CVE-2025-25010
BaseFortify

Publication date: 2025-08-28

Last updated on: 2025-10-01

Assigner: Elastic

Description
Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces.
Meta Information
Published: 2025-08-28
Last Modified: 2025-10-01
Generated: 2026-05-07
AI Q&A: 2025-08-28
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor    Product    Version / Range
elastic   kibana     From 9.0.0 (inc) to 9.0.6 (exc)
elastic   kibana     From 9.1.0 (inc) to 9.1.3 (exc)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-25010 is a privilege escalation vulnerability in Kibana versions 9.0.0 through 9.0.5 and 9.1.0 through 9.1.2. It involves the built-in reporting_user role, which incorrectly grants users read access to all Kibana Spaces, allowing them to generate reports and access assets like Discover, Dashboards, Visualization Library, and Canvas across all Spaces. Previously, this role only allowed reporting within Spaces the user was authorized to access. The vulnerability does not grant access to additional user documents or indices beyond existing index privileges. [1]


How can this vulnerability impact me?

This vulnerability can allow users assigned the reporting_user role to escalate their privileges by accessing and generating reports across all Kibana Spaces, even those they should not have access to. This could lead to unauthorized disclosure of sensitive information contained in dashboards and visualizations. Although it does not allow access to additional index data beyond existing permissions, the exposure of reporting data across all Spaces can pose a significant risk. API keys created by affected users also retain these elevated privileges, increasing the risk if not invalidated. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect exposure to this vulnerability by checking whether any users or API keys hold the built-in reporting_user role on Kibana versions 9.0.0 through 9.0.5 and 9.1.0 through 9.1.2. Since the vulnerability is privilege escalation via this role, auditing role assignments is key. Use Kibana's API or management UI to list users and their roles; for example, call `GET /api/security/user` and check the results for reporting_user assignments. Also review API keys created by users holding the reporting_user role, as these retain the elevated privileges and should be invalidated. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Kibana to version 9.0.6 or 9.1.3 or later, where the vulnerability is fixed. If upgrading is not possible immediately, revoke the reporting_user role from all end users and API keys, as it is not assigned by default and only assigned in some deployments. Instead, create custom roles that grant appropriate reporting access without the privilege escalation risk. Additionally, invalidate any API keys created by users with the reporting_user role in affected versions to remove elevated privileges. [1]
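The audit described in the two answers above, as an added example that is not BaseFortify's or Elastic's code: it checks a Kibana version against the affected ranges and flags users and active API keys tied to the reporting_user role. The input shapes are assumed to match Elasticsearch's `GET /_security/user` and `GET /_security/api_key` responses (`roles` per user, `limited_by` per key); the sample data is constructed.

```python
"""Audit helper for CVE-2025-25010 (added example, not the advisory's own tooling)."""
import json

# Affected ranges from the advisory: [9.0.0, 9.0.6) and [9.1.0, 9.1.3)
AFFECTED_RANGES = [((9, 0, 0), (9, 0, 6)), ((9, 1, 0), (9, 1, 3))]
ROLE = "reporting_user"


def parse_version(version):
    """'9.0.5' -> (9, 0, 5); a pre-release suffix such as '-beta1' is ignored."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True when the version falls inside one of the vulnerable ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def users_with_role(users_json, role=ROLE):
    """users_json: {username: {"roles": [...], ...}} (assumed API shape)."""
    return sorted(u for u, info in users_json.items() if role in info.get("roles", []))


def api_keys_with_role(api_keys_json, role=ROLE):
    """Return ids of non-invalidated keys whose owner held `role` at creation.
    'limited_by' is a list of {role_name: descriptor} maps (assumed API shape)."""
    hits = []
    for key in api_keys_json.get("api_keys", []):
        if key.get("invalidated"):
            continue  # already revoked; nothing left to invalidate
        if any(role in entry for entry in key.get("limited_by", [])):
            hits.append(key["id"])
    return hits


def audit(version, users_json, api_keys_json):
    """Combine the three checks into one report dict."""
    return {"affected_version": is_affected(version),
            "users": users_with_role(users_json),
            "api_keys": api_keys_with_role(api_keys_json)}


# Constructed sample data standing in for the two API responses.
SAMPLE_USERS = {"alice": {"roles": ["reporting_user", "viewer"]},
                "bob": {"roles": ["viewer"]}}
SAMPLE_KEYS = {"api_keys": [
    {"id": "key1", "username": "alice", "invalidated": False, "limited_by": [{"reporting_user": {}, "viewer": {}}]},
    {"id": "key2", "username": "bob", "invalidated": False, "limited_by": [{"viewer": {}}]},
    {"id": "key3", "username": "alice", "invalidated": True, "limited_by": [{"reporting_user": {}}]}]}

if __name__ == "__main__":
    print(json.dumps(audit("9.0.5", SAMPLE_USERS, SAMPLE_KEYS), indent=2))
```

Users listed under "users" need a custom reporting role instead of reporting_user, and keys listed under "api_keys" are the ones to invalidate.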

