Elastic Defend 8.19.6, 9.1.6, and 9.2.0 Security Update (ESA-2025-23)

Elastic Defend Improper Preservation of Permissions (ESA-2025-23)

Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation.

Affected Versions:
Versions up to and including 8.19.5, and versions from 9.0.0 up to and including 9.1.5.

Affected Configurations:

This affects Windows systems only, including Windows Server. Defend on Linux and macOS hosts is not affected.

Solutions and Mitigations:

Users should upgrade to version 8.19.6, 9.1.6, or 9.2.0.

For Users that Cannot Upgrade:

Windows 11 24H2 includes changes which make this issue harder to exploit. Users who are unable to upgrade Defend should consider upgrading to Windows 11 24H2 or later. Note that this reduces exploitability but does not fix the underlying issue; upgrading Defend remains the only complete remediation.
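The following PowerShell script is an added example for triaging a Windows host against this advisory; it is not part of the Elastic advisory or of Elastic's tooling. It encodes the affected ranges and fixed versions stated above, reads the installed Defend version from the endpoint binary's version resource, and reports whether the host is on a build where the advisory says exploitation is harder. The install path `C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe` is an assumed default and should be adjusted for non-default deployments.

```powershell
# Added example, not part of the Elastic advisory: classify a Windows host
# against ESA-2025-23 (CVE-2025-37735). Assumptions are marked as such.

# Affected version ranges as stated in the advisory.
$AffectedRanges = @(
    @{ Min = [version]'0.0.0'; Max = [version]'8.19.5' },
    @{ Min = [version]'9.0.0'; Max = [version]'9.1.5' }
)

# Windows 11 24H2 ships as OS build 26100. The advisory states this release
# makes the issue harder to exploit; it does not call it a fix.
$HardenedBuild = 26100

function Test-DefendAffected {
    param([Parameter(Mandatory)][version]$DefendVersion)
    foreach ($r in $AffectedRanges) {
        if ($DefendVersion -ge $r.Min -and $DefendVersion -le $r.Max) { return $true }
    }
    return $false
}

function Get-DefendVersion {
    # ASSUMPTION: default install location of the Elastic Endpoint (Defend) binary.
    $exe = Join-Path $env:ProgramFiles 'Elastic\Endpoint\elastic-endpoint.exe'
    if (-not (Test-Path -LiteralPath $exe)) { return $null }
    # Read the binary's version resource rather than parsing CLI output, and keep
    # only major.minor.patch so suffixes or build metadata do not break the cast.
    $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
    if ($raw -match '(\d+)\.(\d+)\.(\d+)') {
        return [version]('{0}.{1}.{2}' -f $Matches[1], $Matches[2], $Matches[3])
    }
    return $null
}

function Get-HostAssessment {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $build   = [int]$os.BuildNumber
    $version = Get-DefendVersion

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DefendVersion  = $version
        OSBuild        = $build
        IsServer       = ($os.ProductType -ne 1)   # 1 = workstation, 2 = DC, 3 = server
        Affected       = $false
        Recommendation = 'Elastic Defend not found at the assumed path; verify manually.'
    }

    if ($null -eq $version) { return $result }

    if (Test-DefendAffected -DefendVersion $version) {
        $result.Affected = $true
        # 8.x hosts go to 8.19.6; 9.0.0-9.1.5 hosts go to 9.1.6 (or 9.2.0).
        $fixed = if ($version.Major -lt 9) { '8.19.6' } else { '9.1.6' }

        # The advisory only says Windows 11 24H2 or later raises exploitation cost;
        # it makes no equivalent statement for Windows Server, so Server hosts get no such note.
        if (-not $result.IsServer -and $build -ge $HardenedBuild) {
            $result.Recommendation = "Affected; upgrade Defend to $fixed. Host runs build $build (24H2 or later), which the advisory says makes exploitation harder but does not fix the issue."
        } else {
            $result.Recommendation = "Affected; upgrade Defend to $fixed. If that is not yet possible, consider Windows 11 24H2 or later where applicable."
        }
    } else {
        $result.Recommendation = 'Not in an affected range.'
    }
    return $result
}

Get-HostAssessment | Format-List
```

Run it from an elevated PowerShell session on each host, or wrap `Get-HostAssessment` in `Invoke-Command` for a fleet-wide sweep; the object output is suitable for `Export-Csv`. Because the version is read from the file's version resource, a host where the Defend service is stopped or the binary has been tampered with may still report a version, so treat a mismatch between this result and what Fleet reports as something to investigate rather than ignore.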

Severity: CVSSv3.1: 7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2025-37735

______________________________________________________________

Changelog:

  • 2025-11-17: Added Section “Affected Configurations” highlighting that this can affect Windows Server