
CVE-2025-62371: CWE-295: Improper Certificate Validation in opensearch-project data-prepper

Severity: High
Published: Wed Oct 15 2025 (10/15/2025, 17:25:43 UTC)
Source: CVE Database V5
Vendor/Project: opensearch-project
Product: data-prepper

Description

OpenSearch Data Prepper is an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by default when no certificate path is provided. Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust-all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypasses SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks. The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided. This issue has been patched in version 2.12.2. As a workaround, users can add the cert parameter to their OpenSearch sink or source configuration with the path to the cluster's CA certificate.

AI-Powered Analysis

Last updated: 10/15/2025, 17:48:57 UTC

Technical Analysis

CVE-2025-62371 identifies an improper certificate validation vulnerability (CWE-295) in the OpenSearch Data Prepper project, specifically in the OpenSearch sink and source plugins prior to version 2.12.2. Data Prepper is an open-source data collector used to aggregate observability data such as logs and metrics. The vulnerability arises because, when no certificate path is provided in the plugin configuration, the plugin defaults to a 'trust all' SSL strategy, effectively disabling SSL certificate validation. This behavior allows an attacker positioned on the network path to perform man-in-the-middle (MITM) attacks by intercepting and potentially modifying data transmitted between Data Prepper and OpenSearch clusters. The vulnerability affects the confidentiality and integrity of data in transit but does not impact availability. Exploitation does not require authentication or user interaction, but it has a high attack complexity due to the need for network positioning. The issue was patched in version 2.12.2 by enforcing proper certificate validation or requiring explicit configuration of the CA certificate path. Until patched, users can mitigate risk by specifying the cert parameter with the path to the cluster's CA certificate in their Data Prepper configuration. No known exploits are reported in the wild as of the publication date. The CVSS v3.1 score is 7.4 (high), reflecting the network attack vector, no privileges required, no user interaction, and high impact on confidentiality and integrity.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of observability data collected and transmitted to OpenSearch clusters. Observability data often includes logs, metrics, and traces critical for monitoring, troubleshooting, and security analytics. An attacker exploiting this vulnerability could intercept sensitive operational data, manipulate logs to hide malicious activity, or inject false data to mislead monitoring systems. This could impair incident detection and response capabilities, potentially leading to prolonged undetected breaches or operational disruptions. Organizations in sectors such as finance, energy, telecommunications, and government, which rely heavily on observability platforms for security and compliance, are particularly vulnerable. The vulnerability does not directly affect availability, but the indirect effects on security monitoring could have severe operational consequences. Given the network-based attack vector, organizations with exposed or poorly segmented network environments are at higher risk. The lack of required authentication lowers the barrier for exploitation if network access is gained. The vulnerability’s impact is amplified in environments where Data Prepper is deployed without explicit SSL certificate configuration, a common misconfiguration in complex observability setups.

Mitigation Recommendations

European organizations should immediately upgrade OpenSearch Data Prepper to version 2.12.2 or later to apply the official patch that enforces proper SSL certificate validation. Until an upgrade is possible, the critical mitigation is to explicitly configure the cert parameter in the OpenSearch sink and source plugin settings with the path to the trusted CA certificate of the OpenSearch cluster. This ensures SSL certificate validation is performed and prevents the default 'trust all' behavior. Network segmentation should be enforced to limit access to OpenSearch clusters and Data Prepper instances, reducing the risk of MITM attacks. Organizations should also audit existing Data Prepper configurations to detect any instances where the cert parameter is missing or SSL validation is disabled. Monitoring network traffic for suspicious MITM activity and validating the integrity of observability data can help detect exploitation attempts. Additionally, implementing mutual TLS authentication between Data Prepper and OpenSearch clusters can further strengthen security. Security teams should review and update incident response plans to consider potential data manipulation scenarios arising from this vulnerability. Finally, educating DevOps and security teams about secure configuration practices for observability tools is essential to prevent similar issues.
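The configuration audit recommended above, as an added example (not code from the Data Prepper project): it walks a loaded pipelines.yaml structure and reports every opensearch source or sink that omits the cert parameter. It assumes the usual Data Prepper layout (top-level pipeline names, a `source` mapping and a `sink` list, each entry `{plugin_name: options}`) and, as an assumption, that an explicit `insecure: true` key is the other way validation gets switched off.

```python
from typing import Any, Dict, List

# Constructed sample mirroring a pipelines.yaml after yaml.safe_load();
# hosts and paths are placeholders, not real deployments.
SAMPLE_PIPELINES: Dict[str, Any] = {
    "log-pipeline": {
        "source": {"http": {"port": 2021}},
        "sink": [
            {"opensearch": {"hosts": ["https://os-a.example:9200"]}},  # no cert
        ],
    },
    "replay-pipeline": {
        "source": {"opensearch": {"hosts": ["https://os-b.example:9200"],
                                  "cert": "/etc/pki/os-ca.pem"}},
        "sink": [
            {"opensearch": {"hosts": ["https://os-b.example:9200"],
                            "cert": "/etc/pki/os-ca.pem", "insecure": True}},
            {"stdout": {}},
        ],
    },
}


def _plugin_entries(section: Any) -> List[Dict[str, Any]]:
    """Normalise a source (one mapping) or sink (list of mappings) to a list."""
    if isinstance(section, dict):
        return [section]
    if isinstance(section, list):
        return [e for e in section if isinstance(e, dict)]
    return []


def audit_pipelines(config: Dict[str, Any]) -> List[str]:
    """One finding per opensearch plugin that would fall back to trust-all."""
    findings: List[str] = []
    for name, pipeline in (config or {}).items():
        for role in ("source", "sink"):
            for entry in _plugin_entries((pipeline or {}).get(role)):
                if "opensearch" not in entry:
                    continue
                opts = entry.get("opensearch") or {}  # `opensearch:` with no options
                where = f"{name}/{role}/opensearch"
                if not opts.get("cert"):
                    findings.append(f"{where}: no 'cert' configured (default trust-all before 2.12.2)")
                if opts.get("insecure") is True:  # assumed explicit trust-all switch
                    findings.append(f"{where}: 'insecure: true' disables certificate validation")
    return findings


def load_pipelines(path: str) -> Dict[str, Any]:
    """Load a real pipelines.yaml; PyYAML is needed only for this helper."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    for line in audit_pipelines(SAMPLE_PIPELINES):
        print(line)
```

Run it against `load_pipelines("/path/to/pipelines.yaml")` on each Data Prepper host; an empty result means every OpenSearch connection has a CA path configured.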


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-10T14:22:48.204Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68efdcb86817339dcf782799

Added to database: 10/15/2025, 5:41:12 PM

Last enriched: 10/15/2025, 5:48:57 PM

Last updated: 10/15/2025, 6:48:26 PM
