Elastic has disclosed a significant security vulnerability in Elastic Defend for Windows that could allow attackers to escalate their privileges on affected systems.
Tracked as CVE-2025-37735 and designated as ESA-2025-23, the flaw stems from improper permission preservation within the Defend service running with SYSTEM-level privileges.
The vulnerability exists in how Elastic Defend handles file permissions on Windows hosts.
Because the Defend service runs with SYSTEM privileges, the highest permission level in Windows, an attacker with local access could exploit this flaw to delete arbitrary files on the system.
In specific scenarios, this capability could be weaponized to achieve local privilege escalation, granting unauthorized users administrative access to the compromised machine.
This type of vulnerability is hazardous because it bridges the gap between lower-privilege user accounts and complete system control.
The vulnerability impacts Elastic Defend across multiple versions: all versions up to and including 8.19.5, and versions 9.0.0 through 9.1.5.
That breadth of affected releases makes it an attractive target for threat actors seeking to deepen their foothold on compromised networks. The vulnerability carries a CVSS v3.1 score of 7.0, classified as High severity.
| Attributes | Details |
| --- | --- |
| CVE ID | CVE-2025-37735 |
| Vulnerability Type | Improper Preservation of Permissions |
| Affected Product | Elastic Defend for Windows |
| Affected Versions | 8.19.5 and earlier; 9.0.0 through 9.1.5 |
| Fixed Versions | 8.19.6, 9.1.6, 9.2.0 |
| CVSS v3.1 Score | 7.0 (High) |
The attack vector requires local access and higher privileges than a typical user account, but notably does not require user interaction.
Organizations running these versions should treat this disclosure as urgent and prioritize remediation immediately.
Elastic recommends users upgrade to patched versions as the primary mitigation strategy.
The fixed versions are 8.19.6, 9.1.6, or 9.2.0. These updates directly address the permission preservation issue and eliminate the exploitation pathway.
For organizations unable to upgrade immediately, Windows 11 24H2 includes architectural changes that make exploitation significantly more difficult.
Administrators without the ability to patch Elastic Defend quickly should consider upgrading to Windows 11 24H2 or later as an interim protective measure.
Organizations should prioritize upgrading Elastic Defend installations to eliminate this vulnerability.
Those operating older Windows versions without immediate upgrade paths should implement the Windows 11 24H2 upgrade as a secondary mitigation while planning their Elastic Defend upgrade schedule.
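To turn the advisory's version ranges and interim mitigation into a repeatable host check, the following PowerShell function is an added example (not Elastic's code or part of ESA-2025-23). It assumes the operator supplies the installed Elastic Defend version (for example from Fleet or an agent inventory export) and reads only the Windows build number from the host; the build threshold 26100 is Windows 11 24H2.

```powershell
# Added example, not from Elastic or the advisory. Classifies an Elastic Defend
# version against the ranges listed for CVE-2025-37735 / ESA-2025-23 and reports
# whether the host is already on Windows 11 24H2 (build 26100) or later, which the
# advisory names as an interim protective measure.
# Assumption: the caller passes the Defend version; nothing is read from disk or the registry.
function Test-ElasticDefendExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DefendVersion,
        # Defaults to the local OS build; override to assess inventory data offline.
        [int]$OsBuild = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    )

    $v = [version]$DefendVersion

    # Affected ranges from the advisory: <= 8.19.5, and 9.0.0 through 9.1.5.
    $affected = ($v -le [version]'8.19.5') -or
                ($v -ge [version]'9.0.0' -and $v -le [version]'9.1.5')

    # Windows 11 24H2 shipped as build 26100; later builds keep the same hardening.
    $onHardenedOs = $OsBuild -ge 26100

    $action = if (-not $affected) {
        'Not in an affected range; no action required for this CVE.'
    } elseif ($onHardenedOs) {
        'Affected build, but host is on Windows 11 24H2 or later; still upgrade Defend to 8.19.6 / 9.1.6 / 9.2.0.'
    } else {
        'Affected build on pre-24H2 Windows; upgrade Defend now (8.19.6 / 9.1.6 / 9.2.0) or move the host to 24H2 as an interim step.'
    }

    [pscustomobject]@{
        DefendVersion     = $DefendVersion
        Affected          = $affected
        OsBuild           = $OsBuild
        OnWindows11_24H2  = $onHardenedOs
        RecommendedAction = $action
    }
}

# Constructed sample inventory rows (version, build) to show the three outcomes.
@(
    @{ DefendVersion = '8.19.5'; OsBuild = 22631 },  # affected, older Windows 11 (23H2)
    @{ DefendVersion = '9.1.2';  OsBuild = 26100 },  # affected, but on 24H2
    @{ DefendVersion = '9.2.0';  OsBuild = 22631 }   # fixed release
) | ForEach-Object { Test-ElasticDefendExposure @_ } | Format-Table -AutoSize
```

Feed real inventory rows through the same pipeline to produce a remediation list sorted by the two risk factors the advisory calls out.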