Search Guard FLX Vulnerability (CVE-2025-12149) Allows DLS Bypass

Information Disclosure Flaw in Search Guard FLX Allows Bypass of Document-Level Security

MEDIUM
November 15, 2025
Vulnerability, Data Breach, Security Operations

Related Entities

Organizations

floragunn

Products & Tech

Search Guard FLX, Elasticsearch

CVE Identifiers

CVE-2025-12149 - MEDIUM (CVSS 6.0)

Full Report

Executive Summary

A medium-severity information disclosure vulnerability, CVE-2025-12149, has been discovered in floragunn's Search Guard FLX, a popular security plugin for Elasticsearch. The flaw allows for the bypass of Document-Level Security (DLS), a critical feature for data segregation in multi-tenant environments. An attacker with low privileges can exploit this bug by using the Signals alerting feature to run a search, which fails to properly enforce the DLS rules. This could lead to the exposure of sensitive data to unauthorized users. The vulnerability affects all versions up to and including 3.1.2.


Vulnerability Details

  • CVE-2025-12149 - Search Guard FLX DLS Bypass Vulnerability
    • CVSS Score: 6.0 (Medium)
    • Description: The vulnerability exists in the interaction between the Signals alerting component and the Document-Level Security (DLS) engine. When a search query is initiated via a Signals watch, the DLS filtering logic is not correctly applied.
    • Attack Vector: A remote attacker with low-level privileges, specifically the ability to create or trigger a Signals watch, can craft a search query that will be executed without the user's DLS restrictions.
    • Impact: This allows the attacker to view all documents within the targeted indices, completely bypassing the intended data segregation and exposing sensitive information.

Affected Systems

  • Product: floragunn Search Guard FLX
  • Affected Versions: All versions up to and including 3.1.2

Exploitation Status

As of the disclosure on November 14, 2025, there is no public exploit code available, and no known active exploitation. However, the logic is straightforward, and motivated attackers could develop an exploit.

Impact Assessment

The primary purpose of Document-Level Security is to enforce data boundaries in shared Elasticsearch clusters, ensuring that users can only see the data they are authorized to access. This vulnerability completely undermines that control. In a multi-tenant environment where different customers' data resides in the same index, one malicious or compromised low-privilege user could potentially access another customer's sensitive data. This could lead to significant data breaches, regulatory fines (e.g., under GDPR or HIPAA), and loss of customer trust.

Cyber Observables for Detection

  • log_source: Elasticsearch and Search Guard audit logs.
  • configuration: Review Signals watch configurations for queries that target a broad range of indices, especially if the user who created the watch has restricted permissions.

Detection Methods

  • Audit Log Review: This is the most effective detection method. Enable and regularly review Search Guard's audit logs. Look for search queries initiated by Signals watches that return documents the triggering user should not have access to. Correlate the user's permissions with the data returned in the search results. This is a form of D3FEND's Resource Access Pattern Analysis (D3-RAPA).
  • Permissions Auditing: Regularly audit the permissions of users who are allowed to create and manage Signals watches. While this won't detect exploitation, it can help limit the attack surface.
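To make the audit-log correlation described above concrete, here is an added Python example; it is not code from the article, from floragunn or from Search Guard. It takes the documents a Signals watch search returned, evaluates the DLS filter attached to the watch owner's role against each one, and reports every document the filter should have hidden, which is the evidence of a DLS bypass the detection method above asks you to look for. It also pulls candidate search events for DLS-restricted users out of audit log lines so you know which watch executions to correlate. The DLS query subset (`match_all`, `term`, `terms`, `bool`), the audit field names (`audit_category`, `audit_request_effective_user`, `audit_request_privilege`, `audit_trace_indices`) and every sample record are assumptions constructed for the example; compare the field names with what your own audit log configuration emits.

```python
"""Correlate Signals watch search results with the watch owner's DLS filter.

Added example, not Search Guard or article code. Field names, the DLS query
subset and all records are assumptions constructed for illustration.
"""
import json
from typing import Any, Dict, Iterable, List


def _field(doc: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted field path such as 'customer.id' inside a _source."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _as_list(x: Any) -> List[Any]:
    return [] if x is None else (x if isinstance(x, list) else [x])


def dls_matches(doc: Dict[str, Any], query: Dict[str, Any]) -> bool:
    """Evaluate the DLS query subset (match_all/term/terms/bool) on a _source."""
    if "match_all" in query:
        return True
    if "term" in query:
        (field, value), = query["term"].items()
        if isinstance(value, dict):          # {"term": {"f": {"value": v}}}
            value = value.get("value")
        return _field(doc, field) == value
    if "terms" in query:
        (field, values), = query["terms"].items()
        return _field(doc, field) in values
    if "bool" in query:
        b = query["bool"]
        musts = _as_list(b.get("must")) + _as_list(b.get("filter"))
        if not all(dls_matches(doc, q) for q in musts):
            return False
        shoulds = _as_list(b.get("should"))
        # Elasticsearch default: should clauses are optional once a must/filter exists.
        min_should = int(b.get("minimum_should_match", 0 if musts else 1))
        if shoulds and sum(dls_matches(doc, q) for q in shoulds) < min_should:
            return False
        return not any(dls_matches(doc, q) for q in _as_list(b.get("must_not")))
    raise ValueError(f"unsupported DLS clause: {sorted(query)}")


def dls_violations(hits: List[Dict[str, Any]], dls_filter: Dict[str, Any]) -> List[str]:
    """Return the _id of every returned hit the DLS filter should have hidden."""
    return [h["_id"] for h in hits if not dls_matches(h["_source"], dls_filter)]


def dls_user_search_events(audit_lines: Iterable[str], dls_users: set) -> List[Dict[str, Any]]:
    """Select audit records for searches granted to a DLS-restricted user."""
    # Field names follow Search Guard's audit log naming as an assumption;
    # adjust them to the fields your deployment actually emits.
    events = []
    for line in audit_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("audit_category") != "GRANTED_PRIVILEGES":
            continue
        if not str(rec.get("audit_request_privilege", "")).startswith("indices:data/read/search"):
            continue
        if rec.get("audit_request_effective_user") in dls_users:
            events.append(rec)
    return events


# ---- constructed sample data --------------------------------------------
# DLS rule on the role held by "tenant-a-analyst": only tenant "acme" documents.
TENANT_A_DLS = {"term": {"tenant_id": "acme"}}

# Documents a Signals watch search, run as tenant-a-analyst, returned.
WATCH_HITS = [
    {"_id": "1", "_index": "orders", "_source": {"tenant_id": "acme", "total": 120}},
    {"_id": "2", "_index": "orders", "_source": {"tenant_id": "globex", "total": 80}},
    {"_id": "3", "_index": "orders", "_source": {"tenant_id": "acme", "total": 15}},
    {"_id": "4", "_index": "orders", "_source": {"tenant_id": "initech", "total": 500}},
]

# Constructed audit log lines (one JSON record per line, field names assumed).
AUDIT_LOG = """\
{"audit_category": "GRANTED_PRIVILEGES", "audit_request_effective_user": "tenant-a-analyst", "audit_request_privilege": "indices:data/read/search", "audit_trace_indices": ["orders"]}
{"audit_category": "GRANTED_PRIVILEGES", "audit_request_effective_user": "admin", "audit_request_privilege": "indices:data/read/search", "audit_trace_indices": ["orders"]}
{"audit_category": "FAILED_LOGIN", "audit_request_effective_user": "tenant-a-analyst"}
{"audit_category": "GRANTED_PRIVILEGES", "audit_request_effective_user": "tenant-a-analyst", "audit_request_privilege": "indices:data/write/index", "audit_trace_indices": ["orders"]}
"""


def main() -> None:
    events = dls_user_search_events(AUDIT_LOG.splitlines(), {"tenant-a-analyst"})
    print(f"{len(events)} search event(s) by DLS-restricted users to correlate")
    bad = dls_violations(WATCH_HITS, TENANT_A_DLS)
    print(f"{len(bad)} of {len(WATCH_HITS)} returned documents violate DLS: {bad}")


if __name__ == "__main__":
    main()
```

Run as-is it reports one audit search event to correlate and flags documents 2 and 4, the two hits whose `tenant_id` is not `acme`. Any non-empty result from `dls_violations` on a real watch execution is the condition the detection method describes: a search run through Signals that returned documents the triggering user's DLS filter should have excluded.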

Remediation Steps

  • Update Search Guard: Administrators of affected systems should upgrade to a patched version of Search Guard FLX as soon as it becomes available from floragunn. This is the only way to fully remediate the vulnerability and is an application of D3FEND's Software Update (D3-SU).
  • Restrict Permissions (Workaround): As a temporary workaround, you can limit the ability to create and trigger Signals watches to only highly trusted administrative users. This can be achieved by creating a specific role for Signals management and assigning it cautiously. This is an application of D3FEND's User Account Permissions (D3-UAP).
  • Review Watch Configurations: Manually review existing Signals watches to ensure they are not configured in a way that could be abused to query overly broad sets of indices.
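The watch review in the last step above, together with the configuration check listed under Cyber Observables for Detection, can be scripted. The following is an added Python example, not code from the article or from floragunn: it walks Signals watch definitions, collects the indices their search checks target, and flags both watches whose owner holds a role with a DLS restriction on a targeted index and watches that query wildcard or `_all` targets. The role layout (`index_permissions` / `index_patterns` / `dls`) follows the shape of a Search Guard `sg_roles.yml` and the watch layout (`checks` of type `search` with `request.indices`) follows the shape of a Signals watch, but both, the `_meta.owner` field and all sample data are assumptions constructed for the example.

```python
"""Review Signals watch definitions against the owner's DLS-restricted roles.

Added example, not article or floragunn code. Role and watch layouts are
modelled on Search Guard's sg_roles.yml and Signals watches but are
assumptions here; the _meta.owner field and all sample data are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    watch_id: str
    owner: str
    index: str
    reason: str


def is_broad(index: str) -> bool:
    """A wildcard or _all target reaches indices the watch author may not have intended."""
    return index == "_all" or "*" in index


def dls_rules_for(roles: Dict[str, dict], role_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Collect (index_pattern, dls_query) pairs from every role the owner holds."""
    rules: List[Tuple[str, str]] = []
    for name in role_names:
        for perm in roles.get(name, {}).get("index_permissions", []):
            if perm.get("dls"):
                rules.extend((pat, perm["dls"]) for pat in perm.get("index_patterns", []))
    return rules


def search_targets(watch: dict) -> Iterable[str]:
    """Yield each index name or pattern queried by the watch's search checks."""
    for check in watch.get("checks", []):
        if check.get("type") == "search":
            yield from check.get("request", {}).get("indices", [])


def patterns_overlap(target: str, pattern: str) -> bool:
    """True if a watch target and a role index pattern can name the same index."""
    return fnmatchcase(target, pattern) or fnmatchcase(pattern, target)


def review_watches(watches: List[dict], users: Dict[str, dict], roles: Dict[str, dict]) -> List[Finding]:
    """Return one Finding per watch target that needs a reviewer's attention."""
    findings: List[Finding] = []
    for w in watches:
        owner = w["_meta"]["owner"]                       # constructed ownership metadata
        owner_rules = dls_rules_for(roles, users.get(owner, {}).get("roles", []))
        for idx in search_targets(w):
            if is_broad(idx):
                findings.append(Finding(w["id"], owner, idx, "broad index target"))
            # The watch result is only correct if DLS is enforced on this owner's search,
            # so every overlap with a DLS-bearing pattern is worth a look.
            for pattern, dls in owner_rules:
                if patterns_overlap(idx, pattern):
                    findings.append(Finding(w["id"], owner, idx, f"owner DLS on {pattern}: {dls}"))
                    break
    return findings


# ---- constructed sample configuration -----------------------------------
ROLES = {
    "tenant_acme_reader": {"index_permissions": [
        {"index_patterns": ["orders-*"], "dls": '{"term": {"tenant_id": "acme"}}'}]},
    "cluster_ops": {"index_permissions": [{"index_patterns": ["*"]}]},   # no DLS
}
USERS = {"alice": {"roles": ["tenant_acme_reader"]}, "ops": {"roles": ["cluster_ops"]}}
WATCHES = [
    {"id": "acme_order_alert", "_meta": {"owner": "alice"},
     "checks": [{"type": "search", "request": {"indices": ["orders-2025"]}}]},
    {"id": "cluster_health", "_meta": {"owner": "ops"},
     "checks": [{"type": "search", "request": {"indices": ["*"]}}]},
    {"id": "alice_everything", "_meta": {"owner": "alice"},
     "checks": [{"type": "search", "request": {"indices": ["*"]}}, {"type": "condition"}]},
]


def main() -> None:
    for f in review_watches(WATCHES, USERS, ROLES):
        print(f"[{f.watch_id}] owner={f.owner} index={f.index}: {f.reason}")


if __name__ == "__main__":
    main()
```

On the sample data this yields four findings: the watch owned by the DLS-restricted user that reads a concrete `orders-*` index, the two watches that target `*`, and the DLS-restricted owner's wildcard watch once more because `*` overlaps the `orders-*` pattern. Those DLS-owner findings are the watches to prioritise while the workaround of limiting Signals management to trusted administrators is in place.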

Timeline of Events

1. November 14, 2025: Vulnerability CVE-2025-12149 is publicly disclosed.
2. November 15, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Upgrade to a patched version of Search Guard FLX once it is released by the vendor. Mapped D3FEND Technique: Software Update (D3-SU).
  • As a workaround, restrict permissions for creating and triggering Signals watches to only trusted administrators. Mapped D3FEND Technique: User Account Permissions (D3-UAP).


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Search Guard, Elasticsearch, Vulnerability, CVE-2025-12149, DLS Bypass, Information Disclosure
