CVE-2025-12149: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in floragunn Search Guard FLX
In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices.
AI Analysis
Technical Summary
CVE-2025-12149 is a vulnerability in floragunn's Search Guard FLX, a security plugin for Elasticsearch that provides fine-grained access control, including Document-Level Security (DLS). DLS works by attaching a per-role filter query to every search a user runs against a protected index, so the user only ever sees the documents that filter matches. In Search Guard FLX 3.1.2 and earlier that filter is applied to ordinary searches but not to searches run by a Signals watch, the plugin's alerting and monitoring component. A watch's search check therefore executes without the DLS restriction, and a user who can get a watch to run a search can read every document in the indices the watch queries, including documents that DLS would hide from a direct search by the same user. The CVE record classifies the weakness as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor); this analysis also cites CWE-863 (Incorrect Authorization), which describes the root cause more precisely. The CVSS 4.0 vector is network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N) and high confidentiality impact (VC:H), with no integrity or availability impact. In practice the prerequisites are an authenticated account that can define or execute Signals watches and that has read access to an index with DLS applied; nothing else is needed. At the time of this analysis no patch or public exploit was listed, although the CVE is published. The flaw is an enforcement gap: a control that is correct on the main search path is missing on the Signals path, so the DLS policy cannot be relied on for any user who can reach that path.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of data held in Elasticsearch clusters protected by Search Guard FLX. Finance, healthcare, government and critical-infrastructure operators that use Elasticsearch for log management, monitoring and alerting, and that rely on DLS to partition a shared index among tenants, regions or clearance levels, are the most exposed, because a single watch search can return the whole index. Disclosure of such documents can mean GDPR non-compliance, reputational damage and financial loss. The flaw is not a privilege escalation in the usual sense: the attacker gains no new roles or permissions. It is an authorization bypass in which an existing low-privilege account, whether an insider or an account taken over through phishing or credential reuse, reads documents its DLS filter is supposed to hide, so any user who can create or run watches must be treated as having unfiltered read access to every index their index permissions allow. Because the vector records no integrity or availability impact, the damage is limited to disclosure, but disclosure of regulated data is severe on its own. The absence of a known public exploit lowers the immediate likelihood; it does not remove the threat, since the advisory text alone tells an attacker what to try.
Mitigation Recommendations
European organizations should treat the upgrade as the fix: move to the Search Guard FLX release that floragunn identifies as patched for CVE-2025-12149 (the advisory names 3.1.2 and earlier as affected; confirm the fixed version with floragunn rather than assuming the next release). Until that is possible, the interim controls follow from the mechanism: the exposure exists only for accounts that both depend on a DLS filter and can get a Signals watch to run a search. Enumerate those accounts by reviewing sg_roles.yml and the role mappings for roles that carry a dls clause on an index pattern together with any Signals permission, keeping in mind that a user may hold the two halves through two different roles. For those users, remove the Signals permissions, or move watch creation to a dedicated account whose index permissions are limited at the index level to data it may legitimately read in full; the advisory reports only the DLS filter as bypassed, so index-level restrictions remain the control to rely on. Audit existing watches for searches that target DLS-protected indices and review who created them. Where Signals is not essential, disable it. To verify exposure on a test cluster, run the same query once directly as a DLS-restricted test user and once from a watch created by that user: a larger hit count from the watch confirms the bypass, and an equal count after upgrading confirms the fix. Maintain network segmentation and strict access control around the cluster, monitor Signals and search activity for unusual queries, and keep reviewing RBAC policies against least privilege. Engage floragunn support for any interim workaround, and track this CVE in incident response and risk management processes so that remediation is confirmed rather than assumed.
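The role review described in the mitigations above, as an added example that is not part of this advisory or of Search Guard's own code. It is a Python audit over the parsed contents of sg_roles.yml and sg_roles_mapping.yml (the dictionaries yaml.safe_load() returns), flagging every role, and every user across the union of their mapped roles, that combines a DLS filter on some index pattern with a Signals permission. The SGS_SIGNALS_* action-group names and their placement under tenant_permissions are assumptions taken from the Signals documentation; the check matches any action containing "signals" so custom groups or raw action names are caught too. The sample roles and mappings are constructed for the example and do not describe a real deployment.

```python
"""Audit Search Guard FLX role definitions for the CVE-2025-12149 exposure pattern.

Added example, not Search Guard's own code. Input is the structure
yaml.safe_load() returns for sg_roles.yml and sg_roles_mapping.yml. A user is
exposed when, across all roles mapped to them, some index pattern is protected
only by a DLS query and some role grants a Signals permission: per the advisory,
a watch search against that index returns every document. SGS_SIGNALS_* names
are assumed from the Signals docs; any action containing "signals" is matched.
"""
import copy
import json

EMEA_DLS = json.dumps({"term": {"region": "emea"}})

# Constructed sample data (not a real deployment).
SAMPLE_ROLES = {
    "analyst_emea": {  # exposed on its own: DLS plus Signals
        "cluster_permissions": ["SGS_CLUSTER_COMPOSITE_OPS_RO"],
        "index_permissions": [
            {"index_patterns": ["customers-*"], "dls": EMEA_DLS, "allowed_actions": ["SGS_READ"]},
            {"index_patterns": ["public-*"], "allowed_actions": ["SGS_READ"]},
        ],
        "tenant_permissions": [
            {"tenant_patterns": ["SGS_GLOBAL_TENANT"], "allowed_actions": ["SGS_SIGNALS_ALL"]}
        ],
    },
    "signals_operator": {  # Signals, but no DLS anywhere to bypass
        "cluster_permissions": ["SGS_SIGNALS_WATCH_MANAGE"],
        "index_permissions": [{"index_patterns": ["metrics-*"], "allowed_actions": ["SGS_READ"]}],
    },
    "readonly_emea": {  # DLS, but cannot create or run a watch
        "index_permissions": [
            {"index_patterns": ["customers-*"], "dls": EMEA_DLS, "allowed_actions": ["SGS_READ"]}
        ],
    },
}
SAMPLE_ROLE_MAPPING = {
    "analyst_emea": {"users": ["alice"]},
    "signals_operator": {"users": ["bob"]},
    "readonly_emea": {"users": ["bob", "carol"]},  # bob holds both halves via two roles
}


def _is_signals_action(action):
    return "signals" in action.lower()


def signals_actions(role):
    """Signals-related actions granted via cluster or tenant permissions."""
    found = [a for a in role.get("cluster_permissions", []) if _is_signals_action(a)]
    for tp in role.get("tenant_permissions", []):
        found.extend(a for a in tp.get("allowed_actions", []) if _is_signals_action(a))
    return found


def dls_indices(role):
    """Index patterns on which the role relies on a DLS query."""
    return [p for ip in role.get("index_permissions", []) if ip.get("dls")
            for p in ip.get("index_patterns", [])]


def find_exposed_roles(roles):
    """Roles that combine DLS with Signals permissions, with the reason."""
    exposed = {}
    for name, role in roles.items():
        sig, dls = signals_actions(role), dls_indices(role)
        if sig and dls:
            exposed[name] = {"dls_indices": dls, "signals_actions": sig}
    return exposed


def find_exposed_users(roles, mapping):
    """Users exposed through the union of their mapped roles (direct user mappings only)."""
    user_roles = {}
    for role_name, m in mapping.items():
        for user in m.get("users", []):
            user_roles.setdefault(user, []).append(role_name)
    exposed = {}
    for user, names in sorted(user_roles.items()):
        dls = [p for n in names for p in dls_indices(roles[n])]
        sig = [a for n in names for a in signals_actions(roles[n])]
        if dls and sig:
            exposed[user] = {"roles": names, "dls_indices": dls, "signals_actions": sig}
    return exposed


def strip_signals(role):
    """Copy of a role with Signals actions removed: the interim fix for an exposed role."""
    hardened = copy.deepcopy(role)
    if "cluster_permissions" in hardened:
        hardened["cluster_permissions"] = [
            a for a in hardened["cluster_permissions"] if not _is_signals_action(a)
        ]
    for tp in hardened.get("tenant_permissions", []):
        tp["allowed_actions"] = [a for a in tp.get("allowed_actions", []) if not _is_signals_action(a)]
    return hardened


if __name__ == "__main__":
    for name, info in find_exposed_roles(SAMPLE_ROLES).items():
        print(f"role {name}: DLS on {info['dls_indices']} bypassable via {info['signals_actions']}")
    for user, info in find_exposed_users(SAMPLE_ROLES, SAMPLE_ROLE_MAPPING).items():
        print(f"user {user}: roles {info['roles']} combine DLS {info['dls_indices']} "
              f"with {info['signals_actions']}")
```

Against the sample data the role check flags only analyst_emea, while the user check also flags bob, who gets DLS from readonly_emea and watch management from signals_operator; that second case is why the review has to be done per user, not per role. The check is a static heuristic: it does not cover backend-role mappings or prove that a given watch can be executed, so treat its output as the list of accounts to restrict or retest, not as a clean bill of health.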
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
Data Version: 5.2
Assigner Short Name: floragunn
Date Reserved: 2025-10-24T11:00:56.054Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 691737213d7715a824c0d570
Added to database: 11/14/2025, 2:05:21 PM
Last enriched: 11/21/2025, 3:08:52 PM
Last updated: 1/7/2026, 6:12:29 AM