
CVE-2025-37728: CWE-522 Insufficiently Protected Credentials in Elastic Kibana

Severity: Medium
Published: Tue Oct 07 2025 (10/07/2025, 13:54:49 UTC)
Source: CVE Database V5
Vendor/Project: Elastic
Product: Kibana

Description

Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which they have access.

AI-Powered Analysis

Last updated: 10/07/2025, 14:15:59 UTC

Technical Analysis

CVE-2025-37728 is a vulnerability classified under CWE-522 (Insufficiently Protected Credentials) found in Elastic Kibana's Crowdstrike connector component. The flaw allows an attacker with limited privileges (PR:L) and requiring user interaction (UI:R) to access cached Crowdstrike credentials belonging to other spaces within the same Kibana instance. Specifically, a malicious user who can create and run a Crowdstrike connector in a space they have access to can retrieve credentials cached from other spaces, breaching the intended isolation between spaces. This vulnerability affects multiple Kibana versions, including 7.0.0, 8.14.0, 8.19.0, 9.0.0, and 9.1.0. The CVSS v3.1 score is 5.4 (medium), reflecting network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), user interaction required (UI:R), and a scope change (S:C) with limited confidentiality and integrity impacts (C:L, I:L), and no availability impact (A:N). The vulnerability arises from insufficient credential protection mechanisms in the Crowdstrike connector, leading to potential credential leakage across spaces, which could enable further lateral movement or escalation if exploited. No public exploits have been reported yet, but the vulnerability's presence in widely used Kibana versions and the sensitivity of Crowdstrike credentials make it a significant concern.

Potential Impact

For European organizations, this vulnerability poses a risk to the confidentiality of Crowdstrike credentials used within Elastic Kibana environments. Exposure of these credentials could allow attackers to impersonate legitimate Crowdstrike integrations, potentially leading to unauthorized access to endpoint detection and response data or manipulation of security telemetry. This could undermine incident detection and response capabilities, increasing the risk of undetected breaches. Organizations with multi-tenant Kibana deployments or those using spaces to segregate teams or departments are particularly exposed, as the flaw allows cross-space credential leakage. The impact is heightened in sectors with stringent data protection requirements, such as finance, healthcare, and critical infrastructure, common across Europe. While the CVSS vector records no availability impact and only low direct confidentiality and integrity impacts, the compromise of credentials can lead to broader security incidents. The medium severity rating indicates a moderate risk but should not be underestimated given the strategic importance of Crowdstrike credentials in security operations.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Immediately review and restrict access controls to Kibana spaces, ensuring that only trusted users can create or run Crowdstrike connectors.
2) Implement strict role-based access control (RBAC) policies to minimize privilege levels, especially limiting the ability to create connectors across spaces.
3) Monitor and audit Crowdstrike connector usage and access logs to detect unusual activity or unauthorized attempts to create connectors.
4) Segregate sensitive environments and consider isolating Crowdstrike connectors to dedicated spaces with minimal user access.
5) Apply any patches or updates released by Elastic promptly once available, as the current information indicates no patch links yet.
6) Educate administrators and users about the risks of credential leakage and enforce strong credential management practices, including regular rotation of Crowdstrike credentials.
7) Consider additional network segmentation and monitoring around Kibana instances to detect lateral movement attempts leveraging leaked credentials.
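As an added illustration of mitigation step 3 (not part of the advisory or of Elastic's code), the following script flags the "create a connector, then run it" pattern the CVE describes when it is performed by a user outside a connector-admin allowlist. The log lines are constructed; the JSON shape and the `connector_create` / `connector_execute` action names are assumed to follow Kibana audit-log naming and should be checked against your own deployment's audit output.

```python
import json
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed Kibana-audit-log-like field names).
SAMPLE_LOG = """
{"@timestamp":"2025-10-08T09:00:01Z","event":{"action":"connector_create","outcome":"success"},"user":{"name":"secops-admin"},"kibana":{"space_id":"security","saved_object":{"type":"action","id":"c-100"}}}
{"@timestamp":"2025-10-08T09:05:00Z","event":{"action":"connector_execute","outcome":"success"},"user":{"name":"secops-admin"},"kibana":{"space_id":"security","saved_object":{"type":"action","id":"c-100"}}}
{"@timestamp":"2025-10-08T10:12:30Z","event":{"action":"connector_create","outcome":"success"},"user":{"name":"marketing-user"},"kibana":{"space_id":"marketing","saved_object":{"type":"action","id":"c-200"}}}
{"@timestamp":"2025-10-08T10:12:41Z","event":{"action":"connector_execute","outcome":"success"},"user":{"name":"marketing-user"},"kibana":{"space_id":"marketing","saved_object":{"type":"action","id":"c-200"}}}
{"@timestamp":"2025-10-08T11:00:00Z","event":{"action":"connector_get","outcome":"success"},"user":{"name":"analyst"},"kibana":{"space_id":"security","saved_object":{"type":"action","id":"c-100"}}}
"""

# Constructed allowlist: accounts expected to manage connectors (hypothetical).
ALLOWED_CONNECTOR_ADMINS = {"secops-admin"}
WINDOW = timedelta(minutes=10)  # create followed by execute within this window

Event = namedtuple("Event", "ts action user space connector")


def parse_events(text):
    """Parse one JSON audit record per line into Event tuples."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append(Event(
            ts=datetime.strptime(rec["@timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            action=rec["event"]["action"],
            user=rec["user"]["name"],
            space=rec["kibana"]["space_id"],
            connector=rec["kibana"]["saved_object"]["id"],
        ))
    return events


def find_create_then_execute(events, allowed=ALLOWED_CONNECTOR_ADMINS, window=WINDOW):
    """Return findings where a non-allowlisted user created a connector and then
    executed the same connector in the same space within `window`."""
    creates = {}   # (user, space, connector) -> creation timestamp
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.user, e.space, e.connector)
        if e.action == "connector_create":
            creates[key] = e.ts
        elif e.action == "connector_execute" and key in creates:
            if e.user not in allowed and e.ts - creates[key] <= window:
                findings.append({"user": e.user, "space": e.space, "connector": e.connector})
    return findings


if __name__ == "__main__":
    for f in find_create_then_execute(parse_events(SAMPLE_LOG)):
        print("review:", f)
```

The sample run reports only `marketing-user` in space `marketing`; the allowlisted admin's identical sequence and the unrelated `connector_get` are ignored.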


Technical Details

Data Version: 5.1
Assigner Short Name: elastic
Date Reserved: 2025-04-16T03:24:04.510Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e51d0ca677756fc991120e

Added to database: 10/7/2025, 2:00:44 PM

Last enriched: 10/7/2025, 2:15:59 PM

Last updated: 10/9/2025, 4:21:39 PM
