
A newly disclosed zero-day vulnerability in Elastic's Endpoint Detection and Response (EDR) solution allows attackers to bypass its protections, execute malicious code, and trigger a BSOD system crash, according to research published by Ashes Cybersecurity.
The vulnerability resides in a core component of the security software, effectively turning the defensive tool into a weapon against the systems it is meant to protect.
The flaw was found in elastic-endpoint-driver.sys, a Microsoft-signed kernel driver developed by Elasticsearch, Inc. The driver is a core component of Elastic Defend, the endpoint protection delivered through Elastic Agent.
The researcher who discovered the vulnerability has detailed a four-step attack chain that exploits this flaw to achieve a complete system compromise.
The attack begins with an EDR bypass, in which a custom loader circumvents Elastic's protections. Once the EDR is blinded, the attacker runs malicious code on the system without being detected or blocked; the researcher labels this step Remote Code Execution (RCE), although, as described, the code runs locally on the host.
The third step establishes persistence by planting a custom kernel driver that interacts with the vulnerable Elastic driver. Finally, the attacker triggers what the researcher calls a privileged persistent denial of service, crashing the system repeatedly and rendering it unusable. Loading a kernel driver requires administrative rights, and on a system with driver signature enforcement the driver must also pass signing checks; nothing in the described chain removes that prerequisite.
Elastic EDR 0-Day Vulnerability
At the heart of the vulnerability is a CWE-476 NULL pointer dereference. According to Ashes Cybersecurity, elastic-endpoint-driver.sys mishandles memory in its privileged kernel routines: under certain conditions, a pointer that user mode can control is passed into a kernel function without validation.
If that pointer is NULL, refers to memory that has already been freed, or has been corrupted, the kernel dereferences it anyway. An unhandled invalid access in kernel mode is a bugcheck, which is what the user sees as the Blue Screen of Death (BSOD).
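The pattern the research describes, as an added illustration that is not Elastic's driver code or the researcher's proof of concept: a portable C simulation of an IOCTL handler that trusts a pointer embedded in the request, beside a hardened handler that validates it the way a Windows driver would with ProbeForRead inside __try/__except before touching it. The request layout, the handler names, the checksum operation, the sample input and the fixed MmUserProbeAddress constant are assumptions made for this simulation; the status values are the real NTSTATUS codes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status values taken from the real NTSTATUS table. */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_INVALID_PARAMETER     0xC000000Du

/* Highest user-mode address on x64 Windows (MmUserProbeAddress), assumed
 * here as a fixed constant so the simulation runs on any host. */
#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL
#define MAX_REQ_LEN 256u

/* Hypothetical IOCTL input: the caller embeds a pointer to a second buffer,
 * the shape in which user-controlled pointers reach kernel code. */
typedef struct {
    const void *user_buf;   /* attacker-controlled pointer from user mode */
    uint32_t    user_len;
} ioctl_request_t;

static uint32_t byte_checksum(const uint8_t *p, uint32_t len) {
    uint32_t sum = 0;
    for (uint32_t i = 0; i < len; i++) sum += p[i];
    return sum;
}

/* VULNERABLE (CWE-476): user_buf is dereferenced as-is. In a driver a NULL,
 * freed or bogus pointer here faults in kernel mode and the machine
 * bugchecks. This simulation only ever calls it with a valid buffer. */
uint32_t handle_ioctl_unsafe(const ioctl_request_t *req, uint32_t *out) {
    *out = byte_checksum((const uint8_t *)req->user_buf, req->user_len);
    return STATUS_SUCCESS;
}

/* Simulation of ProbeForRead: alignment, wraparound and the user/kernel
 * boundary, in that order. The real routine raises; this one returns. */
static uint32_t probe_for_read(const void *addr, size_t len, size_t align) {
    uintptr_t start = (uintptr_t)addr;
    if (len == 0) return STATUS_SUCCESS;
    if (start & (align - 1)) return STATUS_DATATYPE_MISALIGNMENT;
    if (start + len < start || start + len > USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* HARDENED: reject NULL and bad lengths, probe the range, then copy into a
 * kernel-owned buffer before use so another user thread cannot free or
 * remap the page between the check and the use. The explicit NULL check
 * stands in for the __try/__except that catches the page fault in a driver. */
uint32_t handle_ioctl_safe(const ioctl_request_t *req, uint32_t *out) {
    uint8_t local[MAX_REQ_LEN];
    uint32_t st;
    if (req == NULL || out == NULL) return STATUS_INVALID_PARAMETER;
    if (req->user_buf == NULL) return STATUS_INVALID_PARAMETER;
    if (req->user_len == 0 || req->user_len > MAX_REQ_LEN) return STATUS_INVALID_PARAMETER;
    st = probe_for_read(req->user_buf, req->user_len, sizeof(uint32_t));
    if (st != STATUS_SUCCESS) return st;
    memcpy(local, req->user_buf, req->user_len);   /* single fetch */
    *out = byte_checksum(local, req->user_len);
    return STATUS_SUCCESS;
}

/* Constructed sample input: 16 bytes whose byte sum is 12. */
uint32_t sample_words[4] = { 0x01010101u, 0x02020202u, 0u, 0u };

/* Thin wrappers so each scenario is one call. */
uint32_t safe_status(const void *buf, uint32_t len) {
    ioctl_request_t r = { buf, len };
    uint32_t cs = 0;
    return handle_ioctl_safe(&r, &cs);
}
uint32_t safe_checksum(const void *buf, uint32_t len) {
    ioctl_request_t r = { buf, len };
    uint32_t cs = 0;
    return handle_ioctl_safe(&r, &cs) == STATUS_SUCCESS ? cs : 0xFFFFFFFFu;
}
uint32_t unsafe_checksum(const void *buf, uint32_t len) {
    ioctl_request_t r = { buf, len };
    uint32_t cs = 0;
    handle_ioctl_unsafe(&r, &cs);
    return cs;
}

int main(void) {
    printf("valid request      : 0x%08X checksum %u\n",
           safe_status(sample_words, 16), safe_checksum(sample_words, 16));
    printf("NULL pointer       : 0x%08X\n", safe_status(NULL, 16));
    printf("misaligned pointer : 0x%08X\n",
           safe_status((const uint8_t *)sample_words + 1, 8));
    printf("kernel-range ptr   : 0x%08X\n",
           safe_status((const void *)(uintptr_t)(USER_PROBE_ADDRESS - 8), 16));
    return 0;
}
```

The hardened handler returns a status for every malformed request instead of touching the pointer; the unsafe one returns the same checksum on benign input, and it is only the malformed cases that separate them. The copy into a kernel-owned buffer after the probe is what closes the "freed" case the research mentions: without it, a second user thread can unmap the page between the probe and the dereference.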
The researcher states that the flaw is not merely theoretical but reliably reproducible. A custom proof of concept, consisting of a C loader and a custom kernel driver, was used to trigger it under controlled conditions.
The proof of concept first bypasses the EDR, loads the custom driver, establishes persistence so the driver reloads on reboot, and then interacts with the vulnerable Elastic driver to cause the BSOD.
The researcher argues that this shows the Elastic driver itself can be manipulated into behaving like malware.
The implications for enterprises relying on Elastic's security products are significant: any organization running Elastic's EDR could be carrying a driver that can be abused to crash endpoints at scale. The published chain is not remote, however. Every step runs on the host, and the persistence step requires loading a kernel driver, which needs administrative rights; the write-up describes no remote trigger.
The practical exposure is therefore an attacker who already holds that level of access using a trusted, signed kernel driver as a persistent, privileged means of disabling endpoints.
The disclosure timeline began on June 2nd, 2025, when the vulnerability was discovered. Reports were submitted through HackerOne on June 11th and through the Zero Day Initiative (ZDI) on July 29th. The researcher then published independently on August 16th, 2025.
The affected component is elastic-endpoint-driver.sys as shipped in version 8.17.6; the researcher believes all subsequent versions are also vulnerable, since no patch had been released at the time of publication.
The researcher noted that the vulnerability was found during user-mode testing and that their organization, Ashes Cybersecurity Pvt Ltd., is a paying Elastic customer. "A defender that crashes, blinds or disables its own system on command is indistinguishable from malware," the researcher stated, pointing to the erosion of trust this causes not only in Elastic but in the broader security industry. Until a patch is issued, customers remain exposed to this zero-day.