Query Details
// CVE-2025-27607 (CVSS 8.8)
// The 'python-json-logger' package has over 43 million downloads per month, making this vulnerability a significant threat to a large number of users.
// https://securityonline.info/popular-python-logging-library-vulnerable-to-remote-code-execution-cve-2025-27607/
DeviceProcessEvents
| where TimeGenerated > ago(90d)
| where InitiatingProcessCommandLine has "install python-json-logger"
| summarize arg_max(TimeGenerated, *) by DeviceName
This KQL (Kusto Query Language) query identifies devices on which the 'python-json-logger' package has been installed. The package is affected by a high-severity vulnerability (CVE-2025-27607, CVSS 8.8). Here is a simple breakdown of what the query does:
Data Source: It reads the DeviceProcessEvents table, which holds records of processes executed on devices.
Time Filter: It keeps only events from the last 90 days.
Command Filter: It keeps only events whose initiating process command line contains the phrase "install python-json-logger", which indicates an installation of the vulnerable package. Note that `has` matches whole terms, so a command line containing "uninstall" would not match "install".
Summarization: For each device, it keeps the most recent matching event (using arg_max(TimeGenerated, *)), so the output holds exactly one row per device, carrying the full record of its latest installation.
Output: The result is a list of devices (DeviceName) that have installed the 'python-json-logger' package in the last 90 days, along with the details of the most recent installation event on each.
This query lets security teams quickly identify and assess the exposure to this vulnerability across their environment. Because it matches on the install command rather than on the package state of the device, hits should be confirmed against the version actually present before remediation is prioritised.
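The same query run over a small constructed input, as an added example that is not part of the original query: `SampleEvents` is a `datatable` standing in for DeviceProcessEvents with hypothetical device names and command lines, and a fixed `ReferenceTime` replaces `ago(90d)` so the result does not change with the day it is run.

```kql
// Constructed sample rows standing in for DeviceProcessEvents (hypothetical data, example only).
let SampleEvents = datatable(TimeGenerated:datetime, DeviceName:string, AccountName:string, InitiatingProcessCommandLine:string)
[
    // ws-01: two installs of the package; arg_max keeps only the later one
    datetime(2025-03-01 09:00:00), "ws-01", "alice", "pip install python-json-logger",
    datetime(2025-03-05 14:30:00), "ws-01", "alice", "pip install python-json-logger==3.2.1",
    // ws-02: unrelated package, not matched by the command filter
    datetime(2025-03-02 11:15:00), "ws-02", "bob",   "pip install requests",
    // ws-03: matching install, but older than the 90-day window
    datetime(2024-11-01 08:00:00), "ws-03", "carol", "pip install python-json-logger",
    // ws-04: 'uninstall' is a different whole term from 'install', so `has` does not match it
    datetime(2025-03-06 16:45:00), "ws-04", "dave",  "pip uninstall python-json-logger"
];
// Fixed reference point (the query's release date) in place of now(), so ago(90d) becomes a stable window.
let ReferenceTime = datetime(2025-03-09);
SampleEvents
| where TimeGenerated > ReferenceTime - 90d
| where InitiatingProcessCommandLine has "install python-json-logger"
| summarize arg_max(TimeGenerated, *) by DeviceName
```

Swap `SampleEvents` for `DeviceProcessEvents` and `ReferenceTime - 90d` for `ago(90d)` to get back to the production query; the row-per-device shape of the output is unchanged.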

Steven Lim
Released: March 9, 2025