Advisory

Critical template injection flaw in Elastic Cloud Enterprise enables remote code execution

Take action: The flaw is rated critical, but exploitation is not immediate: it requires an admin credential for the ECE admin console. Prioritize reducing the number of admin users, enforce MFA on every admin account and restrict access to the Elastic Cloud Enterprise admin interface to trusted networks. Remind admins that their credentials are a phishing target. Then schedule the upgrade, because these mitigations only raise the bar; a stolen admin credential or a malicious insider can still exploit the flaw.


Learn More

Elastic is reporting a critical vulnerability in its Elastic Cloud Enterprise (ECE) platform that could allow a malicious administrator to execute arbitrary commands and exfiltrate sensitive data from enterprise deployments.

The flaw, tracked as CVE-2025-37729 (CVSS score 9.1), is caused by improper neutralization of special elements used in the Jinjava template engine: ECE fails to sanitize specially crafted strings containing Jinjava variables when it processes deployment plans in the admin console.

An attacker with administrative privileges can inject malicious payloads into deployment plans, leading to code execution on the ECE platform. Command output can then be extracted through ingested logs, which gives the attacker a feedback channel for both data theft and further compromise. Although exploitation requires privileged access to the admin console and a deployment with the Logging+Metrics feature enabled, the flaw is still critical, especially in shared or multi-tenant environments where one compromised admin account could have a massive impact.
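The root cause above is that strings inside deployment plans are handed to a template engine instead of being treated as data. Until an environment is patched, one compensating control is to audit plans before they reach the admin console and reject any string that carries Jinjava (Jinja-style) delimiters. The following is an added example written for this advisory, not code from Elastic or from ECE; the plan layout in the sample is a constructed, simplified shape and is not ECE's real schema, and the function names are hypothetical.

```python
import json
import re
from typing import Iterator, List, Tuple

# Jinjava, like Jinja2, treats these delimiter pairs as template syntax:
# {{ }} for expressions, {% %} for statements, {# #} for comments.
# Deployment-plan fields are supposed to carry data, not templates, so any
# of them inside a plan string is suspicious.
TEMPLATE_DELIMITERS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")


def _walk(node, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string in a nested JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")


def find_template_syntax(plan) -> List[Tuple[str, str]]:
    """Return (json_path, offending_string) for every string in the plan
    that contains template delimiters, in document order."""
    return [(path, value) for path, value in _walk(plan)
            if TEMPLATE_DELIMITERS.search(value)]


def scan_plan_json(text: str) -> List[Tuple[str, str]]:
    """Same check over a raw JSON document, e.g. an exported plan file."""
    return find_template_syntax(json.loads(text))


def validate_plan(plan: dict) -> dict:
    """Reject a plan that carries template syntax; return it unchanged otherwise.
    Rejecting is the safer form of neutralization here: escaping delimiters
    correctly for a template engine is easy to get wrong."""
    findings = find_template_syntax(plan)
    if findings:
        paths = ", ".join(path for path, _ in findings)
        raise ValueError(f"template syntax found in deployment plan at: {paths}")
    return plan


# Constructed sample plans (hypothetical, simplified shape; not ECE's schema).
CLEAN_PLAN = {
    "name": "prod-search",
    "elasticsearch": {
        "version": "8.17.0",
        "user_settings_yaml": "xpack.security.audit.enabled: true\n",
    },
    "metadata": {"owner": "platform-team"},
}

SUSPICIOUS_PLAN = {
    "name": "prod-search",
    "elasticsearch": {
        "version": "8.17.0",
        "user_settings_yaml": "node.attr.zone: {{ zone }}\n",
    },
    "metadata": {"owner": "{% if admin %}platform-team{% endif %}"},
}

if __name__ == "__main__":
    for path, value in find_template_syntax(SUSPICIOUS_PLAN):
        print(f"flagged {path}: {value!r}")
    try:
        validate_plan(SUSPICIOUS_PLAN)
    except ValueError as exc:
        print("rejected:", exc)
    validate_plan(CLEAN_PLAN)
    print("clean plan accepted")
```

The check is deliberately conservative: it flags any string containing a delimiter pair, so a legitimate setting that happens to contain literal `{{` or `%}` will also be reported and must be reviewed by hand. Running it over exported plans is also a cheap way to look for templates that an attacker may already have planted, which is worth doing before and after the upgrade.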

Affected versions of Elastic Cloud Enterprise:

  • ECE versions from 2.5.0 up to and including 3.8.1
  • ECE versions from 4.0.0 up to and including 4.0.1

Versions that are not affected:

  • ECE version 3.8.2 and later versions
  • ECE version 4.0.2 and later versions

Organizations should prioritize upgrading to a patched version. Those unable to patch immediately should isolate the admin interface, enforce multi-factor authentication for all administrative accounts and minimize the number of admin accounts.