE-2025-43392 | WebKit Canvas |
| Contacts Data Leak in Logs | CVE-2025-43426 | Contacts |
| Lock Screen Content Leak | CVE-2025-43350 | Control Center |
| Address Bar Spoofing | CVE-2025-43493 | Safari |
| UI Spoofing in Safari | CVE-2025-43503 | Safari |
Recommendations:
Update all eligible devices immediately (Settings > General > Software Update products) to the following fixed versions as soon as possible and check the updated version from the Apple security website.
Patches are available and should be applied immediately.
For environments where immediate patching is not immediately feasible, you can also follow the recommendations below.
- Enable Stolen Device Protection and Lockdown Mode (where applicable)
- Restrict app installations to trusted sources.
- Avoid visiting untrusted websites from browser
- Use VPN and enable Advanced Data Protection for iCloud
- Monitor for anomalous app behavior or battery drain
Conclusion:
The iOS/iPadOS 26.1 update fixes several security vulnerabilities that could affect user privacy, device stability, and system protection.
Organizations and Individual using Apple devices must prioritize deployment of this update to mitigate risks of data exfiltration, spyware and other attack vectors. Timely patching remains the most effective control against zero-day exploitation on new vulnerabilities in digital ecosystems.
References:
High-severity path traversal vulnerability was identified in Docker Compose
Docker Compose Path Traversal Vulnerability Enables Arbitrary File Write and System Compromise
Summary:
| OEM | Docker |
| Severity | High |
| CVSS Score | 8.9 |
| CVEs | CVE-2025-62725 |
| Date of Announcement | 2025-10-28 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
A high-severity path traversal vulnerability was identified in Docker Compose, a widely-used tool for defining and managing multi-container Docker applications.
This flaw occurs in the handling of remote OCI-based Compose artifacts, allowing an attacker to craft malicious artifact annotations that bypass directory restrictions. As a result, malicious files can be written outside the intended cache directory on the host system.
This vulnerability can be triggered even by seemingly harmless commands such as docker compose ps or docker compose config that resolve remote artifacts. Organizations should upgrade immediately to avoid possible system compromise.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Path Traversal in OCI Artifacts Allowing Arbitrary File Write | CVE-2025-62725 | Docker Compose CLI | High | 8.9 |
Technical Summary
Docker Compose added support for fetching Compose files as OCI artifacts from remote registries. These artifacts contain layers with annotations indicating file paths for writing.
The vulnerability exists because Docker Compose did not sanitize or validate these path annotations prior to writing files, allowing path traversal sequences to escape the cache directory.
Attackers can exploit this by publishing malicious OCI artifacts with crafted annotations, leading to arbitrary file writes anywhere the Compose process has permissions, potentially overwriting sensitive files such as SSH authorized_keys, escalating privileges and compromising the host. The flaw affects Docker Compose versions prior to v2.40.2.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-62725 | Docker Compose (Linux, Windows, macOS) | Path traversal via malicious remote OCI artifact annotations allowing arbitrary file write outside the Compose cache directory. | Arbitrary file write, potential system compromise, privilege escalation. |
Remediation
Apply security patches immediately to mitigate risks from privilege escalation and container escape.
- Update Docker-compose to v2.40.2 or the latest one.
Conclusion
Docker Compose vulnerability poses a serious risk of arbitrary file writes and system compromise through malicious OCI artifacts.
Due to the ease of exploitation when using remote Compose files, all users and organizations should upgrade to the patched Docker Compose version immediately, scrutinize remote artifact usage, and enhance their container security hygiene to mitigate this significant threat.
References
TARmageddon Exploitable Tar Extraction Flaw Exposes Systems to Privilege Escalation
Summary A critical vulnerability known as Tarmageddon (CVE-2025-62518) impacts multiple tar extraction utilities and libraries, including GNU tar, libarchive, Python’s tarfile module, and the Rust async-tar library.
| Severity | High |
| CVSS Score | 7.8 |
| CVEs | CVE-2025-62518 |
| POC Available | Yes, public PoC and patches available (edera-dev GitHub) |
| Actively Exploited | Not confirmed widespread exploitation public PoC raises opportunistic risks |
| Exploited in Wild | No confirmed mass exploitation at time of writing |
| Advisory Version | 1.0 |
Overview
Tarmageddon (CVE-2025-62518) vulnerability Improper path sanitization and symlink-target validation during extraction enable a crafted tar archive to write files outside the intended extraction directory, leading to arbitrary file overwrite, privilege escalation, or remote code execution when executed by privileged or automated services.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Tar path traversal / symlink bypass (async-tar RCE vector) | CVE-2025-62518 | GNU tar, libarchive, Python tarfile, Rust async-tar and downstream tools | High | Patches released by maintainers; reference fixes in Edera patch repository and vendor advisories |
Technical Summary
Root cause: insufficient canonicalization of file paths and incomplete sanitization of symlink targets within tar archive headers. Behavioral details: Path traversal via ../ sequences and chained symlinks allows crafted archives to escape the extraction root and overwrite system binaries, configuration files, or startup scripts.
A public proof-of-concept confirms this behavior in affected async-tar implementations. Fix: apply upstream and distribution patches that normalize paths and validate symlink targets (edera-dev patches).
Exploitability: public PoC exists for CVE-2025-62518, highest risk when automated extractions run with elevated privileges (CI/CD, build, backup). Manual extraction is lower risk. Impact: Malicious extraction can overwrite critical files, allow service takeover or remote code execution, and lead to full host compromise if run as root.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-62518 | Tar libraries and tools async-tar, GNU tar, libarchive, Python tarfile, and any tools that use them. | Crafted tar entries can bypass path checks and write outside the extraction folder (PoC available). | Can overwrite files, allow privilege escalation/RCE if run as root, and contaminate build/CI artifacts. |
Remediation:
- Apply patches immediately — update tar libraries and utilities with vendor or distribution fixes (Edera patches where applicable).
- Disable automatic extraction of untrusted archives in gateways, ingestion services and CI/CD systems.
- Use least privilege for extraction processes — avoid root / Administrator contexts.
- Replace unsafe extraction calls (e.g., tarfile.extractall()) with secure wrappers that validate path components and reject traversal or symlink abuses.
- Sandbox extraction inside containers or VMs with strict filesystem scoping (read-only mounts, AppArmor/SELinux confinement).
- Inventory and update all images, containers, and build artifacts that bundle tar utilities or tar libraries.
Detection Guidance: Lab verification: Use the public PoC only in isolated virtual environments to validate that patched version block path traversal and symlink exploits.
SIEM / EDR indicators:
- File create/write events to sensitive paths (/etc, /usr/bin, /var, application config dirs) immediately following tar extraction processes.
- Creation of symlinks or reparse-points by tar-related processes.
- Processes invoking tar or Python extraction libraries writing outside expected extraction directories.
Conclusion:
Tarmageddon (CVE-2025-62518) is a high-risk archive extraction vulnerability that affects widely used tar utilities and libraries, including GNU tar, libarchive, Python’s tarfile, and the Rust async-tar implementation.
This vulnerability should be treated as a Priority-1 patch event for any environment performing automated or privileged tar extractions. Organizations are strongly advised to apply vendor patches immediately, enforce sandboxed extraction workflows, and implement strict least-privilege and path-validation controls to prevent arbitrary file overwrites, privilege escalation, and potential supply-chain compromise.
References:
Elastic Releases Critical Security Updates for Kibana & Elasticsearch
Security Advisory:
Elastic has released security updates for Kibana and Elasticsearch.
Addressed 5 vulnerabilities, including 3 high-severity Cross-Site Scripting (XSS) issues
This also include one sensitive data exposure flaw, and one credential leakage issue
| OEM | Elastic |
| Severity | High |
| CVSS Score | 8.7 |
| CVEs | CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727, CVE-2025-37728 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The most severe, CVE-2025-25009 (CVSS 8.7), affects Kibana’s case file upload functionality, potentially allowing attackers to execute arbitrary scripts. These vulnerabilities could allow data theft, session hijacking or privilege escalation in affected environments. Users & Administrators strongly advise to update to the patched versions immediately to mitigate risks.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Stored XSS Vulnerability via Case File Upload Vulnerability | CVE-2025-25009 | Kibana | High | v8.18.8, v8.19.5, v9.0.8, v9.1.5 |
| Kibana Cross Site Scripting (XSS) Vulnerability | CVE-2025-25017 | Kibana | High | |
| Kibana Stored Cross Site Scripting (XSS) Vulnerability | CVE-2025-25018 | Kibana | High |
Technical Summary
Elastic’s latest security patches fix several vulnerabilities in Kibana and Elasticsearch. These vulnerabilities could let attackers inject malicious code or gain access to sensitive information.
This could result in stolen data, taken-over user sessions, or even gaining higher access levels in the system. Although no active exploits have been reported, users are strongly advised to update immediately for protection to ensure optimal security and stability .
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-25009 | Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) | Stored XSS via malicious file uploads in case management, allowing JavaScript injection | Data Theft, Session Hijacking, Privilege Escalation |
| CVE-2025-25017 | Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.3, 9.0.x ≤ 9.0.6, 9.1.x ≤ 9.1.3) | XSS in Vega visualization engine due to improper neutralization of inputs, enabling script execution | Malicious Script Execution |
| CVE-2025-25018 | Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) | Stored XSS in Kibana due to improper validation of specified type of input. | Session Compromise, Unauthorized Access |
Other Vulnerabilities
In addition to the three high-severity flaws, Elastic patched 2 other vulnerabilities in the same Security Announcements release.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Sensitive Data Exposure in Audit Logging | CVE-2025- 37727 | Elasticsearch | Medium | v8.18.8, v8.19.5, v9.0.8, v9.1.5 |
| Credential Leakage in CrowdStrike Connector | CVE-2025- 37728 | Kibana (CrowdStrike Connector) | Medium | v8.18.8 and higher |
Recommendations:
Update Kibana and Elasticsearch immediately to the following versions
- Kibana/Elasticsearch: v8.18.8, v8.19.5, v9.0.8, v9.1.5 or the latest version.
If unable to update immediately you can follow some workarounds below
- For the CVE-2025-25009, For versions >= 7.12 to < 9.0 users can set “discover:searchFieldsFromSource: true” in Advanced Settings and there are no workarounds for 9.0+.
- For the CVE-2025-25017, users can disable Vega visualizations but note that this will disable all Vega charts in Kibana.
- For the CVE-2025-37727, users can set “xpack.security.audit.logfile.events.emit_request_body” to “false”.
Conclusion:
The Elastic security update addresses severe vulnerabilities in Kibana and Elasticsearch, including high-severity XSS issues that could enable attackers to compromise dashboards, steal data, or escalate privileges.
Although no exploitation has been reported but these vulnerabilities need immediate patching. Immediate action is essential to maintain system integrity and protect sensitive data in monitoring and logging environments.
References: