Elastic Cloud Enterprise Flaw Lets Attackers Run Malicious Commands

Elastic has released a critical security update for Elastic Cloud Enterprise (ECE) addressing a template engine injection flaw that could allow attackers with admin privileges to execute arbitrary commands and exfiltrate sensitive data.

Tracked as CVE-2025-37729 and rated CVSS 9.1 (Critical), the issue affects ECE versions 2.5.0 through 3.8.1 and 4.0.0 through 4.0.1.

Users are urged to upgrade immediately to ECE 3.8.2 or 4.0.2, as no workarounds are available.

The vulnerability stems from improper neutralization of special elements in a template engine context, specifically where Jinjava variables are evaluated.

Field              Details
CVE ID             CVE-2025-37729
Severity           CVSSv3.1 9.1 (Critical)
CVSS Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Products  Elastic Cloud Enterprise (ECE)
Affected Versions  2.5.0–3.8.1; 4.0.0–4.0.1

An authenticated ECE admin can craft payloads in submitted deployment plans that get evaluated, enabling code execution.

The output can be read back via ingested logs when the Logging+Metrics feature is enabled, which turns the platform into a feedback channel for the attacker’s commands and exfiltrated data.

Exploitation requires two conditions: access to the ECE admin console and access to a deployment with Logging+Metrics enabled.

While the privilege requirement is high, the impact is severe due to the scope change and high confidentiality, integrity, and availability impact noted in the CVSS vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

This means a network-reachable attacker with admin rights does not need user interaction to pivot, issue commands, and potentially impact multiple components through the control plane.

Elastic advises customers to upgrade to the fixed releases without delay. There are no mitigations or configuration-based workarounds for vulnerable versions.

For detection, Elastic recommends monitoring request logs for malicious payload names using the query: (payload.name : int3rpr3t3r or payload.name : forPath).

These strings can indicate attempts to abuse the Jinjava evaluation path for code injection and command execution.

Administrators should also review past logs for suspicious plan submissions and unexpected task outputs in Logging+Metrics pipelines.
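As an added example (not code from the advisory or from Elastic's own tooling), the following Python applies the two indicator strings from Elastic's recommended query to JSON request-log lines offline, so past logs can be triaged without a running cluster. The sample log lines and their field layout are constructed for illustration; the only assumption taken from the advisory is that each request record exposes a payload.name field.

```python
import json

# Indicator strings from Elastic's advisory query:
# (payload.name : int3rpr3t3r or payload.name : forPath)
SUSPICIOUS_PAYLOAD_NAMES = frozenset({"int3rpr3t3r", "forPath"})


def get_field(record, dotted_path):
    """Resolve a dotted field name such as 'payload.name' against one record.

    Handles both a nested {"payload": {"name": ...}} layout and a flat
    {"payload.name": ...} layout, since log shippers differ on which they emit.
    """
    if dotted_path in record:
        return record[dotted_path]
    current = record
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def find_suspicious_requests(log_lines):
    """Return [(line_number, record)] for JSON lines whose payload.name matches."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines are skipped, never treated as matches
        name = get_field(record, "payload.name")
        if isinstance(name, str) and name in SUSPICIOUS_PAYLOAD_NAMES:
            hits.append((lineno, record))
    return hits


# Constructed sample request-log lines (not real ECE logs); only the field
# names used by the advisory's query matter for this demonstration.
SAMPLE_LOG = [
    '{"@timestamp":"2025-10-10T12:00:00Z","user":"admin","payload":{"name":"kibana-plan","kind":"plan"}}',
    '{"@timestamp":"2025-10-10T12:00:05Z","user":"admin","payload":{"name":"int3rpr3t3r","kind":"plan"}}',
    'not a json line',
    '{"@timestamp":"2025-10-10T12:00:09Z","user":"admin","payload.name":"forPath"}',
    '{"@timestamp":"2025-10-10T12:00:12Z","user":"admin","payload":{"kind":"plan"}}',
]

if __name__ == "__main__":
    for lineno, rec in find_suspicious_requests(SAMPLE_LOG):
        print(f"line {lineno}: user={rec.get('user')} payload.name={get_field(rec, 'payload.name')}")
```

A hit only indicates that a plan submission used one of the names from Elastic's query; the matching record's user and timestamp are the starting point for reviewing what that admin session submitted.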

Organizations operating ECE should prioritize patching, validate that admin access is restricted and audited, and temporarily disable Logging+Metrics on high-risk deployments if an immediate upgrade is not operationally feasible.
