Elastic Cloud Enterprise (ECE) 3.8.3 and 4.0.3 Security Update (ESA-2025-22)

Elastic Cloud Enterprise Improper Authorization (ESA-2025-22)

Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation: the built-in readonly user can call APIs that it should not be permitted to call. The APIs affected by this issue are:

post:/platform/configuration/security/service-accounts
delete:/platform/configuration/security/service-accounts/{user_id}
patch:/platform/configuration/security/service-accounts/{user_id}
post:/platform/configuration/security/service-accounts/{user_id}/keys
delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}
patch:/user
post:/users
post:/users/auth/keys
delete:/users/auth/keys
delete:/users/auth/keys/_all
delete:/users/auth/keys/{api_key_id}
delete:/users/{user_id}/auth/keys
delete:/users/{user_id}/auth/keys/{api_key_id}
delete:/users/{user_name}
patch:/users/{user_name}

Affected Versions:

Elastic Cloud Enterprise versions after 3.8.0 up to and including 3.8.2

Elastic Cloud Enterprise versions after 4.0.0 up to and including 4.0.2

Affected Configurations:

This issue affects all ECE users.

Solutions and Mitigations:

Users should upgrade to version 3.8.3 or 4.0.3. In addition to the upgrade, Elastic Cloud Enterprise users should investigate whether any users or service accounts were created by the readonly user and delete them where appropriate. The following tooling offers this functionality. Elastic advises extreme caution while deleting users, to ensure that only the necessary ones are deleted.

For Users that Cannot Upgrade:

Users that cannot upgrade should also use the provided tooling to list users or service accounts that were created by the readonly user and delete them where appropriate.

Severity: CVSSv3.1 8.8 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2025-37736