Elastic has released security updates to address a serious flaw in Elastic Defend, its endpoint protection component within the Elastic Security suite. Tracked as CVE-2025-37735, the vulnerability is classified as “Improper Preservation of Permissions” and carries a CVSS score of 7.0, indicating high severity.
According to the advisory, “Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation.”
This means a local attacker with limited access could leverage the vulnerability to delete critical system files, escalating privileges to SYSTEM, the highest level of access in Windows.
Elastic confirmed that the issue affects multiple branches of its product line, including both 8.x and 9.x releases.
In affected environments, Elastic Defend’s high-privilege service could be manipulated to remove files that regular users cannot modify. This makes it a potent local privilege escalation (LPE) vector, particularly dangerous in environments where attackers have already gained a foothold through another exploit or social engineering technique.
Elastic recommends that all users upgrade immediately to the patched releases (8.19.6, 9.1.6, or 9.2.0).
For customers who cannot immediately deploy the updated versions, Elastic has suggested a temporary mitigation.
“Windows 11 24H2 includes changes which make this issue harder to exploit. Users who are unable to upgrade Defend should consider upgrading to Windows 11 24H2 or later.”
While not a complete fix, running Elastic Defend on Windows 11 24H2 significantly reduces the exploitability of this vulnerability by tightening user-mode access restrictions.
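The remediation guidance above boils down to two checks per host: is the installed Elastic Defend build below the fixed release for its branch, and, if it is, does the host at least run Windows 11 24H2. The following is an added triage helper written for this write-up, not code from Elastic or the advisory. It assumes that 9.0.x has no fix of its own and must move to 9.1.6 or 9.2.0 (the advisory only names 8.19.6, 9.1.6 and 9.2.0), that major versions the advisory does not mention should be flagged for manual review rather than passed silently, and that Windows 11 24H2 corresponds to build 26100 (general knowledge, not from the page). The host inventory is constructed sample data.

```python
"""Triage Elastic Defend versions against the fixed releases named in the
advisory write-up (8.19.6, 9.1.6, 9.2.0) and flag Windows hosts below 24H2.
Uses a constructed inventory only; runs offline."""
from __future__ import annotations

from dataclasses import dataclass

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(8, 19): (8, 19, 6), (9, 1): (9, 1, 6), (9, 2): (9, 2, 0)}

# Windows 11 24H2 ships as build 26100 (general knowledge, not from the page).
WIN11_24H2_BUILD = 26100


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '8.19.5' (optionally with a '-SNAPSHOT' style suffix) into (8, 19, 5)."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True when the Defend version is below the fixed release for its branch.

    8.x: anything before 8.19.6 is affected (earlier 8.x minors have no fix).
    9.x: 9.0.x is affected (assumption: no fix on that branch); 9.1.x before
         9.1.6 is affected; 9.2.0 and later are fixed.
    Other majors: flagged as affected so they surface for manual review.
    """
    major, minor, patch = parse_version(version)
    if major == 8:
        return (major, minor, patch) < FIXED[(8, 19)]
    if major == 9:
        if minor == 0:
            return True
        if minor == 1:
            return (major, minor, patch) < FIXED[(9, 1)]
        return (major, minor, patch) < FIXED[(9, 2)]  # covers 9.2 and later
    return True  # unknown major: flag for review


def mitigated_by_os(windows_build: int) -> bool:
    """True when the host runs Windows 11 24H2 or later (the interim mitigation)."""
    return windows_build >= WIN11_24H2_BUILD


@dataclass
class Host:
    name: str
    defend_version: str
    windows_build: int


def triage(hosts: list[Host]) -> dict[str, str]:
    """Map each host to 'patched', 'affected-hardened-os', or 'affected'."""
    result: dict[str, str] = {}
    for h in hosts:
        if not is_affected(h.defend_version):
            result[h.name] = "patched"
        elif mitigated_by_os(h.windows_build):
            result[h.name] = "affected-hardened-os"  # upgrade Defend still required
        else:
            result[h.name] = "affected"  # highest priority for patching
    return result


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_HOSTS = [
    Host("ws-01", "8.19.5", 22631),  # 23H2, old Defend
    Host("ws-02", "8.19.6", 22631),  # 23H2, patched Defend
    Host("ws-03", "9.1.5", 26100),   # 24H2, old Defend
    Host("ws-04", "9.2.0", 19045),   # Windows 10, patched Defend
    Host("ws-05", "9.0.3", 26100),   # 24H2, unfixed branch
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_HOSTS).items():
        print(f"{name}: {status}")
```

Hosts reported as `affected-hardened-os` still need the Defend upgrade; the OS check only orders the patch queue, since the advisory describes 24H2 as making exploitation harder, not impossible.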