Beats (Windows Installer) 8.18.6, 8.19.3, 9.0.6, & 9.1.0 Security Update (ESA-2025-12)

Beats Uncontrolled Search Path Element can lead to Local Privilege Escalation (LPE) when using the Windows Installer (ESA-2025-12)

An uncontrolled search path element vulnerability can lead to local privilege escalation (LPE) via insecure directory permissions. The vulnerability arises from improper handling of directory permissions. An attacker with local access may exploit this flaw to move and delete arbitrary files, potentially gaining SYSTEM privileges.

Affected Versions:

Beats up to and including 8.18.5, from version 8.19.0 up to and including 8.19.2, from version 9.0.0 up to and including 9.0.5.

Affected Configurations:

The issue only affects Beats when installed through the install-service script for Windows, for example when Filebeat is installed using .\install-service-filebeat.ps1.

Note: Elastic Agent is NOT affected because the Beats are installed in a different path: C:\Program Files\Elastic\Agent

Solutions and Mitigations:

The issue is resolved in version 9.1.0.

A maintenance release will be made available for versions 8.18.6, 8.19.3, and 9.0.6.

For Users that Cannot Upgrade:

To resolve the issue for users that cannot upgrade, Beats can be uninstalled and re-installed using the install script from a patched version.

Note: Beats keeps its state in the data path. When re-installing Beats, users need to make sure they have permissions to move the Beats data folder to the new location in C:\Program Files. The new installation script will move the data folder. In the event the script fails, the user will need to manually copy the data folder; such a failure is likely due to a permission error.

Step-by-step using Filebeat as an example:

  1. Download the latest Filebeat (e.g. 9.1.1)
  2. Start PowerShell as administrator
  3. Stop the Filebeat service: stop-service filebeat
  4. Extract the downloaded Filebeat archive: Expand-Archive .\filebeat-9.1.1-windows-x86_64.zip
  5. Copy the install script onto the current Filebeat installation: cp .\filebeat-9.1.1-windows-x86_64\filebeat-9.1.1-windows-x86_64\install-service-filebeat.ps1 'C:\Program Files\Filebeat\install-service-filebeat.ps1'
  6. Uninstall the Windows service: .\uninstall-service-filebeat.ps1
  7. Re-install using the new script: & 'C:\Program Files\Filebeat\install-service-filebeat.ps1'
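
To check the result after re-installing, the following PowerShell function lists directory ACL entries that let a principal outside a trusted set write, delete or re-permission anything under the installation path. It is an added example, not Elastic's code and not part of the advisory. The function name, the trusted SID list and the choice of rights are assumptions, since the advisory does not state which directory or permission was at fault.

```powershell
# Added example (not from the advisory). Run from an elevated PowerShell session.
function Get-NonAdminWritableAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: only these principals should hold write-type rights.
        [string[]]$TrustedSid = @(
            'S-1-5-18',      # NT AUTHORITY\SYSTEM
            'S-1-5-32-544',  # BUILTIN\Administrators
            'S-1-3-0',       # CREATOR OWNER (inherit-only placeholder)
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
        )
    )
    # Rights that allow creating, replacing, moving or deleting content,
    # or changing the ACL itself.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # ACEs can also carry raw generic bits: GENERIC_WRITE and GENERIC_ALL.
    $mask = [int]$rights -bor 0x40000000 -bor 0x10000000

    # The root directory plus every directory below it.
    $dirs = @(Get-Item -LiteralPath $Path -Force) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Ask for SIDs so unresolvable or renamed accounts still compare correctly.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSid -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Path taken from the advisory's Filebeat example; no output means no findings.
Get-NonAdminWritableAce -Path 'C:\Program Files\Filebeat' | Format-Table -AutoSize
```

Any row returned names a directory where an account outside the trusted set holds a write-type right and should be reviewed before the service is started again.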

Severity: CVSSv3.1: 7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2025-25011

________________________________________________________________________________________________

Change log

2025-08-21:

  • Updated “Affected Versions” to coincide with the maintenance releases
  • Updated wording on the “Affected Configurations” to clearly state this is caused by the Windows install script. Stated that Elastic Agent is not affected
  • Updated “Solutions and Mitigations” to include the maintenance release versions
  • Added section “For Users that Cannot Upgrade” with guidance on how to use the patched install script with an older version of the product