CVE-2025-0712

7.0 HIGH

📋 TL;DR

This CVE describes an uncontrolled search path element vulnerability in the Elastic Beats Windows installer that allows local privilege escalation. An attacker with local access can abuse insecure directory permissions to move and delete arbitrary files, potentially gaining SYSTEM privileges. It affects Elastic Beats users on Windows systems.

💻 Affected Systems

Products:
  • Elastic Beats
Versions: Windows installer versions prior to 9.1.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations via the installer. Linux/macOS versions are not affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement capabilities.

🟠 Likely Case

Local authenticated user escalates to SYSTEM privileges, allowing installation of malware, credential harvesting, and bypassing security controls.

🟢 If Mitigated

With proper directory permissions and least privilege principles, exploitation requires administrative access, significantly reducing attack surface.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain SYSTEM privileges and move laterally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access and knowledge of vulnerable directory paths. Exploitation involves manipulating directory permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.1.0

Vendor Advisory: https://discuss.elastic.co/t/beats-windows-installer-9-1-0-security-update-esa-2025-12/380558

Restart Required: Yes

Instructions:

  1. Download Elastic Beats 9.1.0 or later from the official Elastic repository.
  2. Uninstall the previous, vulnerable version.
  3. Install the updated version.
  4. Restart the system to ensure the changes take effect.

🔧 Temporary Workarounds

Restrict directory permissions (Windows)

Manually secure the installation directory with proper ACLs to prevent unauthorized write access.

icacls "C:\Program Files\Elastic\Beats" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"

Use least privilege accounts (Windows)

Ensure Elastic Beats services run with minimal necessary privileges, not as SYSTEM.

sc config "beats-service-name" obj= "NT AUTHORITY\LocalService"

🧯 If You Can't Patch

  • Implement strict directory permissions on Elastic Beats installation paths
  • Monitor for suspicious file operations in Elastic Beats directories using file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check the installed Elastic Beats version with the 'beats-version' command, or look it up in Windows Programs and Features. Versions below 9.1.0 are vulnerable.

Check Version:

beats-version

Verify Fix Applied:

Verify that the version is 9.1.0 or higher using the 'beats-version' command, and check that directory permissions on the installation path are properly restricted.
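The directory-permission check above is easy to get wrong by eye, so here is a PowerShell audit that walks the installation directory and reports every Allow ACE granting write, delete, rename or ownership rights to identities outside a trusted set. This is an added example, not part of this advisory and not Elastic tooling; it assumes the default install path used in the icacls workaround and a trusted-identity list you may need to tune. The findings it returns are exactly the kind of insecure directory permissions this CVE describes; an empty result means none were found.

```powershell
# Added example: not part of this advisory or of Elastic's own tooling.
# Audits a Beats installation directory (and its subdirectories) for Allow
# ACEs that let identities other than the trusted set write, delete, rename
# or take ownership. Assumptions: the default install path from the icacls
# workaround above, and the trusted-identity list below (tune it as needed).

function Get-LowPrivilegedWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Identities whose write access is expected; anything else is reported.
        [string[]]$TrustedIdentities = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller'
        )
    )

    # Rights that allow changing the directory's contents or its ACL.
    # (Rename is delete + create, so Delete covers it.)
    $riskyRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    # The root directory plus every subdirectory beneath it.
    $directories = @(Get-Item -LiteralPath $Path) +
                   @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $directories) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedIdentities -contains $ace.IdentityReference.Value) { continue }
            # -band on the enum's integer value; non-zero means at least one
            # risky right is granted to this identity.
            if (([int]$ace.FileSystemRights -band [int]$riskyRights) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Run against the default install path; an empty table means no finding.
Get-LowPrivilegedWriteAccess -Path 'C:\Program Files\Elastic\Beats' | Format-Table -AutoSize
```

Run it once before and once after applying the icacls workaround (or the 9.1.0 installer): entries for BUILTIN\Users, Authenticated Users or Everyone with Write, Modify or FullControl should disappear. Inherited ACEs are reported too, since an insecure parent directory is what typically leaks write access into the install path.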

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file operations in Elastic Beats directories
  • Privilege escalation attempts from Beats service accounts
  • Unexpected process creation from Beats directories

Network Indicators:

  • None - this is a local privilege escalation vulnerability

SIEM Query:

EventID=4688 AND (NewProcessName contains "beats" OR ParentProcessName contains "beats") AND SubjectUserName != "SYSTEM"
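The SIEM query above is pseudo-syntax; mapping it onto real Windows Security event 4688 records means reading NewProcessName, ParentProcessName and SubjectUserName out of each event's EventData. The PowerShell below does that and applies the rule, and is an added example rather than code from this advisory or from Elastic. It makes one assumption beyond the page's rule: processes started by SYSTEM are logged under the computer account (for example HOST$), so that subject is treated as SYSTEM as well. The sample records at the bottom are constructed, not real telemetry.

```powershell
# Added example: not part of this advisory or of Elastic's code. Implements the
# SIEM rule above against Security event 4688 (process creation) records given
# as event XML, so the same function works on live Get-WinEvent output or on
# exported/constructed records. Assumption beyond the page's rule: SYSTEM
# launches are logged under the computer account (HOST$), treated as SYSTEM here.

function Get-EventDataValue {
    param([Parameter(Mandatory)][xml]$EventXml, [Parameter(Mandatory)][string]$Name)
    # <Data Name="...">value</Data> entries under <EventData>.
    $node = @($EventXml.Event.EventData.Data) |
            Where-Object { $_.Name -eq $Name } |
            Select-Object -First 1
    if ($null -eq $node) { return '' }
    return [string]$node.'#text'
}

function Test-SuspiciousBeatsProcessEvent {
    param([Parameter(Mandatory)][xml]$EventXml)

    # EventID is a bare string for modern events, an element with attributes for classic ones.
    $idNode  = $EventXml.Event.System.EventID
    $eventId = if ($idNode -is [System.Xml.XmlElement]) { [int]$idNode.'#text' } else { [int]$idNode }
    if ($eventId -ne 4688) { return $false }

    $newProcess = Get-EventDataValue -EventXml $EventXml -Name 'NewProcessName'
    $parent     = Get-EventDataValue -EventXml $EventXml -Name 'ParentProcessName'
    $subject    = Get-EventDataValue -EventXml $EventXml -Name 'SubjectUserName'

    # -like and -eq are case-insensitive in PowerShell, which suits Windows paths.
    $beatsInvolved = ($newProcess -like '*beats*') -or ($parent -like '*beats*')
    $isSystem      = ($subject -eq 'SYSTEM') -or ($subject -match '\$$')   # HOST$ = computer account
    return ($beatsInvolved -and -not $isSystem)
}

# Constructed sample records (not real telemetry).
# A user launching a Beat binary: should match.
$userLaunch = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><Computer>WS01.example.test</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="NewProcessName">C:\Program Files\Elastic\Beats\winlogbeat\winlogbeat.exe</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
# The service starting normally under the computer account: should not match.
$serviceLaunch = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><Computer>WS01.example.test</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">WS01$</Data>
    <Data Name="NewProcessName">C:\Program Files\Elastic\Beats\winlogbeat\winlogbeat.exe</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\services.exe</Data>
  </EventData>
</Event>
'@
# Unrelated process creation: should not match.
$unrelated = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><Computer>WS01.example.test</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@

$results = foreach ($record in @($userLaunch, $serviceLaunch, $unrelated)) {
    $xml = [xml]$record
    [pscustomobject]@{
        Subject    = Get-EventDataValue -EventXml $xml -Name 'SubjectUserName'
        NewProcess = Get-EventDataValue -EventXml $xml -Name 'NewProcessName'
        Matches    = Test-SuspiciousBeatsProcessEvent -EventXml $xml
    }
}
$results | Format-Table -AutoSize

# Live use (elevated shell, with process-creation auditing enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#     ForEach-Object { [xml]$_.ToXml() } |
#     Where-Object { Test-SuspiciousBeatsProcessEvent -EventXml $_ }
```

Only the first constructed record matches. Expect some noise from administrators legitimately running Beat binaries by hand; tune by excluding known admin accounts or the installer's own parent process rather than by widening the SYSTEM exclusion.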
