Elastic Cloud Enterprise Flaw Lets Attackers Run Malicious Commands
gbhackers

Elastic has released a critical security update for Elastic Cloud Enterprise (ECE) addressing a template engine injection flaw that could allow attackers with admin privileges to execute arbitrary commands and exfiltrate sensitive data.
Tracked as CVE-2025-37729 and rated CVSS 9.1 (Critical), the issue affects ECE versions 2.5.0 through 3.8.1 and 4.0.0 through 4.0.1.
Users are urged to upgrade immediately to ECE 3.8.2 or 4.0.2, as no workarounds are available.
The vulnerability stems from improper neutralization of special elements in a template engine context, specifically where Jinjava variables are evaluated.
| Field | Details |
| --- | --- |
| CVE ID | CVE-2025-37729 |
| Severity | CVSSv3.1 9.1 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Affected Products | Elastic Cloud Enterprise (ECE) |
| Affected Versions | 2.5.0–3.8.1; 4.0 ... |
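For an operator checking a fleet against this advisory, the following added example (not Elastic's code) flags ECE versions inside the affected ranges stated above and names the fixed release to move to; the host inventory in it is constructed.

```python
# Added example: flag ECE versions in the ranges the advisory lists as affected
# by CVE-2025-37729 and name the fixed release to move to. Ranges and fixed
# versions come from the article; the host inventory below is constructed.
from typing import Optional

# (first affected, last affected, fixed release), inclusive, from the advisory
AFFECTED_RANGES = [
    ((2, 5, 0), (3, 8, 1), "3.8.2"),
    ((4, 0, 0), (4, 0, 1), "4.0.2"),
]


def parse_version(text: str) -> tuple:
    """Turn '3.8.1' (optionally with a '-suffix') into a comparable tuple."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad '4.0' to (4, 0, 0)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release if `version` is in an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def triage(inventory: dict) -> dict:
    """Map each affected host to the ECE release it should be upgraded to."""
    return {host: fixed for host, ver in inventory.items()
            if (fixed := fixed_version_for(ver)) is not None}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not from the article.
    sample = {"ece-a": "3.7.0", "ece-b": "3.8.2", "ece-c": "4.0.1", "ece-d": "2.4.9"}
    for host, fixed in triage(sample).items():
        print(f"{host}: affected, upgrade to ECE {fixed}")
```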
Copyright of this story solely belongs to gbhackers.