A critical security issue in the Kibana CrowdStrike Connector has been discovered that allows attackers to access stored CrowdStrike credentials across different spaces within the same deployment.
Tracked as CVE-2025-37728, the flaw stems from insufficient protection of credentials cached when the connector is created in one workspace.
Elastic has released patches and urges all users to upgrade immediately to prevent unauthorized disclosure of sensitive API keys.
Vulnerability Details
The vulnerability arises because the CrowdStrike Connector stores API credentials in a shared cache that is accessible to any authenticated user across spaces.
When a connector is instantiated in one space, the credentials used to query the CrowdStrike API are written to a cache with inadequate isolation controls.
A malicious user with access to any other space in the same Kibana instance can exploit this weakness to retrieve the cached credentials belonging to a different space.
Although no direct data modification or deletion is possible through this flaw, leaked credentials can enable attackers to query CrowdStrike APIs, gather sensitive threat intelligence, and potentially manipulate incident response workflows.
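The defect described above is, in essence, a credential cache whose lookup ignores which space the caller is in. The following TypeScript (TypeScript because Kibana is written in it) is an added, constructed illustration and is not Kibana's connector code: every class, field and identifier in it is hypothetical. It places the weakly keyed cache beside a space-scoped one and performs the same cross-space read against both, which is the check a reviewer would want before trusting any shared cache that holds secrets.

```typescript
// Added illustration of the isolation defect the article describes, NOT Kibana's
// connector code: class and function names here are hypothetical.

interface CrowdStrikeCredentials {
  clientId: string;
  clientSecret: string;
}

// Request context as a space-aware caller would carry it (constructed for the example).
interface CallerContext {
  spaceId: string;
  userId: string;
}

// Weak pattern: one process-wide cache keyed only by connector id. Nothing in the
// lookup path records which space wrote the entry, so a caller from any space that
// knows the connector id gets the same credentials back.
class SharedCredentialCache {
  private readonly store = new Map<string, CrowdStrikeCredentials>();

  put(connectorId: string, creds: CrowdStrikeCredentials): void {
    this.store.set(connectorId, creds);
  }

  get(_ctx: CallerContext, connectorId: string): CrowdStrikeCredentials | undefined {
    return this.store.get(connectorId); // the caller's space is ignored
  }
}

// Hardened pattern: the space id is part of the cache key, and it is taken from the
// caller's request context rather than from a caller-supplied parameter, so an entry
// written in space A is unreachable from space B even with the same connector id.
class SpaceScopedCredentialCache {
  private readonly store = new Map<string, CrowdStrikeCredentials>();

  // JSON-encode the tuple instead of string-concatenating, so ids that contain the
  // separator character cannot collide ("a" + "b-c" vs "a-b" + "c").
  private key(spaceId: string, connectorId: string): string {
    return JSON.stringify([spaceId, connectorId]);
  }

  put(ctx: CallerContext, connectorId: string, creds: CrowdStrikeCredentials): void {
    this.store.set(this.key(ctx.spaceId, connectorId), creds);
  }

  get(ctx: CallerContext, connectorId: string): CrowdStrikeCredentials | undefined {
    return this.store.get(this.key(ctx.spaceId, connectorId));
  }

  // Drop every entry that belongs to one space, e.g. when its API keys are rotated.
  evictSpace(spaceId: string): number {
    let removed = 0;
    for (const k of Array.from(this.store.keys())) {
      const [s] = JSON.parse(k) as [string, string];
      if (s === spaceId) {
        this.store.delete(k);
        removed++;
      }
    }
    return removed;
  }
}

// Runs the same cross-space read against both caches and reports whether the
// credentials written in "space-a" were readable from "space-b".
function demonstrateIsolation(): { sharedLeaks: boolean; scopedLeaks: boolean; ownerStillWorks: boolean } {
  // Constructed sample values; nothing here is a real credential or connector id.
  const creds: CrowdStrikeCredentials = { clientId: "constructed-id", clientSecret: "constructed-secret" };
  const writer: CallerContext = { spaceId: "space-a", userId: "analyst-a" };
  const reader: CallerContext = { spaceId: "space-b", userId: "user-b" };
  const connectorId = "crowdstrike-connector-1";

  const shared = new SharedCredentialCache();
  shared.put(connectorId, creds);
  const sharedLeaks = shared.get(reader, connectorId)?.clientSecret === creds.clientSecret;

  const scoped = new SpaceScopedCredentialCache();
  scoped.put(writer, connectorId, creds);
  const scopedLeaks = scoped.get(reader, connectorId) !== undefined;
  const ownerStillWorks = scoped.get(writer, connectorId)?.clientSecret === creds.clientSecret;

  return { sharedLeaks, scopedLeaks, ownerStillWorks };
}
```

The design point is that tenancy must be part of the key and must come from server-side request context; a cache that accepts the space id as a plain argument from the caller is only as isolated as the caller is honest. The `evictSpace` helper exists because, after a key rotation, stale cached secrets should be purged rather than left to expire.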
Affected Versions and Impact
The issue impacts multiple versions of Kibana that include the CrowdStrike Connector before the patched releases.
Both unsupported and supported releases in the 7.x, 8.x, and early 9.x series are vulnerable.
The flaw is rated Medium severity with a CVSS 3.1 score of 5.4: successful exploitation requires limited privileges and some user interaction, and leads to partial loss of confidentiality.
| CVE ID | Affected Versions | Impact | CVSS 3.1 Score |
|---|---|---|---|
| CVE-2025-37728 | 7.x: ≤ 7.17.29; 8.x: 8.14.0 to 8.18.7; 8.19.x: 8.19.0 to 8.19.4; 9.0.x: 9.0.0 to 9.0.7; 9.1.x: 9.1.0 to 9.1.4 | Partial credential leak | 5.4 |
Elastic has addressed this vulnerability in the following patched releases: 8.18.8, 8.19.5, 9.0.8, and 9.1.5. No workaround or temporary mitigation exists, making timely upgrades the only effective measure.
Administrators should:
- Verify their current Kibana version and schedule an immediate upgrade to one of the fixed releases.
- After upgrading, review all CrowdStrike Connector configurations to ensure they operate correctly.
- Rotate any CrowdStrike API keys that may have been exposed before the patch deployment.
- Engage with security teams to confirm connector health and review access controls across spaces.
- Monitor Elastic’s security announcements channel for additional guidance or future updates.
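For the first step, checking the running version against the advisory's ranges, here is an added TypeScript helper (not Elastic's tooling). The affected ranges and the fixed releases are copied from the table above; the function names, the "7.0.0" lower bound used for the open-ended 7.x row, the rule for choosing an upgrade target, and the assumed `version.number` field in the body returned by Kibana's `GET /api/status` endpoint are all assumptions made for this example.

```typescript
// Added helper for the "verify your Kibana version" step. The ranges and fixed
// releases come from the advisory table; everything else is an assumption.

type Version = [number, number, number];

function parseVersion(s: string): Version {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(s.trim());
  if (!m) throw new Error(`unparseable version string: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a: Version, b: Version): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive affected ranges as listed in the advisory table. The "7.x: <= 7.17.29"
// row gives no lower bound, so 7.0.0 is assumed here.
const AFFECTED_RANGES: ReadonlyArray<readonly [Version, Version]> = [
  [[7, 0, 0], [7, 17, 29]],
  [[8, 14, 0], [8, 18, 7]],
  [[8, 19, 0], [8, 19, 4]],
  [[9, 0, 0], [9, 0, 7]],
  [[9, 1, 0], [9, 1, 4]],
];

// Patched releases named in the advisory, in ascending order.
const FIXED_RELEASES: ReadonlyArray<Version> = [
  [8, 18, 8],
  [8, 19, 5],
  [9, 0, 8],
  [9, 1, 5],
];

function isAffected(version: string): boolean {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    ([lo, hi]) => compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0,
  );
}

// Upgrade-target rule (an assumption, not Elastic's guidance): stay on the same
// major.minor line when a fix exists there, otherwise take the lowest fixed release
// above the running version. Returns null when no upgrade is required.
function recommendedUpgrade(version: string): string | null {
  if (!isAffected(version)) return null;
  const v = parseVersion(version);
  const sameLine = FIXED_RELEASES.find((f) => f[0] === v[0] && f[1] === v[1]);
  const target = sameLine ?? FIXED_RELEASES.find((f) => compareVersions(f, v) > 0);
  return target ? target.join(".") : null;
}

// Evaluates the JSON body of Kibana's status endpoint (GET /api/status). The example
// assumes the running version is reported at `version.number`.
function assessStatusResponse(body: string): { version: string; affected: boolean; upgradeTo: string | null } {
  const parsed = JSON.parse(body) as { version?: { number?: string } };
  const version = parsed.version?.number;
  if (!version) throw new Error("status response has no version.number field");
  return { version, affected: isAffected(version), upgradeTo: recommendedUpgrade(version) };
}

// Constructed sample body standing in for a real status response.
const SAMPLE_STATUS_BODY = JSON.stringify({ version: { number: "8.19.2" } });
```

Feed it the body of a status request made with an administrator's credentials (for instance the output of `curl -u <user> https://<kibana-host>/api/status`, with the placeholders filled in for your deployment) and act on `upgradeTo`. Versions below 8.14.0 on the 8.x line fall outside the published affected ranges and the helper reports them as not affected; whether they ship the connector at all is not something the advisory states, so treat that result as "not listed" rather than "safe".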
By following these steps, organizations can restore proper isolation of API credentials and prevent attackers from exploiting the cache mechanism.
Ensuring credential confidentiality and maintaining secure connectors are essential to preserving the integrity of threat intelligence workflows in Kibana.
Continuous vigilance and prompt patch management remain the best defenses against such vulnerabilities.