Elastic Defend 8.19.6, 9.1.6, and 9.2.0 Security Update (ESA-2025-23)

Elastic Defend Improper Preservation of Permissions (ESA-2025-23)

Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation.

Affected Versions:
Versions up to and including 8.19.5, and versions from 9.0.0 up to and including 9.1.5.

Solutions and Mitigations:

Users should upgrade to version 8.19.6, 9.1.6, or 9.2.0.

For Users that Cannot Upgrade:

Windows 11 24H2 includes changes which make this issue harder to exploit. Users who are unable to upgrade Defend should consider upgrading to Windows 11 24H2 or later.
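The affected and fixed version ranges above are easy to misread during a fleet review (the 8.x line is affected all the way down, while only 9.0.0 through 9.1.5 is affected on 9.x). The following is an added triage helper, not Elastic's code, that encodes exactly the ranges and fixed releases stated in this advisory and flags which hosts in an inventory still need an upgrade. The inventory is a constructed sample; in practice the version strings would come from Fleet or from querying the endpoint on each host. The Windows build number 26100 for 24H2 is not from the advisory and is used only to mark hosts where the OS hardening the advisory mentions is present.

```python
"""Triage helper for ESA-2025-23 (CVE-2025-37735).

Added example, not Elastic's code. Encodes the advisory's stated ranges:
  affected: <= 8.19.5, and 9.0.0 <= v <= 9.1.5
  fixed:    8.19.6, 9.1.6, 9.2.0
"""
from typing import Optional

# Windows 11 24H2 ships as build 26100 (assumption for this example; the
# advisory only says 24H2 makes the issue harder to exploit, not that it fixes it).
WIN11_24H2_BUILD = 26100


def parse_version(v: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (any '-suffix' is ignored) into ints.

    Raises ValueError on anything else, so a malformed inventory row is
    surfaced instead of silently treated as 'not affected'.
    """
    core = v.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Elastic Defend version: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(v: str) -> bool:
    """True if the Defend version falls inside an affected range from the advisory."""
    t = parse_version(v)
    if t <= (8, 19, 5):               # "versions up to and including 8.19.5"
        return True
    if (9, 0, 0) <= t <= (9, 1, 5):   # "9.0.0 up to and including 9.1.5"
        return True
    return False


def recommended_fix(v: str) -> Optional[str]:
    """Smallest fixed release on the host's current major line, or None if not affected."""
    if not is_affected(v):
        return None
    major = parse_version(v)[0]
    return "8.19.6" if major <= 8 else "9.1.6"


def os_hardening_present(windows_build: int) -> bool:
    """True if the host runs Windows 11 24H2 or later (harder to exploit, per the advisory)."""
    return windows_build >= WIN11_24H2_BUILD


def triage(inventory: list[tuple[str, str, int]]) -> dict[str, dict]:
    """Map hostname -> {'affected', 'fix', 'os_hardened'} for each inventory row.

    Each row is (hostname, defend_version, windows_build).
    """
    report: dict[str, dict] = {}
    for host, version, build in inventory:
        report[host] = {
            "affected": is_affected(version),
            "fix": recommended_fix(version),
            "os_hardened": os_hardening_present(build),
        }
    return report


# Constructed sample inventory (hostnames, versions and builds are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "8.19.5", 22631),           # affected, older Windows 11 (23H2)
    ("ws-02", "9.1.5-SNAPSHOT", 26100),   # affected, but on 24H2
    ("ws-03", "9.2.0", 26100),            # fixed
    ("srv-01", "8.17.2", 20348),          # affected, Windows Server 2022
]

if __name__ == "__main__":
    for host, row in triage(SAMPLE_INVENTORY).items():
        status = f"upgrade to {row['fix']}" if row["affected"] else "ok"
        hardened = " (24H2 hardening present)" if row["os_hardened"] else ""
        print(f"{host}: {status}{hardened}")
```

Hosts reported as affected but `os_hardened` are still vulnerable and should be scheduled for the Defend upgrade; the OS flag only helps prioritise which hosts to patch first.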

Severity: CVSSv3.1: 7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2025-37735
