CVE-2025-37736
📋 TL;DR
This CVE describes an improper authorization vulnerability in Elastic Cloud Enterprise where the built-in readonly user can access privileged APIs that should be restricted. This allows privilege escalation where a low-privilege user can perform administrative actions like creating/deleting service accounts, managing API keys, and modifying user accounts. Organizations running vulnerable versions of Elastic Cloud Enterprise are affected.
💻 Affected Systems
- Elastic Cloud Enterprise
📦 What is this software?
Elastic Cloud Enterprise (ECE) is Elastic's self-managed orchestration platform for provisioning and administering Elasticsearch and Kibana deployments on infrastructure you control. It is managed through an admin console and a REST API, and the affected endpoints belong to that API.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with readonly access could create administrative service accounts, delete existing accounts, modify user permissions, and take full control of the Elastic Cloud Enterprise deployment.
Likely Case
Malicious insiders or compromised readonly accounts could escalate privileges to perform unauthorized administrative actions, potentially disrupting operations or exfiltrating sensitive data.
If Mitigated
With proper network segmentation and access controls, the impact is limited to authorized users who already have some level of access to the system.
🎯 Exploit Status
Exploitation requires authenticated access as the readonly user. The vulnerability is in authorization logic, making exploitation straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.8.3 and 4.0.3
Vendor Advisory: https://discuss.elastic.co/t/elastic-cloud-enterprise-ece-3-8-3-and-4-0-3-security-update-esa-2025-22/383132
Restart Required: Yes
Instructions:
1. Back up your ECE deployment.
2. Update to ECE version 3.8.3 or 4.0.3.
3. Restart the ECE services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict readonly user access
Temporarily disable or restrict the built-in readonly user account until patching can be completed.
# Review and modify readonly user permissions in ECE configuration
# Consider disabling the account if not needed
🧯 If You Can't Patch
- Implement strict network access controls to limit ECE management interface access to trusted administrators only.
- Monitor and audit all API calls made by readonly users for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check your ECE version. If you are running a version before 3.8.3 (for 3.x) or before 4.0.3 (for 4.x), you are vulnerable.
Check Version:
ece version
Verify Fix Applied:
After updating, verify the version shows 3.8.3 or 4.0.3 and test that readonly users cannot access the affected APIs.
📡 Detection & Monitoring
Log Indicators:
- API calls to affected endpoints from readonly users
- Unauthorized service account creation/deletion
- Unexpected user permission changes
Network Indicators:
- HTTP POST/DELETE/PATCH requests to affected API paths from non-admin accounts
SIEM Query:
source="ece-logs" AND (user="readonly" AND (path IN ("/platform/configuration/security/service-accounts", "/users", "/user", "/users/auth/keys")))
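As an added example that is not part of the advisory, the following script applies the same logic as the SIEM query above to constructed, ECE-style JSON access log lines: it flags mutating calls (POST/DELETE/PATCH) by the readonly user to the listed paths. The log field names, the one-JSON-object-per-line format and the optional /api/v1 path prefix are assumptions, not ECE's documented log format.

```python
import json
# Affected API paths, as listed in the advisory's SIEM query. They are matched as
# prefixes because user and key endpoints take an id suffix (e.g. /users/<id>).
AFFECTED_PATHS = ("/platform/configuration/security/service-accounts",
                  "/users/auth/keys", "/users", "/user")
MUTATING_METHODS = {"POST", "DELETE", "PATCH"}  # verbs from the network indicators
API_PREFIXES = ("/api/v1", "")  # ASSUMPTION: logs may or may not include the API prefix

def is_affected_path(path: str) -> bool:
    """True when path is exactly an affected endpoint or a sub-resource of one."""
    for prefix in API_PREFIXES:
        for p in AFFECTED_PATHS:
            cand = prefix + p
            if path == cand or path.startswith(cand + "/") or path.startswith(cand + "?"):
                return True
    return False

def flag_events(log_lines, watched_users=("readonly",)):
    """Mutating calls by a watched user to an affected path (any HTTP status)."""
    # A 2xx means the call succeeded (vulnerable host); a 403 after patching is
    # still an attempt worth reviewing, so status is not filtered on.
    hits = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)  # ASSUMPTION: one JSON object per line
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of crashing the detector
        if (ev.get("user") in watched_users
                and str(ev.get("method", "")).upper() in MUTATING_METHODS
                and is_affected_path(str(ev.get("path", "")))):
            hits.append(ev)
    return hits

# Constructed sample log lines; the field names are an assumption, not ECE's real format.
SAMPLE_LOGS = """
{"ts":"2025-05-01T10:00:00Z","user":"readonly","method":"GET","path":"/api/v1/deployments","status":200}
{"ts":"2025-05-01T10:00:05Z","user":"readonly","method":"POST","path":"/api/v1/platform/configuration/security/service-accounts","status":201}
{"ts":"2025-05-01T10:00:09Z","user":"admin","method":"DELETE","path":"/api/v1/users/alice","status":200}
{"ts":"2025-05-01T10:00:12Z","user":"readonly","method":"PATCH","path":"/api/v1/users/alice","status":200}
{"ts":"2025-05-01T10:00:20Z","user":"readonly","method":"DELETE","path":"/api/v1/users/auth/keys/k1","status":403}
this line is not JSON and must be skipped
"""

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {ev['ts']} {ev['user']} {ev['method']} {ev['path']} -> {ev['status']}")
```

Running it against the sample flags the POST, PATCH and DELETE by readonly and ignores the admin's call and readonly's GETs; feed real lines through `flag_events` after mapping your log's field names onto `user`, `method` and `path`.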