Elastic disclosed a critical vulnerability (CVE-2025-37735) in **Elastic Defend for Windows**, stemming from improper preservation of file permissions in its SYSTEM-privileged service. The flaw allows local attackers, even those with low privileges, to delete arbitrary files, potentially escalating to full administrative control over the compromised system. Affected versions include **8.19.5 and earlier**, as well as **9.0.0 through 9.1.5**; patched releases (8.19.6, 9.1.6, 9.2.0) are now available. While exploitation requires local access and is of moderate complexity (CVSS 7.0: High), the risk is amplified in shared or multi-user environments where insiders or compromised accounts could abuse the vulnerability. Organizations relying on Elastic Defend for endpoint security face heightened exposure, because successful exploitation undermines system integrity, enables lateral movement, and could facilitate follow-on attacks such as data theft or ransomware deployment. Mitigations include immediate patching or upgrading to **Windows 11 24H2**, which introduces architectural safeguards. Delayed remediation leaves a persistent privilege-escalation path open, particularly in environments with untrusted local users or legacy Windows versions.
Source: https://gbhackers.com/elastic-defend-for-windows-vulnerability/
Elastic cybersecurity rating report: https://www.rankiteo.com/company/elastic
```json
{
  "id": "ela0132601111025",
  "linkid": "elastic",
  "type": "Vulnerability",
  "date": "6/2025",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "Organizations using Elastic Defend for Windows (versions 8.19.5 and earlier; 9.0.0–9.1.5)",
      "industry": "Cybersecurity / Software",
      "name": "Elastic (vendor)",
      "type": "Organization"
    },
    {
      "industry": "Multiple (any sector using Elastic Defend on Windows)",
      "location": "Global",
      "name": "Organizations using vulnerable Elastic Defend versions",
      "type": "Customer Base"
    }
  ],
  "attack_vector": "Local access with low privileges; improper file permission preservation in Elastic Defend service (SYSTEM-level)",
  "customer_advisories": "Customers notified via standard channels (email, in-product alerts, etc.) to apply patches urgently.",
  "description": "Elastic has released a security advisory addressing a significant vulnerability in Elastic Defend (CVE-2025-37735) that could allow attackers to escalate their privileges on Windows systems. The flaw stems from improper preservation of file permissions in the Defend service, enabling local attackers to delete arbitrary files and potentially gain administrative control. Affected versions include 8.19.5 and earlier, as well as 9.0.0 through 9.1.5. Patched versions (8.19.6, 9.1.6, 9.2.0) are available, and organizations are urged to prioritize remediation.",
  "impact": {
    "brand_reputation_impact": "Moderate (public disclosure of high-severity vulnerability in security product)",
    "operational_impact": "High (potential for full administrative control by low-privilege attackers; critical infrastructure risk)",
    "systems_affected": [
      {
        "os": "Windows (all versions, with mitigation in Windows 11 24H2)",
        "software": "Elastic Defend (versions 8.19.5 and earlier; 9.0.0–9.1.5)"
      }
    ]
  },
  "investigation_status": "Resolved (patch available; advisory published)",
  "lessons_learned": [
    "Critical importance of patching security products promptly, even for 'local access' vulnerabilities",
    "Need for defense-in-depth against privilege escalation paths in endpoint protection tools",
    "Value of OS-level mitigations (e.g., Windows 11 24H2 architectural changes) as interim protections"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Implemented proper permission preservation in patched versions (8.19.6, 9.1.6, 9.2.0)",
      "Enhanced testing for privilege escalation vectors in file-handling routines",
      "Added OS compatibility checks for Windows 11 24H2 mitigations"
    ],
    "root_causes": [
      "Improper preservation of file permissions in Elastic Defend service (SYSTEM-level process)",
      "Insufficient validation of file operations by low-privilege users",
      "Lack of fail-safe mechanisms for permission inheritance during file handling"
    ]
  },
  "recommendations": [
    "Upgrade Elastic Defend to patched versions (8.19.6, 9.1.6, or 9.2.0) immediately",
    "Conduct emergency inventory of all Elastic Defend deployments to identify vulnerable systems",
    "Prioritize patching for systems with high-value data or critical roles",
    "Consider upgrading to Windows 11 24H2 as an interim mitigation for systems that cannot be patched immediately",
    "Review and harden least-privilege access controls for all local users",
    "Monitor for suspicious file deletion activity or privilege escalation attempts"
  ],
  "references": [
    {"source": "Elastic Security Advisory"},
    {"source": "CVE-2025-37735 Details"}
  ],
  "response": {
    "communication_strategy": [
      "Public security advisory by Elastic",
      "Urgent notification to customers via standard channels"
    ],
    "containment_measures": [
      "Immediate upgrade to patched versions (8.19.6, 9.1.6, 9.2.0)",
      "Interim mitigation: Upgrade to Windows 11 24H2 (reduces exploitability)"
    ],
    "remediation_measures": [
      "Patch deployment across all affected systems",
      "Inventory of Elastic Defend deployments to identify vulnerable versions",
      "Prioritization of critical infrastructure updates"
    ]
  },
  "stakeholder_advisories": "Elastic has issued a public security advisory with technical details and remediation guidance.",
  "title": "Elastic Defend Privilege Escalation Vulnerability (CVE-2025-37735)",
  "type": "Vulnerability / Privilege Escalation",
  "vulnerability_exploited": "CVE-2025-37735 (Improper Preservation of Permissions)"
}
```