Elastic has issued a security advisory addressing a high-severity vulnerability (CVE-2025-37736, CVSS 8.8) in Elastic Cloud Enterprise (ECE) that could allow a readonly user to perform unauthorized operations and escalate privileges within managed Elastic environments.
According to the advisory, “Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed.”
The flaw affects Elastic Cloud Enterprise (ECE) versions:
- After 3.8.0 and up to and including 3.8.2
- After 4.0.0 and up to and including 4.0.2
Elastic confirmed that “this issue affects all ECE users”, making it a broad exposure across on-premises and hybrid deployments of Elastic Cloud.
The issue stems from improper access control on several critical API endpoints related to user and service account management. The readonly user—intended only for viewing configuration data—can invoke multiple restricted API calls, effectively gaining administrative capabilities.
Elastic’s advisory lists the vulnerable APIs, which include those that manage user creation, authentication keys, and service accounts.
Among the affected endpoints are:
These operations would normally require administrative privileges, but due to the improper authorization logic, they could be accessed by the readonly role.
This means an attacker who gains access to the readonly account—or any API key tied to it—could potentially create, modify, or delete user accounts, inject new API keys, or escalate privileges to gain full administrative access to an ECE environment.
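To make the flaw class concrete, here is an added illustration in Python that is not Elastic's code and does not reproduce any ECE endpoint or logic: a toy API dispatcher that authenticates the caller but never checks the caller's role against the requested operation, beside a deny-by-default version that does. The operation names, the policy table and the two principals are constructed for the example.

```python
"""Hypothetical illustration of improper authorization (not ECE's code): an API
layer that only authenticates callers versus one that authorises per operation."""

# Constructed operation names; they are not the real ECE API routes.
ADMIN_ONLY = {"create_user", "delete_user", "create_api_key", "create_service_account"}
READ_ONLY = {"get_config", "list_users"}

# Policy table: which roles may call which operation. Operations not listed are denied.
POLICY = {op: {"admin"} for op in ADMIN_ONLY}
POLICY.update({op: {"admin", "readonly"} for op in READ_ONLY})


class Forbidden(Exception):
    """Raised when a call is rejected, whether unauthenticated or unauthorised."""


def dispatch_vulnerable(caller, operation):
    """Checks only that the caller is a known principal. Because the caller's
    role is never compared with the operation, a readonly principal reaches
    administrative operations; this is the shape of the advisory's bug."""
    if caller.get("role") is None:
        raise Forbidden("unauthenticated")
    return f"{operation} executed by {caller['name']}"


def dispatch_hardened(caller, operation):
    """Deny by default: the operation must appear in the policy table and the
    caller's role must be on that operation's allow-list."""
    role = caller.get("role")
    if role is None:
        raise Forbidden("unauthenticated")
    allowed = POLICY.get(operation, set())
    if role not in allowed:
        raise Forbidden(f"role {role!r} may not call {operation!r}")
    return f"{operation} executed by {caller['name']}"


def can_call(dispatcher, caller, operation):
    """Return True if the dispatcher lets the caller run the operation."""
    try:
        dispatcher(caller, operation)
        return True
    except Forbidden:
        return False


# Constructed principals for the demonstration.
READONLY = {"name": "readonly", "role": "readonly"}
ADMIN = {"name": "admin", "role": "admin"}

if __name__ == "__main__":
    for op in sorted(ADMIN_ONLY | READ_ONLY):
        print(f"{op:24} vulnerable={can_call(dispatch_vulnerable, READONLY, op)!s:5} "
              f"hardened={can_call(dispatch_hardened, READONLY, op)}")
```

The point of the hardened variant is that the allow-list is keyed by operation, so a newly added endpoint that nobody remembered to register is rejected rather than silently reachable by every authenticated role.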
Elastic has released patched versions 3.8.3 and 4.0.3, which include fixes for this improper authorization issue.
The advisory added that “in addition to the upgrade, Elastic Cloud Enterprise users should investigate whether there exist any users or service accounts that have been created by the readonly user and potentially delete them.”
Elastic cautioned administrators to use extreme care when performing cleanup operations. For organizations that cannot immediately upgrade, Elastic has released an open-source cleanup utility to help identify and remove unauthorized accounts. The tool is available on GitHub.
Administrators are urged to run this tool to list users or service accounts created by the readonly user and verify the legitimacy of those entities.
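As an added example (not Elastic's cleanup utility and not its output format), the following Python helper covers the two checks the advisory asks for: whether an ECE version string falls in one of the affected ranges listed above, and which accounts in an inventory were created by the readonly user. The inventory records and their field names (`name`, `kind`, `created_by`) are a constructed assumption; they do not reflect the ECE API's real schema.

```python
"""Triage helper for CVE-2025-37736 (added example, not Elastic's tool)."""
from dataclasses import dataclass

# Affected ranges as the advisory words them: after 3.8.0 up to and including
# 3.8.2, and after 4.0.0 up to and including 4.0.2. Stored as
# (exclusive_low, inclusive_high).
AFFECTED_RANGES = [((3, 8, 0), (3, 8, 2)), ((4, 0, 0), (4, 0, 2))]
FIXED_VERSIONS = {(3, 8, 3), (4, 0, 3)}


def parse_version(text):
    """Turn 'x.y.z' into a comparable tuple; reject anything else loudly."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ECE version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text):
    """True if the version lies inside an affected range from the advisory."""
    v = parse_version(text)
    return any(low < v <= high for low, high in AFFECTED_RANGES)


def is_fixed(text):
    """True if the version is one of the patched releases named in the advisory."""
    return parse_version(text) in FIXED_VERSIONS


@dataclass
class Account:
    name: str
    kind: str        # "user" or "service_account" (constructed vocabulary)
    created_by: str  # principal that created the account


# Constructed sample inventory; field names are an assumption, not ECE's schema.
SAMPLE_INVENTORY = [
    Account("admin", "user", "system"),
    Account("ops-backup", "service_account", "admin"),
    Account("helper-1", "user", "readonly"),
    Account("ci-key-owner", "service_account", "readonly"),
]


def accounts_created_by(inventory, creator="readonly"):
    """Accounts whose recorded creator is `creator`; these are the entities the
    advisory says to review and, once confirmed illegitimate, delete."""
    return [a for a in inventory if a.created_by == creator]


def review_report(inventory, creator="readonly"):
    """Group suspicious account names by kind so an operator can verify each one."""
    report = {}
    for acct in accounts_created_by(inventory, creator):
        report.setdefault(acct.kind, []).append(acct.name)
    return report


if __name__ == "__main__":
    for ver in ("3.8.0", "3.8.2", "3.8.3", "4.0.1", "4.0.3"):
        print(f"{ver}: affected={is_affected(ver)} fixed={is_fixed(ver)}")
    print(review_report(SAMPLE_INVENTORY))
```

The range check reads the advisory literally ("after 3.8.0"), so 3.8.0 itself is reported as not affected; the version comparison is on numeric tuples rather than strings, which matters once a component passes 9. The review report is deliberately a list to verify, not a delete list: the advisory asks administrators to confirm legitimacy before removing anything.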