What zero-day vulnerability was discovered in Elastic's EDR software?

Cybersecurity researchers at Ashes Cybersecurity discovered a zero-day vulnerability in Elastic's Endpoint Detection and Response (EDR) software. The vulnerability affects the Microsoft-signed kernel driver 'elastic-endpoint-driver.sys' and has not been assigned a CVE number or CVSS score.

Which Elastic EDR component is affected by this vulnerability?

The vulnerability affects the Microsoft-signed kernel driver 'elastic-endpoint-driver.sys' that is part of Elastic's Endpoint Detection and Response (EDR) software.

Who discovered the Elastic EDR zero-day vulnerability?

The vulnerability was discovered by cybersecurity researchers at Ashes Cybersecurity Pvt Ltd during legitimate user-mode testing operations. The company is a paying customer of Elasticsearch EDR.

Has Elastic responded to or acknowledged this vulnerability?

No, there is no comment or acknowledgement of the issue from Elastic regarding this zero-day vulnerability in their EDR software.

Is there a patch available for the Elastic EDR vulnerability?

No, there is no patch currently available for this vulnerability. The researchers claim that all versions subsequent to 8.17.6 remain affected due to the lack of a security fix.

What makes this Elastic EDR vulnerability particularly concerning?

This vulnerability is particularly concerning because it affects security software designed to protect endpoints, allowing attackers to bypass the very security solutions meant to defend against them. The ability to gain kernel-level access and establish persistence makes this a critical security issue.

Can the Elastic EDR vulnerability be reliably exploited?

Yes, according to the researchers, the system crash caused by the NULL pointer dereference can be reliably and repeatedly triggered under specific conditions, making it a consistent attack vector.

What is the impact of the denial of service aspect of this vulnerability?

The denial of service aspect can cause system crashes through the NULL pointer dereference, potentially disrupting endpoint protection and making systems vulnerable while the EDR service is unavailable.

Why hasn't this vulnerability been assigned a CVE number?

The vulnerability has not been assigned a CVE number or CVSS score, likely because it's a recently discovered zero-day and the disclosure process with Elastic may still be ongoing, or because Elastic has not yet acknowledged the issue.

What should organizations using Elastic EDR do about this vulnerability?

Organizations using Elastic EDR should monitor for official security advisories from Elastic, implement additional security measures where possible, and be prepared to apply patches as soon as they become available. Since no patch is currently available, organizations should assess their risk and consider additional protective measures.

Advisory

Researchers report zero-day vulnerability in Elastic Endpoint Detection and Respons Driver that enables system compromise

Q: When was the Elastic EDR zero-day vulnerability discovered?

The vulnerability was discovered on June 2, 2025, during legitimate user-mode testing operations conducted by Ashes Cybersecurity Pvt Ltd, who are a paying customer of Elasticsearch EDR.

Q: Which versions of Elastic EDR are affected by this zero-day?

The affected version is 8.17.6 (the tested version). The researchers claim that all subsequent versions are currently affected since no patch is available from Elastic.

published: Aug. 17, 2025

Take action: We don't have a great advice for this one. It's an unpatched flaw in Elastic EDR. If you are using that tool, reach out to the vendor for more information.

Learn More

Cybersecurity researchers at Ashes Cybersecurity are reporting a zero-day vulnerability in Elastic's Endpoint Detection and Response (EDR) software.

The vulnerability, (no CVE, no CVSS score), affects the Microsoft-signed kernel driver "elastic-endpoint-driver.sys". It was on June 2, 2025, during legitimate user-mode testing operations conducted by Ashes Cybersecurity Pvt Ltd. The company is a paying customer of Elasticsearch EDR.

The flaw is classified as a CWE-476: NULL Pointer Dereference vulnerability. Under specific conditions, the driver mishandles memory operations inside privileged kernel routines, causing a system crash that can be reliably and repeatedly triggered.

The exploit can enable attackers to bypass Elastic's security solutions (Elastic Agent + Elastic Defend), gain remote code execution capabilities, establish persistence by planting a custom kernel driver that interacts with the vulnerable Elastic component and cause denial of service attacks.

Affected version is 8.17.6 (tested version). The researchers claim that all subsequent versions are currently affected since no patch is available.

There is no comment or acknowledgement of the issue from Elastic even after multiple attempts to report the flaw to the company.

Researchers report zero-day vulnerability in Elastic Endpoint Detection and Respons Driver that enables system compromise