Elastic Defend for Windows Privilege Escalation Vulnerability Discovered

Elastic has released a security advisory addressing a critical vulnerability in Elastic Defend that could allow attackers to escalate their privileges on Windows systems.

The vulnerability, tracked as CVE-2025-37735, stems from improper preservation of file permissions in the Defend service and poses a serious risk to organizations relying on this endpoint protection platform.

Vulnerability Details

The flaw lies in how Elastic Defend handles file permissions on Windows hosts.

Because the Defend service runs with SYSTEM-level privileges, its failure to properly preserve the original permission settings on the files it touches matters: a local attacker can abuse the mishandled permissions to delete arbitrary files on the system.

In specific scenarios, the ability to delete critical system files can be leveraged into local privilege escalation.

An attacker with only limited user access could thereby gain complete administrative control over the affected machine, turning a file-handling issue into a full-blown privilege escalation vulnerability.

Field: Details
CVE ID: CVE-2025-37735
Vulnerability Type: Improper Preservation of Permissions
Affected Product: Elastic Defend for Windows
Affected Versions: 8.19.5 and earlier; 9.0.0 through 9.1.5
Fixed Versions: 8.19.6, 9.1.6, 9.2.0
CVSS v3.1 Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Elastic assigned the vulnerability a CVSS v3.1 score of 7.0 (High). The attack requires local access and moderate complexity but demands only low privileges to execute, making it a realistic threat in many environments.

Any local user account on an affected system is therefore a potential path to exploitation.

Organizations should immediately upgrade to patched versions: 8.19.6, 9.1.6, or 9.2.0. These updates implement proper permission preservation mechanisms, eliminating the attack vector.

For organizations unable to upgrade immediately, Windows 11 version 24H2 includes architectural changes that make this vulnerability significantly more complicated to exploit.

Running that Windows release serves as an interim security measure while Elastic Defend upgrades are planned, not as a substitute for patching.

Security teams should prioritize patching this vulnerability across their infrastructure.

Given the high severity rating and realistic exploitation scenario, this should be treated as critical infrastructure maintenance rather than routine patching.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
