
Elastic has disclosed a significant security vulnerability in Elastic Defend for Windows that could allow attackers to escalate their privileges on affected systems.
Tracked as CVE-2025-37735 and designated as ESA-2025-23, the flaw stems from improper permission preservation within the Defend service running with SYSTEM-level privileges.
The vulnerability exists in how Elastic Defend handles file permissions on Windows hosts.
Elastic Defend for Windows Vulnerability
Because the Defend service runs with SYSTEM privileges, the highest permission level in Windows, an attacker with local access could exploit this flaw to delete arbitrary files on the system.
In specific scenarios, this capability could be weaponized to achieve local privilege escalation, granting unauthorized users administrative access to the compromised machine.
This type of vulnerability is hazardous because it bridges the gap between lower-privilege user accounts and complete system control.
The vulnerability affects multiple Elastic Defend versions: all versions up to and including 8.19.5, and versions 9.0.0 through 9.1.5.
This wide range makes it an attractive target for threat actors seeking to deepen their foothold on compromised networks. The vulnerability carries a CVSS v3.1 score of 7.0, classified as High severity.
| Attributes | Details |
|---|---|
| CVE ID | CVE-2025-37735 |
| Vulnerability Type | Improper Preservation of Permissions |
| Affected Product | Elastic Defend for Windows |
| Affected Versions | 8.19.5 and earlier; 9.0.0 through 9.1.5 |
| Fixed Versions | 8.19.6, 9.1.6, 9.2.0 |
| CVSS v3.1 Score | 7.0 (High) |
The attack vector requires local access and higher privileges than a typical user account, but notably does not require user interaction.
Organizations running these versions should treat this disclosure as urgent and prioritize remediation immediately.
Elastic recommends users upgrade to patched versions as the primary mitigation strategy.
The fixed versions are 8.19.6, 9.1.6, and 9.2.0. These updates directly address the permission preservation issue and eliminate the exploitation pathway.
For organizations unable to upgrade immediately, Windows 11 24H2 includes architectural changes that make exploitation significantly more difficult.
Administrators who cannot patch Elastic Defend quickly should consider upgrading to Windows 11 24H2 or later as an interim protective measure.
Upgrading Elastic Defend remains the priority, since only the patched releases eliminate the vulnerability outright.
Organizations on older Windows versions that cannot patch Defend immediately should treat the Windows upgrade as a secondary mitigation while planning their Defend upgrade schedule.
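To turn the affected and fixed version lists above into a fleet triage, here is an added example (not from Elastic or the advisory) that checks a constructed host inventory against the CVE-2025-37735 ranges and flags which affected hosts at least have the Windows 11 24H2 interim hardening. The inventory, the `defend_version` and `os_build` field names, and the mapping of 24H2 to OS build 26100 are assumptions of the example, not values from the article.

```python
"""Triage a constructed Elastic Defend inventory against CVE-2025-37735 (ESA-2025-23)."""

# Affected ranges and fixed releases exactly as stated in the advisory.
AFFECTED_RANGES = [((0, 0, 0), (8, 19, 5)), ((9, 0, 0), (9, 1, 5))]
FIXED_VERSIONS = [(8, 19, 6), (9, 1, 6), (9, 2, 0)]
# Assumption: Windows 11 24H2 ships as OS build 26100 (not stated in the article).
WIN11_24H2_BUILD = 26100


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '8.19.5' (ignoring any '-SNAPSHOT' style suffix) into a comparable tuple."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Elastic Defend version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls inside either advisory range (inclusive)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str:
    """Smallest fixed release on the host's current major line; 9.2.0 if none."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if fixed[0] == v[0] and fixed >= v:
            return ".".join(map(str, fixed))
    return "9.2.0"


def triage(hosts: list[dict]) -> list[tuple[str, str, str]]:
    """One (hostname, status, action) row per affected host; patched hosts are skipped."""
    findings = []
    for host in hosts:
        if not is_affected(host["defend_version"]):
            continue
        interim = host["os_build"] >= WIN11_24H2_BUILD  # 24H2 hardening present?
        status = "affected, interim hardening present" if interim else "affected, no interim hardening"
        findings.append((host["hostname"], status, f"upgrade to {recommended_fix(host['defend_version'])}"))
    return findings


SAMPLE_HOSTS = [  # constructed inventory for the demonstration
    {"hostname": "ws-01", "defend_version": "8.19.5", "os_build": 26100},
    {"hostname": "ws-02", "defend_version": "9.1.5", "os_build": 22631},
    {"hostname": "ws-03", "defend_version": "9.1.6", "os_build": 22631},
    {"hostname": "ws-04", "defend_version": "9.2.0", "os_build": 26100},
    {"hostname": "ws-05", "defend_version": "8.18.2", "os_build": 19045},
]

if __name__ == "__main__":
    for name, status, action in triage(SAMPLE_HOSTS):
        print(f"{name}: {status}; {action}")
```

In practice the inventory would come from Fleet or an asset database rather than the inline list; the range logic stays the same.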
