Elastic Stack Security Announcements

Security Announcements – Discuss the Elastic Stack. Topics in the ‘Security Announcements’ category: security announcements for the Elastic stack.

  • Elasticsearch 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-07)
    by ismisepaul on January 13, 2026 at 8:55 pm

    Elasticsearch yawkat LZ4 Java – CVE-2025-66566 (ESA-2026-07)

    An Information Disclosure vulnerability (CVE-2025-66566) exists in the yawkat LZ4 Java library used by Elasticsearch that allows an attacker to read previous buffer contents through specially crafted compressed input sent via the transport layer.

    Affected Versions:
      7.x: All versions from 7.14.0 up to and including 7.17.29
      8.x: All versions from 8.0.0 up to and including 8.19.9
      9.x: All versions from 9.0.0 up to and including 9.1.9
           All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
      Users should upgrade to version 8.19.10, 9.1.10, 9.2.4.

    For Users that Cannot Upgrade:
      Self-hosted: For users who cannot upgrade immediately, the following workarounds can be applied to elasticsearch.yml. Note that these changes require a node restart to take effect.
        Switch to Deflate: The LZ4 Java decompressor can be bypassed by switching the transport compression scheme to deflate:
          transport.compression_scheme: deflate
        Disable Compression: Compression can be disabled entirely, though this will result in increased network bandwidth usage:
          transport.compress: false
        Cross-Cluster Settings: If utilizing cross-cluster search or replication, apply the mitigation to remote connections:
          cluster.remote.<cluster_alias>.transport.compression_scheme: deflate
      Cloud: For users on Elastic Cloud who cannot upgrade immediately:
        Configuration: The transport.compression_scheme setting can be configured by users in the Cloud Console for versions 7.17.0 and later. Users can switch the scheme to deflate or disable compression via the user settings block.
        Remote Clusters: While users cannot configure cluster.remote.<cluster_alias>.transport.compression_scheme directly in the Cloud UI, remote cluster connections will automatically inherit the global transport.compression_scheme setting.
      Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: High (8.4) – CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
    CVE ID: CVE-2025-66566
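
An added check for the self-hosted workaround above (example code, not Elastic's): it reads a flat-key elasticsearch.yml and reports, for the node's transport layer and for each cluster.remote.<alias> connection, whether the LZ4 decompressor is still reachable. It assumes an absent setting means the lz4 default applies, that remotes inherit the global values unless they override them, and that keys are written in flat dotted form; the sample config is constructed.

```python
import re

# Settings named in the advisory that decide which transport decompressor is in use.
GLOBAL_COMPRESS = "transport.compress"
GLOBAL_SCHEME = "transport.compression_scheme"
REMOTE_KEY_RE = re.compile(r"^cluster\.remote\.(?P<alias>[^.]+)\.(?P<rest>.+)$")

# Constructed sample elasticsearch.yml (not from a real deployment).
SAMPLE_CONFIG = """\
cluster.name: demo
transport.compression_scheme: deflate                       # global workaround applied
cluster.remote.analytics.seeds: 10.0.0.5:9300
cluster.remote.analytics.transport.compression_scheme: lz4  # explicit override, LZ4 again
cluster.remote.archive.seeds: 10.0.0.6:9300                 # inherits the global scheme
"""


def parse_flat_yaml(text):
    """Parse `key: value` lines into a dict. Comments and blank lines are
    skipped; values are unquoted and lower-cased. Assumes flat dotted keys,
    so nested YAML blocks are not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings


def lz4_reachable(compress, scheme):
    """True when crafted compressed input could still reach the LZ4 decompressor.
    None for either argument means the setting is absent, i.e. the default applies
    (assumed here to be compression on with the lz4 scheme)."""
    if compress == "false":
        return False   # transport.compress: false, nothing is decompressed
    if scheme == "deflate":
        return False   # transport.compression_scheme: deflate bypasses LZ4
    return True        # default or explicit lz4


def assess(text):
    """Return {"transport": bool, "remotes": {alias: bool}}; True = still on LZ4."""
    s = parse_flat_yaml(text)
    g_compress, g_scheme = s.get(GLOBAL_COMPRESS), s.get(GLOBAL_SCHEME)
    remotes = {}
    for key, value in s.items():
        m = REMOTE_KEY_RE.match(key)
        if m:   # record every alias so remotes with no override are assessed too
            remotes.setdefault(m.group("alias"), {})[m.group("rest")] = value
    report = {"transport": lz4_reachable(g_compress, g_scheme), "remotes": {}}
    for alias, keys in remotes.items():
        # Remote connections inherit the global values unless overridden
        # (the advisory's Cloud note describes this inheritance).
        compress = keys.get("transport.compress", g_compress)
        scheme = keys.get("transport.compression_scheme", g_scheme)
        report["remotes"][alias] = lz4_reachable(compress, scheme)
    return report


if __name__ == "__main__":
    result = assess(SAMPLE_CONFIG)
    print("transport layer on LZ4:", result["transport"])
    for alias, exposed in sorted(result["remotes"].items()):
        print(f"remote '{alias}' on LZ4:", exposed)
```

On the sample, the global setting is mitigated but the `analytics` remote is flagged because its explicit override switches that connection back to lz4.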

  • Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-05)
    by ikakavas on January 13, 2026 at 8:54 pm

    External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector (ESA-2026-05)

    External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.

    Affected Versions:
      8.x: All versions from 8.15.0 up to and including 8.19.9
      9.x: All versions from 9.0.0 up to and including 9.1.9
           All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
      Users should upgrade to version 8.19.10, 9.1.10, 9.2.4.

    For Users that Cannot Upgrade:
      Customers who cannot upgrade can disable the connector type by setting the appropriate value for xpack.actions.enabledActionTypes in the Kibana configuration.
      Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: High (8.6) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    CVE ID: CVE-2026-0532
    Problem Type: CWE-918 – Server-Side Request Forgery (SSRF), CWE-73 – External Control of File Name or Path
    Impact: CAPEC-664 – Server-Side Request Forgery (SSRF), CAPEC-76 – Manipulating Web Input to File System Calls

  • Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-08)
    by Bryan_Garcia on January 13, 2026 at 8:47 pm

    Improper Input Validation in Kibana Email Connector Leading to Excessive Allocation (ESA-2026-08)

    Improper Input Validation (CWE-20) in Kibana’s Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process a specially crafted email format, resulting in complete service unavailability for all users until a manual restart is performed.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.9
      9.x: All versions from 9.0.0 up to and including 9.1.9
           All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
      The issue is resolved in version 8.19.10, 9.1.10, 9.2.4.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2026-0543
    Problem Type: CWE-20 – Improper Input Validation
    Impact: CAPEC-664 – Excessive Allocation

  • Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-04)
    by ismisepaul on January 13, 2026 at 8:47 pm

    Allocation of Resources Without Limits or Throttling in Kibana Fleet (ESA-2026-04)

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

    Affected Versions:
      7.x: All versions from 7.10.0 up to and including 7.17.29
      8.x: All versions from 8.0.0 up to and including 8.19.9
      9.x: All versions from 9.0.0 up to and including 9.1.9
           All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
      The issue is resolved in version 8.19.10, 9.1.10, 9.2.4.

    For Users that Cannot Upgrade:
      There are no workarounds.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2026-0531
    Problem Type: CWE-770 – Allocation of Resources Without Limits or Throttling
    Impact: CAPEC-130 – Excessive Allocation

  • Kibana 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-03)
    by Bryan_Garcia on January 13, 2026 at 8:45 pm

    Allocation of Resources Without Limits or Throttling in Kibana Leading to Excessive Allocation (ESA-2026-03)

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.

    Affected Versions:
      7.x: All versions from 7.10.0 up to and including 7.17.29
      8.x: All versions from 8.0.0 up to and including 8.19.9
      9.x: All versions from 9.0.0 up to and including 9.1.9
           All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
      The issue is resolved in version 8.19.10, 9.1.10, 9.2.4.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2026-0530
    Problem Type: CWE-770 – Allocation of Resources Without Limits or Throttling
    Impact: CAPEC-130 – Excessive Allocation

  • Packetbeat 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-02)
    by ikakavas on January 13, 2026 at 8:43 pm

    Improper Validation of Array Index in Packetbeat Leading to Overflow Buffers (ESA-2026-02)

    Improper Validation of Array Index (CWE-129) in Packetbeat’s MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This requires an attacker to send a malformed payload to a monitored network interface where MongoDB protocol parsing is enabled.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.9
      9.x: All versions from 9.0.0 up to and including 9.1.9
           All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
      The issue is resolved in version 8.19.10, 9.1.10, 9.2.4.

    For Users that Cannot Upgrade:
      There are no workarounds.

    Acknowledgements: We would like to thank AISLE Research for responsibly disclosing this vulnerability to Elastic.

    Severity: CVSSv3.1: Medium (6.5) – AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2026-0529
    Problem Type: CWE-129 – Improper Validation of Array Index
    Impact: CAPEC-100 – Overflow Buffers

  • Metricbeat 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-01)
    by ismisepaul on January 13, 2026 at 8:42 pm

    Improper Input Validation in Metricbeat Leading to Denial of Service (ESA-2026-01)

    Improper Validation of Array Index (CWE-129) exists in Metricbeat and can allow an attacker to cause a Denial of Service via Input Data Manipulation (CAPEC-153) using specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service via Input Data Manipulation (CAPEC-153) using specially crafted, malformed metric data.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.9
      9.x: All versions from 9.0.0 up to and including 9.1.9
           All versions from 9.2.0 up to and including 9.2.3

    Solutions and Mitigations:
      The issue is resolved in version 8.19.10, 9.1.10, 9.2.4.

    Severity: CVSSv3.1: Medium (6.5) – CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2026-0528
    Problem Type: Improper Validation of Array Index – CWE-20
    Impact: Overflow Buffers – CAPEC-100

  • Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-39)
    by ismisepaul on December 18, 2025 at 9:28 pm

    Kibana Improper Authorization (ESA-2025-39)

    Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the ‘live queries – read’ permission to successfully retrieve the list of live queries.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.6
      9.x: All versions from 9.0.0 up to and including 9.1.6
           Version 9.2.0

    Solutions and Mitigations:
      The issue is resolved in version 8.19.7, 9.1.7, and 9.2.1.

    Severity: CVSSv3.1: 4.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    CVE ID: CVE-2025-68422

  • Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-38)
    by ismisepaul on December 18, 2025 at 9:28 pm

    Kibana Improper Authorization (ESA-2025-38)

    Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document’s sharing type to “global,” even though they do not have permission to do so, making it visible to everyone in the space via a crafted HTTP request.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.7
      9.x: All versions from 9.0.0 up to and including 9.1.7
           All versions from 9.2.0 up to and including 9.2.1

    Solutions and Mitigations:
      The issue is resolved in version 8.19.8, 9.1.8, and 9.2.2.

    Severity: CVSSv3.1: 4.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    CVE ID: CVE-2025-68386

  • Elasticsearch 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-37)
    by ismisepaul on December 18, 2025 at 9:27 pm

    Elasticsearch Allocation of Resources Without Limits or Throttling (ESA-2025-37)

    Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via a crafted HTTP request.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.7
      9.x: All versions from 9.0.0 up to and including 9.1.7
           All versions from 9.2.0 up to and including 9.2.1

    Affected Configurations:
      The attacker must have the permissions to perform a snapshot restore.

    Solutions and Mitigations:
      The issue is resolved in version 8.19.8, 9.1.8, and 9.2.2.

    Severity: CVSSv3.1: 4.9 (Medium) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2025-68390

  • Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-36)
    by ismisepaul on December 18, 2025 at 9:26 pm

    Kibana Allocation of Resources Without Limits or Throttling (ESA-2025-36)

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.8
      9.x: All versions from 9.0.0 up to and including 9.1.8
           All versions from 9.2.0 up to and including 9.2.2

    Solutions and Mitigations:
      The issue is resolved in version 8.19.9, 9.1.9, and 9.2.3.

    Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2025-68389

  • Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-35)
    by ismisepaul on December 18, 2025 at 9:25 pm

    Kibana Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (ESA-2025-35)

    Improper neutralization of input during web page generation (‘Cross-site Scripting’) (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST evaluator.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.8
      9.x: All versions from 9.0.0 up to and including 9.1.8
           All versions from 9.2.0 up to and including 9.2.2

    Solutions and Mitigations:
      The issue is resolved in version 8.19.9, 9.1.9, and 9.2.3.

    For Users that Cannot Upgrade:
      Self-hosted: For on-premises installations, you can set vis_type_vega.enabled: false in the kibana.yml file. Note that this will disable all Vega charts in Kibana.
      Cloud: For Elastic Cloud services deployments, you can set vis_type_vega.enabled: false in the Kibana user settings. Note that this will disable all Vega charts in Kibana.
      Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless before the public disclosure.

    Severity: CVSSv3.1: 6.1 (Medium) – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    CVE ID: CVE-2025-68387

  • Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-34)
    by ismisepaul on December 18, 2025 at 9:24 pm

    Kibana Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (ESA-2025-34)

    Improper neutralization of input during web page generation (‘Cross-site Scripting’) (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.8
      9.x: All versions from 9.0.0 up to and including 9.1.8
           All versions from 9.2.0 up to and including 9.2.2

    Solutions and Mitigations:
      The issue is resolved in version 8.19.9, 9.1.9, and 9.2.3.

    For Users that Cannot Upgrade:
      Self-hosted: For on-premises installations, you can set vis_type_vega.enabled: false in the kibana.yml file. Note that this will disable all Vega charts in Kibana.
      Cloud: For Elastic Cloud services deployments, you can set vis_type_vega.enabled: false in the Kibana user settings. Note that this will disable all Vega charts in Kibana.
      Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless before the public disclosure.

    Severity: CVSSv3.1: 7.2 (High) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    CVE ID: CVE-2025-68385

  • Elasticsearch 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-33)
    by ismisepaul on December 18, 2025 at 9:17 pm

    Elasticsearch Allocation of Resources Without Limits or Throttling (ESA-2025-33)

    Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130), causing a persistent denial of service (OOM crash) via submission of oversized user settings data.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.8
      9.x: All versions from 9.0.0 up to and including 9.1.8
           All versions from 9.2.0 up to and including 9.2.2

    Solutions and Mitigations:
      The issue is resolved in version 8.19.9, 9.1.9, and 9.2.3.

    Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2025-68384

  • Filebeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-32)
    by ismisepaul on December 18, 2025 at 9:16 pm

    Filebeat Improper Validation of Specified Index, Position, or Offset in Input (ESA-2025-32)

    Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in the Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process via either a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.8
      9.x: All versions from 9.0.0 up to and including 9.1.8
           All versions from 9.2.0 up to and including 9.2.2

    Solutions and Mitigations:
      The issue is resolved in version 8.19.9, 9.1.9, and 9.2.3.

    Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2025-68383

  • Packetbeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-31)
    by ismisepaul on December 18, 2025 at 9:16 pm

    Packetbeat Out-of-bounds Read (ESA-2025-31)

    Out-of-bounds read (CWE-125) allows an unauthenticated remote attacker to perform a buffer overflow (CAPEC-100) via the NFS protocol dissector, leading to a denial-of-service (DoS) through a reliable process crash when handling truncated XDR-encoded RPC messages.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.8
      9.x: All versions from 9.0.0 up to and including 9.1.8
           All versions from 9.2.0 up to and including 9.2.2

    Solutions and Mitigations:
      The issue is resolved in version 8.19.9, 9.1.9, and 9.2.3.

    Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2025-68382

  • Packetbeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-30)
    by ismisepaul on December 18, 2025 at 9:15 pm

    Packetbeat Improper Bounds Check (ESA-2025-30)

    Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100) and reliably crash the application or cause significant resource exhaustion via a single crafted UDP packet with an invalid fragment sequence number.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.8
      9.x: All versions from 9.0.0 up to and including 9.1.8
           All versions from 9.2.0 up to and including 9.2.2

    Affected Configurations:
      Users using memcached collection.

    Solutions and Mitigations:
      The issue is resolved in version 8.19.9, 9.1.9, and 9.2.3.

    For Users that Cannot Upgrade:
      Users can disable memcached collection in the Network Packet Capture integration if they are using Elastic Agent and would like other network collections to continue.

    Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2025-68381

  • Packetbeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-29)
    by ismisepaul on December 18, 2025 at 9:13 pm

    Packetbeat Allocation of Resources Without Limits or Throttling (ESA-2025-29)

    Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration of malicious IPv4 fragments, leading to a degradation in Packetbeat.

    Affected Versions:
      8.x: All versions from 8.6.0 up to and including 8.19.8
      9.x: All versions from 9.0.0 up to and including 9.1.8
           All versions from 9.2.0 up to and including 9.2.2

    Solutions and Mitigations:
      The issue is resolved in version 8.19.9, 9.1.9, and 9.2.3.

    Severity: CVSSv3.1: 5.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE ID: CVE-2025-68388

    Changelog:
      2025-12-19: As this does not cause a denial-of-service but rather a degradation, it has been downgraded to a medium severity issue.

  • Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-28)
    by ismisepaul on December 15, 2025 at 10:15 am

    Kibana Cross-site Scripting via the Integration Package Upload Functionality (ESA-2025-28)

    Improper neutralization of input during web page generation (‘Cross-site Scripting’) (CWE-79) allows an authenticated user to render an HTML page within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018), bypassing that fix to achieve HTML injection.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.7
      9.x: All versions from 9.0.0 up to and including 9.1.7
           All versions from 9.2.0 up to and including 9.2.1

    Affected Configurations:
      A malicious user would need to have a role that includes All permissions under Management for Fleet and Integrations.

    Solutions and Mitigations:
      The issue is resolved in version 8.19.8, 9.1.8, and 9.2.2.

    For Users that Cannot Upgrade:
      There are no workarounds.

    Severity: CVSSv3.1: 5.4 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    CVE ID: CVE-2025-37732

  • Elasticsearch 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-27)
    by ikakavas on December 15, 2025 at 10:14 am

    Elasticsearch Improper Authentication (ESA-2025-27)

    Improper Authentication in the Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.

    Affected Versions:
      7.x: All versions
      8.x: All versions from 8.0.0 up to and including 8.19.7
      9.x: All versions from 9.0.0 up to and including 9.1.7
           All versions from 9.2.0 up to and including 9.2.1

    Affected Configurations:
      This issue only affects the PKI realm of Elasticsearch.

    Solutions and Mitigations:
      Medium or High Severity with few customers impacted: The issue is resolved in version 8.19.8, 9.1.8, and 9.2.2.

    For Users that Cannot Upgrade:
      There are no workarounds.

    Severity: CVSSv3.1: 6.8 (Medium) – AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
    CVE ID: CVE-2025-37731

  • Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-24)
    by ismisepaul on November 12, 2025 at 9:41 am

    Kibana Origin Validation Error (ESA-2025-24)

    Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.

    Affected Versions:
      8.12.0 up to and including 8.19.6
      9.1.0 up to and including 9.1.6
      9.2.0

    Affected Configurations:
      Deployments using the Observability AI Assistant.

    Solutions and Mitigations:
      Users should upgrade to version 8.19.7, 9.1.7, and 9.2.1.
      Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

    Severity: CVSSv3.1: 4.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    CVE ID: CVE-2025-37734

  • Kibana 8.19.7, 9.1.7, 9.2.1 Security Update (ESA-2025-25)
    by ikakavas on November 12, 2025 at 9:33 am

    Kibana Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (ESA-2025-25)

    Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) in Kibana can lead to DOM-based XSS due to the use of Vega. The issue in Vega is tracked as CVE-2025-59840.

    Affected Versions:
      All Kibana versions before and including 8.19.6
      All Kibana versions from 9.0.0 up to and including 9.1.6
      Kibana version 9.2.0

    Affected Configurations:
      All Kibana instances where Vega Visualizations are enabled (default behavior).

    Solutions and Mitigations:
      Users should upgrade to version 8.19.7, 9.1.7, 9.2.1.

    For Users that Cannot Upgrade:
      Self-hosted: For on-premises installations, you can set vis_type_vega.enabled: false in the kibana.yml file. Note that this will disable all Vega charts in Kibana.
      Cloud: For Elastic Cloud services deployments, you can set vis_type_vega.enabled: false in the Kibana user settings. Note that this will disable all Vega charts in Kibana.
      Elastic Cloud Serverless: Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless before the public disclosure.

    Severity: CVSSv3.1: 8.7 (High) – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
    CVE ID: CVE-2025-59840

  • Elastic Defend 8.19.6, 9.1.6, and 9.2.0 Security Update (ESA-2025-23)
    by ismisepaul on November 6, 2025 at 2:25 pm

    Elastic Defend Improper Preservation of Permissions (ESA-2025-23)

    Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation.

    Affected Versions:
      Versions up to and including 8.19.5, and versions from 9.0.0 up to and including 9.1.5.

    Affected Configurations:
      This affects Windows systems only. This includes Windows Server.

    Solutions and Mitigations:
      Users should upgrade to version 8.19.6, 9.1.6, or 9.2.0.

    For Users that Cannot Upgrade:
      Windows 11 24H2 includes changes which make this issue harder to exploit. Users who are unable to upgrade Defend should consider upgrading to Windows 11 24H2 or later.

    Severity: CVSSv3.1: 7.0 (High) – CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVE ID: CVE-2025-37735

    Changelog:
      2025-11-17: Added section “Affected Configurations” highlighting that this can affect Windows Server.

  • Elastic Cloud Enterprise (ECE) 3.8.3 and 4.0.3 Security Update (ESA-2025-22)
    by ikakavas on October 31, 2025 at 5:36 pm

    Elastic Cloud Enterprise Improper Authorization (ESA-2025-22)

    Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is:
      post:/platform/configuration/security/service-accounts
      delete:/platform/configuration/security/service-accounts/{user_id}
      patch:/platform/configuration/security/service-accounts/{user_id}
      post:/platform/configuration/security/service-accounts/{user_id}/keys
      delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}
      patch:/user
      post:/users
      post:/users/auth/keys
      delete:/users/auth/keys
      delete:/users/auth/keys/_all
      delete:/users/auth/keys/{api_key_id}
      delete:/users/{user_id}/auth/keys
      delete:/users/{user_id}/auth/keys/{api_key_id}
      delete:/users/{user_name}
      patch:/users/{user_name}

    Affected Versions:
      Elastic Cloud Enterprise versions after 3.8.0 and up to and including 3.8.2
      Elastic Cloud Enterprise versions after 4.0.0 and up to and including 4.0.2

    Affected Configurations:
      This issue affects all ECE users.

    Solutions and Mitigations:
      Users should upgrade to version 3.8.3 and 4.0.3. In addition to the upgrade, Elastic Cloud Enterprise users should investigate whether there exist any users or service accounts that have been created by the readonly user and potentially delete them. The following tooling offers this functionality. Elastic advises extreme caution while deleting users, to ensure that only the necessary ones are deleted.

    For Users that Cannot Upgrade:
      Users that cannot upgrade should also use the provided tooling to list users or service accounts that have been created by the readonly user and potentially delete them.

    Severity: CVSSv3.1: 8.8 (High) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVE ID: CVE-2025-37736

  • Elastic Cloud Enterprise (ECE) 3.8.2 and 4.0.2 Security Update (ESA-2025-21)
    by ismisepaul on October 13, 2025 at 1:44 pm

    Elastic Cloud Enterprise (ECE) Improper Neutralization of Special Elements Used in a Template Engine (ESA-2025-21)

    Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.

    Affected Versions:
      Versions starting from 2.5.0 up to and including 3.8.1, and versions starting from 4.0.0 up to and including 4.0.1.

    Affected Configurations:
      This issue can only be exploited by users with access to the Elastic Cloud Enterprise (ECE) admin-console and access to a deployment with the Logging+Metrics feature enabled. By submitting plans with specially crafted payloads it is possible to inject code to be executed and the result to be read back via the ingested logs.

    Solutions and Mitigations:
      Users should upgrade to version 3.8.2 and 4.0.2.

    For Users that Cannot Upgrade:
      There are no workarounds.

    Indicators of Compromise (IOC):
      Users can monitor the request logs for malicious payloads by using the search query:
        (payload.name : int3rpr3t3r or payload.name : forPath)

    Severity: CVSSv3.1: 9.1 (Critical) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    CVE ID: CVE-2025-37729
