Elastic has issued an urgent security update for Elastic Cloud Enterprise (ECE) to remediate a critical template engine injection vulnerability that could allow authenticated administrators to execute arbitrary commands and exfiltrate sensitive data.
Tracked as CVE-2025-37729 and carrying a CVSSv3.1 score of 9.1 (Critical), the flaw affects ECE versions 2.5.0 through 3.8.1 and 4.0.0 through 4.0.1.
Elastic strongly urges customers to upgrade to versions 3.8.2 or 4.0.2 immediately, as no mitigations or configuration workarounds exist.
Vulnerability Details and Impact
The root cause of CVE-2025-37729 lies in the improper neutralization of special elements within the Jinjava template engine.
When an authenticated ECE admin submits a deployment plan containing crafted Jinjava variables, the platform evaluates and executes those payloads.
If the Logging+Metrics feature is enabled, the output of injected commands is captured in logs, effectively creating a feedback channel for attackers to both run commands and retrieve results.
Because the flaw allows complete control over the template interpretation process, successful exploitation leads to full compromise of confidentiality, integrity, and availability.
An attacker must meet two prerequisites: valid admin console access and deployment plans with Logging+Metrics enabled.
While requiring high-level privileges narrows the attacker profile, the network-reachable nature of the ECE control plane, combined with this template injection, elevates the threat significantly.
Once inside, adversaries can pivot across multiple clusters, issue system-level commands, and harvest data across the organization’s Elasticsearch infrastructure.
Elastic’s security bulletin recommends that administrators monitor request logs for suspicious payload names indicative of Jinjava abuse.
Queries such as:
(payload.name : int3rpr3t3r or payload.name : forPath)
can help identify attempts to inject code. Teams should also review historical Logging+Metrics pipelines for unusual plan submissions or unexpected task outputs.
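The following is an added example, not code from Elastic or from the bulletin: it applies the indicator values in the query above (the payload.name values int3rpr3t3r and forPath) to request-log lines, and adds a broader secondary signal for Jinjava delimiters in the plan body. The newline-delimited JSON layout, the "payload", "plan" and "user" field names, and the sample lines are all constructed assumptions; adapt the field extraction to the actual ECE request-log schema.

```python
"""Added example (not Elastic's code): scan ECE request-log lines for the
payload names the bulletin flags as indicative of Jinjava abuse.

Assumptions (not from the bulletin): log lines are newline-delimited JSON
with a nested "payload" object carrying a "name" field and an optional
"plan" string; the sample lines below are constructed for illustration.
"""
import json
import re

# Indicator values from Elastic's recommended query:
#   payload.name : int3rpr3t3r or payload.name : forPath
SUSPICIOUS_PAYLOAD_NAMES = {"int3rpr3t3r", "forPath"}

# Assumption: Jinjava expression ({{ }}) and statement ({% %}) delimiters,
# used as a broader secondary signal on the plan body. This goes beyond the
# bulletin's query and will need tuning against legitimate plan content.
JINJAVA_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def payload_name(event):
    """Return the payload.name value from a parsed log event, or None."""
    payload = event.get("payload")
    if isinstance(payload, dict):
        name = payload.get("name")
        if isinstance(name, str):
            return name
    return None


def classify(event):
    """Return the list of reasons an event is suspicious (empty if clean)."""
    reasons = []
    name = payload_name(event)
    if name in SUSPICIOUS_PAYLOAD_NAMES:
        reasons.append(f"payload.name={name}")
    plan = event.get("plan")
    if isinstance(plan, str) and JINJAVA_SYNTAX.search(plan):
        reasons.append("jinjava-syntax-in-plan")
    return reasons


def scan_log(lines):
    """Parse each JSON line; return (line_no, user, reasons) for every hit."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        reasons = classify(event)
        if reasons:
            hits.append((line_no, event.get("user", "?"), reasons))
    return hits


# Constructed sample request-log lines (not real ECE output).
SAMPLE_LOG = [
    '{"user":"admin","path":"/api/v1/deployments","payload":{"name":"default-plan"},"plan":"cluster=a"}',
    '{"user":"admin","path":"/api/v1/deployments","payload":{"name":"int3rpr3t3r"},"plan":"{{ x }}"}',
    'not json at all',
    '{"user":"ops","path":"/api/v1/deployments","payload":{"name":"forPath"}}',
    '{"user":"ops","path":"/api/v1/deployments","payload":{"name":"ok"},"plan":"{% for i in x %}{% endfor %}"}',
]

if __name__ == "__main__":
    for line_no, user, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no} user={user}: {', '.join(reasons)}")
```

The first check reproduces the bulletin's query exactly; the delimiter check is the kind of broader rule a team might add when reviewing historical Logging+Metrics pipelines, at the cost of possible false positives on plans that legitimately contain braces.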
Restricting and auditing admin access, enforcing strong authentication, and isolating high-risk deployments can further reduce exposure.
In environments where immediate upgrades are operationally challenging, temporarily disabling the Logging+Metrics feature on sensitive clusters can limit attackers’ ability to exfiltrate command output.
However, this is only a stopgap measure; patching remains the only definitive resolution.
Elastic Cloud Enterprise users must upgrade to ECE 3.8.2 or 4.0.2 without delay to remediate CVE-2025-37729.
The update addresses the template engine injection flaw by enhancing input validation and sanitization within the Jinjava evaluation context.
No alternative patches or vendor-issued workarounds exist, making prompt version upgrades imperative.
Administrators are advised to:
- Validate that all ECE clusters are running patched versions.
- Restrict admin console access using robust authentication and role-based controls.
- Conduct log reviews and deploy detection rules for malicious Jinjava payload signatures.
- Temporarily disable Logging+Metrics on high-value deployments if immediate patching is not feasible.
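As an added example for the first step (not Elastic's own tooling), the script below checks an inventory of ECE version strings against the affected ranges stated in the bulletin (2.5.0 through 3.8.1 and 4.0.0 through 4.0.1) and names the fixed release (3.8.2 or 4.0.2) each affected cluster should move to. The inventory and version strings are constructed; stripping a "-suffix" before comparing is an assumption, not documented ECE version behaviour.

```python
"""Added example (not Elastic's code): flag ECE versions that fall inside the
affected ranges from the bulletin and report the fixed release to upgrade to.

Assumptions: version strings are three dotted integers, optionally followed
by a '-suffix' that is ignored; the inventory below is constructed.
"""

# Inclusive affected ranges from the advisory, as comparable tuples.
AFFECTED_RANGES = [
    ((2, 5, 0), (3, 8, 1)),
    ((4, 0, 0), (4, 0, 1)),
]

# Fixed releases named in the advisory, keyed by the line they remediate.
FIXED_RELEASE = {3: (3, 8, 2), 4: (4, 0, 2)}


def parse_version(text):
    """'3.8.1' -> (3, 8, 1). Rejects anything that is not three integers."""
    core = text.strip().split("-", 1)[0]  # assumption: drop '-snapshot' style suffixes
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ECE version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text):
    """True when the version lies inside an affected range (inclusive)."""
    version = parse_version(text)
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def target_release(text):
    """Fixed release string for an affected version.

    2.x and 3.x deployments go to 3.8.2; 4.0.x goes to 4.0.2, since the
    advisory names only these two fixed versions.
    """
    major = parse_version(text)[0]
    fixed = FIXED_RELEASE[4] if major >= 4 else FIXED_RELEASE[3]
    return ".".join(str(n) for n in fixed)


def audit(inventory):
    """Map cluster name -> 'affected (upgrade to X)' / 'not affected' / 'unverified'.

    Unparseable versions are reported rather than skipped: an unknown
    version is an unverified cluster, not a safe one.
    """
    report = {}
    for name, version in inventory.items():
        try:
            if is_affected(version):
                report[name] = f"affected (upgrade to {target_release(version)})"
            else:
                report[name] = "not affected"
        except ValueError as exc:
            report[name] = f"unverified ({exc})"
    return report


# Constructed inventory, not real cluster data.
SAMPLE_INVENTORY = {
    "prod-eu": "3.8.1",
    "prod-us": "4.0.1",
    "staging": "4.0.2",
    "legacy": "2.4.9",
    "lab": "3.8.2-snapshot",
    "broken": "latest",
}

if __name__ == "__main__":
    for cluster, status in audit(SAMPLE_INVENTORY).items():
        print(f"{cluster:10s} {status}")
```

Feed it the version reported by each ECE installation; any cluster that comes back "affected" or "unverified" needs attention before the other steps in the list are considered complete.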
By adhering to these steps and applying the security update, organizations can eliminate the risk posed by CVE-2025-37729 and safeguard their Elastic Cloud Enterprise environments from remote code execution attacks.
Elastic Cloud Enterprise Vulnerability CVE Table
| Field | Details |
|---|---|
| CVE ID | CVE-2025-37729 |
| Severity | CVSSv3.1 9.1 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Affected Products | Elastic Cloud Enterprise (ECE) |
| Affected Versions | 2.5.0–3.8.1; 4.0.0–4.0.1 |