Critical Vulnerability Found in Elastic Defend for Windows; Urgent Patch Recommended

Critical Vulnerability in Elastic Defend for Windows Enables Privilege Escalation

Elastic has recently disclosed a significant security vulnerability in its Elastic Defend for Windows product, identified as CVE-2025-37735. This flaw arises from improper permission handling within the Defend service, which operates with SYSTEM-level privileges—the highest in Windows environments. Consequently, attackers with local access could exploit this vulnerability to delete arbitrary files, potentially leading to privilege escalation and granting unauthorized administrative access.

Understanding the Vulnerability

The core issue lies in how Elastic Defend manages file permissions on Windows systems. Since the Defend service runs with SYSTEM privileges, any mismanagement in permission settings can be exploited by attackers to perform unauthorized actions. In this case, an attacker with local access could delete critical system files, disrupting operations and potentially escalating their privileges to gain full control over the affected system.

Affected Versions and Severity

The vulnerability impacts Elastic Defend versions up to and including 8.19.5, as well as versions 9.0.0 through 9.1.5. Given the potential for privilege escalation and system compromise, this flaw has been assigned a CVSS v3.1 score of 7.0, categorizing it as a high-severity issue.

Mitigation and Recommendations

To address this vulnerability, Elastic has released patched versions: 8.19.6, 9.1.6, and 9.2.0. Users are strongly advised to upgrade to these versions promptly to mitigate the risk. For organizations unable to upgrade immediately, deploying Windows 11 24H2 or later can serve as an interim protective measure, as these versions include architectural changes that make exploitation more challenging.
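As an added example (not code from Elastic or from this advisory), the PowerShell below turns the version ranges and the permission-handling concern above into two checks an administrator can run: whether a reported Elastic Defend version falls inside the affected ranges, and whether a directory's ACL grants broad principals write or delete rights. The install path and the `elastic-agent.exe` binary name are assumptions; supply the version string from your own inventory.

```powershell
# Added example, not part of the advisory. Two defender-side checks for
# CVE-2025-37735: an affected-version test and an ACL audit for broad write
# or delete access on the directory the service operates in.

function Test-ElasticDefendAffected {
    param([Parameter(Mandatory)][string]$Version)
    # [version] compares numerically per component ("8.19.10" > "8.19.5").
    $v = [version]$Version
    # Ranges stated in the advisory: <= 8.19.5 and 9.0.0 through 9.1.5.
    if ($v -le [version]'8.19.5') { return $true }
    if ($v -ge [version]'9.0.0' -and $v -le [version]'9.1.5') { return $true }
    return $false   # 8.19.6, 9.1.6, 9.2.0 and later are patched
}

function Get-BroadWriteAccess {
    # Returns Allow ACEs that give well-known low-privilege groups any
    # write or delete right on $Path; an empty result is the desired state.
    param([Parameter(Mandatory)][string]$Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broad -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }
}

# Usage. $installDir is an assumption (a common Elastic Agent location);
# $reportedVersion would come from your endpoint inventory or Fleet.
$installDir      = 'C:\Program Files\Elastic\Agent'
$reportedVersion = '9.1.5'   # constructed sample value

if (Test-ElasticDefendAffected -Version $reportedVersion) {
    Write-Warning "Elastic Defend $reportedVersion is in an affected range; upgrade to 8.19.6, 9.1.6 or 9.2.0."
}
if (Test-Path $installDir) {
    $weak = Get-BroadWriteAccess -Path $installDir
    if ($weak) {
        Write-Warning "Broad write/delete access found on ${installDir}:"
        $weak | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    }
}
```

The ACL audit is a general hygiene check rather than a detector for this specific bug; a clean result does not substitute for upgrading.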

Broader Implications

This disclosure underscores the critical importance of proper permission management in security software. When security tools themselves contain vulnerabilities, they can inadvertently become vectors for attacks, emphasizing the need for rigorous security practices and prompt patch management.

Conclusion

Organizations utilizing Elastic Defend for Windows should prioritize upgrading to the patched versions to eliminate this vulnerability. Additionally, implementing the latest Windows updates can provide an extra layer of defense against potential exploitation. Staying vigilant and proactive in applying security updates is essential to maintaining a robust defense against evolving cyber threats.