Elastic Security has issued a critical update addressing a high-severity vulnerability in its Elastic Defend endpoint protection software for Windows, which could enable attackers to delete arbitrary system files and potentially escalate privileges to the highest level.
Tracked as CVE-2025-37735 under Elastic Security Advisory (ESA-2025-23), the flaw stems from improper preservation of permissions in the Defend service, which runs with SYSTEM privileges.
This issue affects organizations relying on Elastic’s endpoint detection and response (EDR) capabilities, exposing them to local attacks that could disrupt operations or pave the way for broader compromises.
Vulnerability Breakdown
The core problem lies in how Elastic Defend handles file permissions on Windows hosts. Normally, the Defend service monitors and blocks malicious activities with elevated privileges to safeguard the system.
However, due to a flaw in permission enforcement, a low-privileged local user could trick the service into deleting files it shouldn’t touch, including critical system components.
While the advisory doesn’t detail the exact exploitation path, security researchers note that this could manifest as a local privilege escalation (LPE) vector, where an initial foothold gained via phishing or another exploit allows an attacker to manipulate file operations for deeper access.
Affected versions span the 8.x and 9.x branches: all releases up to and including 8.19.5, plus 9.0.0 through 9.1.5.
The vulnerability carries a CVSS v3.1 base score of 7.0 (High): the vector requires local access and a low-privileged account, and rates attack complexity as high (AV:L/AC:H/PR:L), while a successful exploit has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).
Although not classified as remote, its potential in multi-user environments or post-breach scenarios makes it a notable threat for enterprise deployments.
Real-World Implications
In practice, this flaw could wreak havoc in corporate settings where Elastic Defend is deployed across endpoints. An attacker with limited user rights might delete registry keys, configuration files, or even security tools, causing instability or evasion of detection.
For instance, in a ransomware campaign, exploiting this could disable the EDR agent itself, allowing malware to spread unchecked.
While no widespread exploitation has been reported as of November 10, 2025, the four-day-old advisory underscores the urgency, especially since Elastic Defend integrates with the broader Elastic Stack for threat hunting and SIEM.
This isn’t the first time Elastic products have faced permission-related issues; past advisories, like ESA-2024-24 for version 8.13.3, highlight ongoing efforts to harden endpoint agents against LPE tactics.
Mitigation and Recommendations
Elastic urges immediate upgrades to patched versions: 8.19.6, 9.1.6, or 9.2.0, available via the standard update channels.
These releases fix the permission handling without disrupting existing configurations.
For users unable to patch promptly, Elastic suggests upgrading to Windows 11 24H2 or later, as Microsoft's recent changes to user-mode restrictions make exploitation more difficult, though this isn't a full substitute for the agent update.
Organizations should audit their Elastic Defend deployments, prioritize patching high-value endpoints, and monitor for suspicious file deletions via event logs.
Integrating with tools like Microsoft Defender could provide layered defenses, but compatibility testing is advised.
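To support the audit step above, here is an added example (not Elastic's own code) that classifies Elastic Defend agent versions from an inventory export against the affected and fixed ranges the advisory states, so patching can be prioritized; the host list is constructed and the version-string format is assumed to be major.minor.patch.

```python
"""Triage Elastic Defend agent versions against ESA-2025-23 (CVE-2025-37735).

Affected per the advisory: every release up to and including 8.19.5, plus
9.0.0 through 9.1.5. Fixed: 8.19.6, 9.1.6, and 9.2.0 (later releases assumed fixed).
"""

FIXED_8 = (8, 19, 6)          # first fixed release on the 8.x branch
FIRST_AFFECTED_9 = (9, 0, 0)  # start of the affected 9.x range
FIXED_9 = (9, 1, 6)           # first fixed release on the 9.x branch


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch' (a '-suffix' such as '-SNAPSHOT' is ignored)."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside an affected range from the advisory."""
    v = parse_version(version)
    if v < FIXED_8:                       # covers 8.19.5 and everything older
        return True
    return FIRST_AFFECTED_9 <= v < FIXED_9  # 9.0.0 .. 9.1.5


def recommended_upgrade(version: str) -> str:
    """Minimum fixed release on the host's branch, or '' if no upgrade is needed."""
    if not is_affected(version):
        return ""
    major = parse_version(version)[0]
    return "8.19.6" if major <= 8 else "9.1.6 (or 9.2.0)"


def triage(inventory: list) -> list:
    """Return (host, version, target) for every host still running an affected agent."""
    return [(h, v, recommended_upgrade(v)) for h, v in inventory if is_affected(v)]


# Constructed sample inventory (hostname, reported Elastic Defend version).
SAMPLE_INVENTORY = [
    ("ws-finance-01", "8.19.5"),
    ("ws-finance-02", "8.19.6"),
    ("srv-build-03", "9.1.5"),
    ("srv-build-04", "9.2.0"),
    ("ws-legacy-05", "7.17.0"),
]

if __name__ == "__main__":
    for host, ver, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} affected, upgrade to {target}")
```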
As endpoint security evolves, flaws like CVE-2025-37735 remind us that even trusted EDR solutions require vigilant maintenance to counter sophisticated local threats.
In summary, while the vulnerability’s local scope limits its blast radius, its high impact on Windows environments demands swift action.
Elastic’s transparent disclosure enables proactive remediation, reinforcing the importance of timely updates in cybersecurity postures.