CVE-2024-52976

4.4 MEDIUM

📋 TL;DR

This vulnerability allows local attackers with the ability to modify osqueryd configurations to execute arbitrary code via parameter injection in Elastic Agent's subprocess. It affects Elastic Agent installations where osqueryd is configured and accessible to local users. Attackers need existing local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Elastic Agent
Versions: before 7.17.25 (7.x branch) and before 8.15.4 (8.x branch)
Operating Systems: All supported platforms (Linux, Windows, macOS)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when osqueryd is configured and local users have write access to osqueryd configuration files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation leading to full system compromise, data exfiltration, or lateral movement within the network.

🟠 Likely Case

Local user gains elevated privileges or executes unauthorized code within the Elastic Agent context, potentially accessing sensitive data.

🟢 If Mitigated

Limited impact due to proper access controls preventing local users from modifying osqueryd configurations.

🌐 Internet-Facing: LOW - Requires local access, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local attackers with configuration modification privileges can exploit, but requires specific access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to modify osqueryd configurations; parameter injection technique needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.17.25 and 8.15.4

Vendor Advisory: https://discuss.elastic.co/t/elastic-agent-7-17-25-and-8-15-4-security-update-esa-2024-39/377708

Restart Required: Yes

Instructions:

1. Download Elastic Agent 7.17.25 or 8.15.4 from Elastic's official distribution channels.
2. Stop the Elastic Agent service.
3. Install the updated version.
4. Restart the Elastic Agent service.

🔧 Temporary Workarounds

Restrict osqueryd configuration access (platform: linux)

Limit write permissions on osqueryd configuration files to trusted users only.

  chmod 640 /etc/osquery/osquery.conf
  chown root:osquery /etc/osquery/osquery.conf
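The permission change above is only useful if it sticks; the following added example (not part of this advisory) reports whether a configuration file is still writable by its group or by everyone, so the workaround can be verified on a schedule. It parses the permission column of `ls -ld`, which has the same layout on Linux and macOS, and treats a missing file as its own result rather than an error.

```shell
# Added example, not part of the advisory: report how far a config file's
# permission bits expose it to modification by group or other users.
# `ls -ld` is used because its permission column is the same on Linux and
# macOS, whereas stat(1) takes different flags on each platform.
config_write_exposure() {
  f="$1"
  [ -e "$f" ] || { echo missing; return 0; }
  mode=$(ls -ld "$f" | cut -c1-10)      # e.g. "-rw-r-----"
  group_w=$(printf '%s' "$mode" | cut -c6)
  other_w=$(printf '%s' "$mode" | cut -c9)
  if [ "$other_w" = w ]; then
    echo world-writable
  elif [ "$group_w" = w ]; then
    echo group-writable
  else
    echo owner-only
  fi
}

# Stand-alone use: check the path the workaround above hardens.
config_write_exposure /etc/osquery/osquery.conf
```

Anything other than `owner-only` (or `missing`, if osqueryd is not deployed) means the workaround has not been applied or has been undone. Group-writable is listed separately because `chown root:osquery` with mode 640 deliberately leaves the osquery group read access; a mode of 660 would reopen the problem for every member of that group.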

Disable osqueryd if not needed (platform: all)

Remove or disable the osqueryd integration in the Elastic Agent configuration.

  Remove the osqueryd configuration from elastic-agent.yml

🧯 If You Can't Patch

  • Implement strict access controls on osqueryd configuration files to prevent unauthorized modifications.
  • Monitor for suspicious modifications to osqueryd configuration files and Elastic Agent subprocess activity.

🔍 How to Verify

Check if Vulnerable:

Check the Elastic Agent version, and verify whether osqueryd is configured and its configuration files are writable by local users.

Check Version:

elastic-agent version

Verify Fix Applied:

Confirm Elastic Agent version is 7.17.25 or higher for 7.x, or 8.15.4 or higher for 8.x.
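Because the fix lands on two release branches, a plain "is the version at least X" test is not enough: 8.14.x is older than 8.15.4 yet newer than 7.17.25. The following added example (not from the advisory or from Elastic) classifies a version string against both fixed releases. The `elastic-agent version` output line it parses is a constructed sample whose shape is assumed, so adjust `version_from_line` if your build prints the version differently.

```shell
# Added example, not from the advisory: classify an Elastic Agent version
# against the fixed releases (7.17.25 for 7.x, 8.15.4 for 8.x).
# Return status: 0 = fixed, 1 = affected, 2 = version string not understood.
# Majors above 8 are treated as fixed since the affected ranges end at 8.15.4.

# at_least MINOR PATCH FIX_MINOR FIX_PATCH: 0 when MINOR.PATCH >= FIX_MINOR.FIX_PATCH
at_least() {
  [ "$1" -gt "$3" ] && return 0
  [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ] && return 0
  return 1
}

is_fixed_version() {
  v="$1"
  case "$v" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) return 2 ;;
  esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%[!0-9]*}       # drop suffixes such as "-SNAPSHOT"
  case "$minor$patch" in *[!0-9]*|'') return 2 ;; esac
  case "$major" in
    7) at_least "$minor" "$patch" 17 25 ;;
    8) at_least "$minor" "$patch" 15 4 ;;
    *) [ "$major" -gt 8 ] && return 0; return 2 ;;
  esac
}

# version_from_line LINE: pull the first x.y.z token out of one line of
# `elastic-agent version` output (output shape assumed, not verified here).
version_from_line() {
  printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# classify_version VERSION: print fixed, affected or unknown.
classify_version() {
  rc=0
  is_fixed_version "$1" || rc=$?
  case "$rc" in
    0) echo fixed ;;
    1) echo affected ;;
    *) echo unknown ;;
  esac
}

# Constructed sample line (assumed shape of one line of `elastic-agent version` output).
SAMPLE_LINE='Binary: 8.15.3 (build: 0000000 at 2024-01-01T00:00:00Z)'
classify_version "$(version_from_line "$SAMPLE_LINE")"   # prints: affected
```

On a live host, replace the sample line with `elastic-agent version | head -n 1` (or whichever line carries the binary version). An `unknown` result means the version string did not parse, not that the host is safe; treat it as a check failure.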

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized modifications to osqueryd configuration files
  • Unexpected subprocess execution from Elastic Agent

Network Indicators:

  • Unusual outbound connections from Elastic Agent processes

SIEM Query:

process.name:osqueryd AND event.action:executed AND user.name NOT IN (trusted_users)

🔗 References
