CVE-2025-37729NVD

Vulnerability Summary

Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.

Severity Level

CRITICAL(9.1)

Published Date

Oct 13, 2025

Last Modified

Oct 13, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-1336: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredHigh

User InteractionNone

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://discuss.elastic.co/t/elastic-cloud-enterprise-ece-3-8-2-and-4-0-2-security-update-esa-2025-21/382641

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2025-37729NVD

Vulnerability Summary

External References