RCE

Security Advisory

Spoofing Vulnerability in WhatsApp Desktop for Windows

Summary 

Be careful when you open that file in whatapp, it might have that spoofing flaw allowing Arbitrary Code Execution (CVE-2025-30401) and affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug .

Overview 

The vulnerability has been fixed in version 2.2450.6. WhatsApp has and will always be an attractive field for attackers and this particular bug does require user interaction – the victim has to manually open the malicious attachment for the payload to run.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
 Spoofing Vulnerability  CVE-2025-30401  WhatsApp Desktop for Windows  Medium  2.2450.6 

Technical Summary 

The vulnerability results from WhatsApp for Windows’s different handling of attachments. It opens files depending on their filename extension while displaying files based on their MIME type. This mismatch allows attackers to spoof file types and trick users into launching malicious executables. 

Example Scenario: 

An attacker sends a file named cat.jpg.exe with a MIME type of image/jpeg. WhatsApp displays the file as an image (because of the MIME type), misleading the user. If the user manually opens the attachment from within WhatsApp, Windows uses the .exe extension to execute the file — potentially launching malicious code. 

This form of UI spoofing can be especially effective in group chats, where malicious attachments may be distributed widely and appear harmless. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-30401   WhatsApp Desktop for Windows (<2.2450.6)  MIME type used for display, but file extension used for execution.

A mismatch between the two could allow a file to appear harmless (e.g., image), while actually being executable (e.g., .exe). 		 Remote Arbitrary code execution 

Remediation

  • Official Patch Available: The vulnerability has been resolved by Meta (formerly Facebook). Users should update WhatsApp for Windows to version 2.2450.6 or latest version. 

Conclusion: 

CVE-2025-30401 is a key example of how inconsistent file processing in the user interface can result in serious security threats. Attackers can create misleading payloads that can run arbitrary code by taking advantage of users’ faith in how apps display attachments.

Due to the possibility of remote exploitation, users should update to the latest WhatsApp version 2.2450.6 or later. Patching should be done right away to avoid any compromise. 

Be careful when you click attachments.

References: 

Security Advisory

WordPress Ultimate CSV Importer Flaws Put 20,000+ Sites at Risk

Threat researchers discovered an arbitrary File Upload vulnerability and an Arbitrary File Deletion vulnerability within the WP Ultimate CSV Importer plugin. This is affecting versions 7.19 and earlier.

The vulnerabilities have been addressed in version 7.19.1 of the plugin.

Summary 

OEM WordPress 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-2008, CVE- 2025-2007 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The security flaw WordPress plugin, Ultimate CSV Importer, affecting over 20,000 websites. The vulnerabilities, identified as CVE-2025-2008 and CVE-2025-2007, can lead to catastrophic consequences, including complete site compromise. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Arbitrary File Upload  CVE-2025-2008 WordPress  High  8.8 
Arbitrary File Deletion  CVE-2025-2007 WordPress  High  8.1 

Technical Summary 

A critical security vulnerability has been discovered in the WP Ultimate CSV Importer plugin (versions ≤ v7.19). This flaw allows attackers with only Subscriber level access to exploit the system in two dangerous ways: 

  1. Malicious File Upload: Attackers can upload malicious files, potentially enabling remote code execution and granting full control over the affected site. This allows for complete site compromise, including the ability to install backdoors or steal sensitive information. 
  1. Critical File Deletion: Attackers can delete crucial files, such as wp-config.php, which can reset the WordPress site and give attackers the ability to take full control over the site. 
CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-2008  WP Ultimate CSV Importer plugin (versions ≤ 7.19) A critical flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to upload malicious files due to improper file type validation.
This can lead to remote code execution (RCE) and full site takeover. 		  Remote code execution (RCE) 
 CVE-2025-2007 WP Ultimate CSV Importer plugin (versions ≤ 7.19) A serious flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to delete critical files, like wp-config.php, due to weak file path validation.
This can reset the site, letting attackers take control. 		 Arbitrary file deletion leading to site reset 

Remediation

Install version 7.19.1 or later to fix the security flaws. Keeping all plugins and WordPress updated helps prevent attacks. 

General Recommendations 

  • Update the Plugin – Install the latest version (7.19.1+) to fix security issues and keep your site safe. 
  • Limit User Access – Allow only trusted users to upload or delete files to prevent hackers from exploiting vulnerabilities. 
  • Use Security Plugins – Install tools to block threats, monitor activity, and protect your site. 
  • Backup Your Website – Regularly save backups so you can restore your site if it gets hacked or files are deleted. 

Conclusion: 

A major security issue in a popular WordPress plugin put over 20,000 websites at risk of being taken over by hackers.

Attackers could upload harmful files or delete important ones, making websites vulnerable. This incident shows why keeping plugins updated, limiting user access, and using security tools is crucial. Updating to version 7.19.1 is necessary to stay protected. 

References

Security Advisory

3 Zero-Day Vulnerabilities backported & fixed in Apple Devices

Summary 

3 Zero-Day Vulnerabilities backported & fixed in Apple Devices

Apple backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems.

OEM Apple 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-24201, CVE-2025-24085, and CVE-2025-24200. 
No. of Vulnerabilities Patched 03 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Apple has released an urgent security advisory concerning three zero-day vulnerabilities currently being actively exploited: CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085. These vulnerabilities affect a range of Apple devices, such as iPhones, iPads, Macs, and other platforms. Users are strongly urged to update to the latest patched versions to reduce security risks. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
WebKit Out-of-Bounds Write Vulnerability  CVE-2025-24201 iOS, macOS, visionOS, Safari  High  8.8 
Use-After-Free Vulnerability  CVE-2025-24085 iOS, iPasOS, macOS, watchOS, tvOS  High  7.8 
Incorrect Authorization Vulnerability  CVE-2025-24200  iOS, iPadOS  Medium  6.1 

Technical Summary 

Apple’s latest security update patches three Zero-Day vulnerabilities that hackers were actively exploiting. These vulnerabilities could allow attackers to bypass security protections, making devices more vulnerable. One of the vulnerabilities enables remote code execution, letting attackers run malicious programs. Another flaw allows privilege escalation, giving attackers higher-level access to system functions. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-24201  iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, Safari 18.3  Out-of-bounds write issue allowing malicious websites to escape the Web Content sandbox   Remote Code Execution 
 CVE-2025-24085 iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3, visionOS 2.3 Use-after-free vulnerability in CoreMedia allowing privilege escalation via malicious apps.  Privilege escalation via CoreMedia 
 CVE-2025-24200  iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5 (iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch, etc.) Authorization bypass vulnerability allowing attackers to disable USB Restricted Mode on locked devices.  Security Bypass USB Restricted Mode 

Remediation

Apply Patches Promptly: Apple has released security updates to address these vulnerabilities. Users should update their devices immediately to mitigate risks 

  • iPhones and iPads: Update to iOS 18.3/iPadOS 18.3 or later. 
  • Macs: Install macOS Sequoia 15.3 or later. 
  • Apple Watch: Upgrade to watchOS 11.3. 
  • Apple TV: Apply tvOS 18.3 updates. 
  • Vision Pro: Install visionOS 2.3 updates. 

General Recommendations: 

  • Prioritize Zero-Day Fixes: Focus on patching actively exploited vulnerabilities, especially those affecting USB Restricted Mode, WebKit, and CoreMedia.  
  • Enable Lockdown Mode: On supported devices, Lockdown Mode can provide additional security against targeted attacks.  
  • Be Cautious with USB Devices: Avoid connecting untrusted accessories to Apple devices to mitigate USB-based attack vectors. 
  • Stay Alert for Malicious Websites: Since WebKit vulnerabilities are actively exploited, avoid suspicious links and untrusted web content. 
  • Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity. 

Conclusion: 

The discovery and active exploitation of these zero-day vulnerabilities underscore the increasing sophistication of cyberattacks targeting Apple’s ecosystem.

While Apple has responded swiftly with patches, users must remain vigilant by keeping their devices updated and adhering to cybersecurity best practices, such as avoiding untrusted applications and enabling Lockdown Mode where applicable. 

Apple fixed all the vulnerability with improved state management.

References


 

Security Advisory

Critical Chrome Vulnerability (CVE-2025-2783) Exploited in Cyber-Espionage Campaign

OEMGoogle Chrome
SeverityHigh
CVSS8.3
CVEsCVE-2025-2783
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory regarding the critical zero-day vulnerability, CVE-2025-2783, in Google Chrome and other Chromium-based browsers on Windows. This vulnerability is actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, urged immediate patching to prevent security breaches and unauthorized system access.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
  Google Chromium Mojo Sandbox Escape Vulnerability  CVE-2025-2783  Google Chrome  High  134.0.6998.117/.118

Technical Summary

This high-severity vulnerability found in the Mojo framework of Chromium-based browsers including Google Chrome, Microsoft Edge, and Opera, Brave etc. The vulnerability originates from a logic error that results in an incorrect handle being provided under certain conditions. This flaw allows attackers to bypass Chrome’s sandbox protections and potentially execute arbitrary code on the affected system.

Security researchers from Kaspersky discovered this zero-day vulnerability as part of an advanced cyber-espionage campaign dubbed “Operation ForumTroll.” The attack campaign targeted media outlets, educational institutions, and government organizations in Russia through highly personalized phishing emails.

The exploit chain is particularly dangerous because it requires minimal user interaction. Victims only need to click on a malicious link in a phishing email, after which the attack executes automatically without any additional action from the user. Once triggered, the exploit allows attackers to escape Chrome’s sandbox environment, leading to remote code execution and possible system compromise.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-2783    Google Chrome (Windows)    Incorrect handle provided in Mojo, allowing sandbox escape  Remote code execution, System Compromise

Remediation:

  • Google Chrome Patch Released: Google has released security updates in Chrome versions 134.0.6998.177/.178 to address this vulnerability. Users should update immediately.

General Recommendations:

  • Enable Automatic Updates: Ensure automatic updates are enabled in Google Chrome and other Chromium-based browsers to receive future security patches promptly.
  • Phishing Awareness Training: Organizations should educate employees on identifying and avoiding phishing emails to prevent exploitation.
  • Endpoint Security Measures: Deploy endpoint detection and response (EDR) solutions to monitor and mitigate potential threats.
  • CISA Compliance for Federal Agencies: Federal agencies must adhere to CISA’s Binding Operational Directive (BOD) 22-01 to address known exploited vulnerabilities promptly.

Conclusion:

The exploitation of CVE-2025-2783 demonstrates the ongoing threat posed by sophisticated cyber-espionage activities.  Google has responded swiftly with a patch, and users are strongly advised to update their browsers immediately. Organizations should remain vigilant against phishing attempts and enhance their cybersecurity posture to mitigate similar threats in the future.

References:

Security Advisory

Critical NGINX Ingress Vulnerabilities Expose Kubernetes Clusters to Compromise 

Security Advisory

Summary:

The Kubernetes Ingress NGINX Admission Controller has detected 5 significant security vulnerabilities affecting all versions of the ingress-nginx controller prior to v1.12.1 and v1.11.5. Here are the cve ids CVE-2025-1974, CVE-2025-1098, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.

Maintainer Kubernetes ingress community 
Severity Critical 
CVSS Score 9.8 
No. of Vulnerabilities Patched 05 
Actively Exploited No 
Exploited in Wild No 
Patch Available Yes 
Advisory Version 1.0 

Overview 

Admission Controllers frequently don’t require authentication and essentially function as web servers, introducing an additional internal network-accessible endpoint in the cluster. This architecture allows attackers to access them directly from any pod in the network, significantly increasing the attack surface.

The most critical of these, CVE-2025-1974, allows attackers on the pod network to remotely execute code and gain full control of the cluster without authentication. 

Although there has not been any active exploitation in the wild, this vulnerability poses a serious risk as it could enable attackers to take complete control of a cluster.

The issue was publicly disclosed on March 24, 2025, and security patches have been released. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Admission Controller Remote Code Execution (RCE) Vulnerability  CVE-2025-1974      Ingress NGINX Admission Controller   Critical 9.8 
Configuration Injection via Unsanitized auth-tls-match-cn annotation  CVE-2025-1097 High 8.8 
Configuration Injection via Unsanitized Mirror Annotations  CVE-2025-1098 High 8.8 
Unsanitized auth-URL Injection Vulnerability  CVE-2025-24514 High 8.8 
Auth Secret File Path Traversal Vulnerability  CVE-2025-24513 Medium 4.8 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-1974         Ingress NGINX Controller v1.12.0 & v1.11.4 and below versions The Validating Admission Controller does not properly check incoming annotations, allowing attackers on the Pod network to inject configurations and potentially execute arbitrary code across the entire cluster.   Full Kubernetes cluster compromise 
  CVE-2025-1097 Improper validation of the auth-tls-match-cn annotation allows malicious annotation values to override controller configurations.  Remote code execution 
  CVE-2025-1098 Unsafe input handling in mirror annotations could result in unauthorized configuration manipulation.  Config injection, security bypass 
  CVE-2025-24514 Unsanitized input from auth-URL annotations can allow malicious URLs to modify ingress-controller behavior.  Remote code execution 
  CVE-2025-24513 A path traversal issue in handling auth secret files could let attackers access sensitive information.   Information disclosure 

Remediation

  • Apply Patches Promptly: Immediately upgrade to ingress-nginx v1.12.1, v1.11.5 or latest versions to mitigate the vulnerabilities. 
  • Temporarily Disable the Validating Admission Controller: It is mandatory to upgrade. If upgrading is not immediately possible, you can temporarily disable the Validating Admission Controller. 

General Recommendations: 

  • Set strict RBAC rules to control who can change ingress and webhook settings. 
  • Disable dynamic admission controllers if they aren’t needed. 
  • Monitor cluster audit logs for unusual ingress creation activities and suspicious annotations. 
  • Conduct security reviews and scans for clusters that have not recently been updated. 
  • Regularly check ingredients for weak or unsafe configurations. 

Conclusion: 

The Kubernetes ingress-nginx vulnerabilities disclosed in March 2025 are among the most severe to date, with CVE-2025-1974 posing a real threat of full cluster compromise. All organizations running affected versions must apply patches or mitigation steps immediately.

The vulnerabilities found are affecting the admission controller component of Ingress NGINX Controller for Kubernetes and highlight the importance of strict configuration validation and access control in Kubernetes environments. 

Security researchers from Wiz found that 43% of cloud environments are vulnerable to these vulnerabilities. They uncovered over 6,500 clusters, including Fortune 500 companies, that publicly expose vulnerable Kubernetes ingress controllers’ admission controllers to the public internet—putting them at immediate critical risk. 

References

Security Advisory

Update Google Chrome to Fix Critical Remote Code Execution Vulnerability in Lens 

OEM Google Chrome 
Severity High 
CVSS 8.8 
CVEs CVE-2025-2476 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

Google Chrome’s Lens component has been found to have a critical use-after-free vulnerability (CVE-2025-2476) that impacts Linux, Mac, and Windows. 

This vulnerability might compromise user systems by enabling remote attackers to run arbitrary code.  To lessen the danger, Google has issued security patches. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
 Use after free Vulnerability  CVE-2025-2476  Google Chrome  High  134.0.6998.117/.118 

Technical Summary 

The vulnerability exists due to a use-after-free (UAF) condition in Chrome’s Lens component. This occurs when a program continues to use memory after it has been freed, potentially leading to arbitrary code execution or system compromise. Attackers can exploit this flaw using specially crafted HTML pages that trigger heap corruption. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-2476   Windows, Mac, Linux   Use-after-free vulnerability in Chrome’s Lens component, leading to heap corruption and potential arbitrary code execution.  Remote code execution 

Remediation

  1. Open Google Chrome. 
  1. Click the three-dot menu in the upper-right corner. 
  1. Navigate to Help > About Google Chrome. 
  1. Allow Chrome to automatically check for and install the latest update. 
  1. Restart the browser to complete the update process. 
  • The update will roll out over the coming days and weeks, However, due to the critical nature of this security issue, users should not rely on automatic updates and should manually confirm they are running the latest version. 

Google has restricted detailed vulnerability information until a majority of users have applied the fix to prevent potential exploitation. 

A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user.

Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts.

Threat Intelligence :

There are currently no reports of the vulnerability being exploited in the wild.

Conclusion: 

The possibility of remote code execution makes CVE-2025-2476 a serious security risk. It is highly recommended that users upgrade their Chrome browsers ASAP.

This vulnerability emphasizes how crucial it is to keep up with security patches on time and to be vigilant about new online threats. 

References: 

Image 

Security Advisory

Zero-Day Threats Addressed in Microsoft’s March 2025 Patch Tuesday

Patch Tuesday

Continue Reading
Security Advisory

High-Severity RCE Vulnerability in WinDbg (CVE-2025-24043) 

Security Advisory

A high-severity remote code execution (RCE) vulnerability exists in Microsoft’s WinDbg debugging tool and related .NET diagnostic packages.

The vulnerability poses severe supply chain risks, as WinDbg is widely embedded in CI/CD pipelines and enterprise developer toolchains.

Compromised debugging sessions could lead to lateral movement across networks, credential theft, persistent backdoor injections, and disruption of crash dump analysis workflows.

Microsoft confirmed no viable workarounds other than immediate patching, as the lack of certificate pinning in the affected packages worsens the risk, enabling attackers to leverage forged or stolen Microsoft Authenticode certificates.

OEM Microsoft 
Severity HIGH 
CVSS 7.5  
CVEs CVE-2025-24043 
Publicly POC Available No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This issue is caused by insufficient validation of cryptographic signatures in the SOS debugging extension, potentially allowing attackers with network access to execute arbitrary code. Microsoft has released patches to address the vulnerability. 

Vulnerability Name CVE ID Product Affected Severity 
 Remote Code Execution Vulnerability  CVE-2025-24043  Microsoft Windows   High 

Technical Summary 

The vulnerability arises from the SOS debugging extension’s failure to properly validate cryptographic signatures during debugging operations.

This enables attackers with authenticated network access to inject malicious debugging components, leading to arbitrary code execution with SYSTEM privileges. The attack vector leverages NuGet package integrations in Visual Studio and .NET CLI environments, increasing the risk of supply chain compromises. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-24043  WinDbg and associated .NET diagnostic packages   Flaw in cryptographic signature validation in the SOS debugging extension allows tampered components to be loaded.  Arbitrary code execution  

Remediation

  • Update Affected Packages: Ensure that all instances of affected NuGet packages are updated to the latest patched versions. Refer to the table below for the affected and patched versions. 
  •  Upgrade WinDbg: Make sure that WinDbg is updated to the most recent release available. 
  • Audit Dependencies: Review all .NET Core project dependencies to identify and replace vulnerable packages. 
  • Monitor Network Activity: Implement monitoring for any suspicious network activity related to windbg.exe. 
  • Enforce Security Policies: Apply security policies, such as Windows Defender Application Control, to prevent the execution of unsigned debugging components. 

The table below outlines the affected and patched versions of the relevant packages: 

Package Name Affected Version Patched Version 
dotnet-sos < 9.0.607501 9.0.607501 
dotnet-dump < 9.0.557512 9.0.607501 
dotnet-debugger-extensions 9.0.557512 9.0.607601 

Conclusion: 

CVE-2025-24043 highlights the need to secure developer toolchains, as debugging environments are becoming more targeted in cyberattacks. Organizations using .NET diagnostics should quickly apply patches and implement strict security measures to reduce the risk of exploitation. With no effective workarounds available, postponing remediation heightens the chances of an attack. Prompt action is essential to safeguard critical development and production environments. 

The security impact extends beyond developers, as the exploitation of debugging tools could facilitate attacks on production infrastructure.

Additional security measures include certificate transparency logging for NuGet packages and enforcing Windows Defender Application Control (WDAC) policies to restrict unsigned debugger extensions. While no active exploits have been reported, the patching window is critical, and organizations using .NET diagnostics must act immediately before threat actors weaponize the vulnerability.

References: 

  • https://securityonline.info/windbg-remote-code-execution-vulnerability-cve-2025-24043-exposes-critical-security-risk/ 

Security Advisory

Critical Security Flaw in Kibana Requires Immediate Attention 

Kibana is a robust tool for data visualization and exploration that can be used to search, examine, and track data that is stored in Elasticsearch. A vital part of many organizations’ data analysis procedures, it offers real-time insights through interactive dashboards. 

Elastic released security updates to address a critical vulnerability, tracked as CVE-2025-25012 (CVSS score of 9.9), impacting the Kibana data visualization dashboard software for Elasticsearch.

OEM Elastic 
Severity Critical 
CVSS 9.9 
CVEs CVE-2025-25012 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A critical security vulnerability (CVE-2025-25012) has been identified in Kibana, affecting versions 8.15.0 to 8.17.2. The flaw allows attackers to execute arbitrary code, potentially compromising affected systems. Elastic has released a patch in Kibana version 8.17.3to address this issue, and users are strongly advised to update immediately. 

Vulnerability Name CVE ID Product Affected Severity 
 Arbitrary code execution Vulnerability  CVE-2025-25012  Elastic  Critical 

Technical Summary 

This vulnerability arises from improper handling of JavaScript object prototypes in Kibana’s file upload and HTTP request processing functionalities.

Attackers can exploit this flaw to inject malicious payloads, modify application behavior, and execute arbitrary code. The vulnerability is classified under CWE-1321 (Improper Control of Prototype-Based Attribute Modifications) and aligns with the MITRE ATT&CK framework under tactic T1059 (Command and Scripting Interpreter). 

Affected Versions and Exploitation Conditions: 

  • Kibana 8.15.0 – 8.17.0: Exploitable by users with the Viewer role. 
  • Kibana 8.17.1 – 8.17.2: Requires privileges fleet-all, integrations-all, and actions:execute-advanced-connectors. 
CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-25012   Kibana 8.15.0 – 8.17.2   Prototype pollution via crafted file uploads and HTTP requests, allowing manipulation of JavaScript object properties and security controls.  Remote Code Execution, Unauthorized Data Access, Lateral Movement  

Remediation

  • Upgrade: Elastic has released a security patch to address the issue. It is highly recommended to upgrade to Kibana 8.17.3 or a later version 
  • Temporary Mitigation: If upgrading is not feasible in the short term, apply the following measure to reduce risk: 
  • Disable the Integration Assistant feature by setting xpack.integration_assistant.enabled: false in kibana.yml. 

Conclusion: 

Organizations utilizing Kibana should take urgent action to patch CVE-2025-25012 by upgrading to version 8.17.3.

The vulnerability is highly severe, particularly for environments using Kibana for security monitoring, as attackers could exploit this flaw to disable alerts and manipulate detection pipelines. If patching is not immediately possible, temporary mitigations should be applied to reduce the risk of exploitation. Ensuring real-time vulnerability monitoring and implementing strict access controls are also recommended to safeguard against similar threats in the future. 

References: 

Image 

Security Advisory

Critical WordPress Security Flaw in Everest Forms Plugin 

UAE Cyber Security Council has observed a critical vulnerability in Everest Forms WordPress
plugin

Continue Reading
Scroll to top