// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE INT-18DTG 0600Z
Endpoint Security Vendor

Elastic

18 PUBLIC SECURITY EVENTS ON FILE · 2023-11-06 — 2026-05-28

Publicly-known security events concerning Elastic — CVEs, advisories, and incidents drawn from open-source reporting. Every item links to its original source.

Category

What Elastic sells

EDR is agent-based endpoint tooling that monitors process/file/network activity, detects malicious behavior, and enables response. It is detection-led by design: it observes and acts after code executes. Its efficacy depends on recognizing a threat, so novel/zero-day techniques are a window of exposure until detected.

SOURCE · ColdRecon Reference

Elastic competes in the endpoint-security category. ColdRecon publishes only the factual public record below — no competitive analysis or positioning.

The Public Record

Recent security events

On file: 10 vuln disclosures · 7 research pocs · 1 incident.

2026-05-28
vuln disclosure
CVE-2026-49095: Kibana Fleet Agent Policy Input Validation Flaw Allows Privilege EscalationCVE-2026-49095
A vulnerability in Kibana Fleet agent policy management allows authenticated users with Fleet management privileges to inject unvalidated values into configuration overrides. This can cause Elastic Agents to receive API keys with elevated Elasticsearch privileges, granting unauthorized access to sensitive security indices.
2026-04-20
research poc
Beatrice.py Tool Patches x64 Binaries with Alternative Opcodes to Evade AV and YARA DetectionBeatrice.py
Beatrice.py is a Python tool that modifies machine code in x64 binaries by substituting assembly instructions with functionally equivalent alternative opcodes of the same size. It aims to evade signature-based detection such as YARA rules and some antivirus solutions without altering program behavior. The tool was tested against Windows Defender and Elastic YARA rules in April 2026, showing mixed but often successful evasion for various C2 payloads and tools like Mimikatz.
2026-03-18
vuln disclosure
Elastic Agent osqueryd Parameter Injection Allows Local Arbitrary Code ExecutionCVE-2024-52976
CVE-2024-52976 is a high-severity vulnerability in Elastic Agent's osqueryd subprocess that allows local attackers with low privileges to execute arbitrary code via parameter injection. The flaw arises from inclusion of functionality from an untrusted control sphere, requiring the ability to modify osqueryd configurations. This could lead to complete compromise of the affected endpoint.
2025-11-21
vuln disclosure
Elastic Endpoint Kernel Driver NULL Pointer Dereference VulnerabilityASHES-2025-001
A vulnerability in the Microsoft-signed elastic-endpoint-driver.sys allows a local attacker to trigger a NULL or invalid pointer dereference in a kernel free routine, causing a Blue Screen of Death (BSOD) and persistent denial of service. The flaw was used as part of a broader attack chain including EDR bypass, low-privilege RCE, and persistence. Elastic has disputed the vulnerability, and no CVE has been assigned.
2025-11-13
research poc
Process Argument Spoofing via TLS Callbacks Evades EDR DetectionTLS-ProcArgs-Spoofing
A proof-of-concept demonstrates using Thread Local Storage (TLS) callbacks to modify process command-line arguments after kernel-level EDR logging but before main() execution. This allows malicious arguments to be hidden from security tools that monitor process creation, evading detection without suspicious patterns like suspended processes or cross-process memory writes.
2025-11-06
research poc
Elastic EDR Call Stack Signature Evasion Using Call GadgetsCall Gadget Call Stack Evasion
A technique has been demonstrated to evade Elastic EDR's call stack signature detections by using call gadgets that manipulate the call stack to bypass behavioral detection. This method alters expected call stack patterns, complicating detection. No known in-the-wild exploits exist, but it highlights a detection gap.
2025-10-31
research poc
Researchers Demonstrate Linux Rootkit Evading Elastic Security EDRSingularity Linux Rootkit
Security researchers developed a proof-of-concept Linux rootkit named Singularity that bypasses Elastic Security's EDR detection. The rootkit uses multiple evasion techniques including string obfuscation, symbol name randomization, module fragmentation, and direct syscalls to avoid static and behavioral detection. This demonstrates weaknesses in current kernel-level threat detection methodologies.
2025-10-14
vuln disclosure
Elastic Agent Leaks Secrets in Debug Log ModeCVE-2024-37283
CVE-2024-37283 is a vulnerability in Elastic Agent where secrets from the agent policy elastic-agent.yml are leaked when the log level is set to debug. By default, the log level is info, which prevents the leak. The issue was disclosed in a security update for Elastic Agent 8.15.0.
2025-08-16
vuln disclosure
Zero-Day Vulnerability in Elastic EDR Driver Allows BSOD and Potential BypassElastic EDR NULL Pointer Dereference
A zero-day vulnerability in Elastic's endpoint driver (elastic-endpoint-driver.sys) was disclosed, involving a NULL pointer dereference that can cause a Blue Screen of Death (BSOD). The researcher claims it can be used to bypass EDR detection, execute code, and establish persistence, though Elastic disputes the bypass and RCE claims. The flaw affects version 8.17.6 and likely later versions, with no patch available.
2025-07-30
vuln disclosure
CVE-2025-25011: Elastic Beats Uncontrolled Search Path Element Leading to Local Privilege EscalationCVE-2025-25011
CVE-2025-25011 is a high-severity vulnerability in Elastic Beats version 8.0.0 caused by insecure directory permissions. An attacker with local low-privilege access can exploit uncontrolled search path elements to move or delete arbitrary files, potentially escalating to SYSTEM privileges. No public exploits have been reported yet, but the flaw poses a significant risk to environments using Beats for data shipping and monitoring.
2025-06-12
research poc
MoveEDR: PowerShell script to disable EDRs by moving files at boot via PendingFileRenameOperationsMoveEDR
A PowerShell script called MoveEDR was published that leverages the Windows PendingFileRenameOperations registry key to move or delete EDR files before they start, effectively disabling endpoint detection. It requires local administrator privileges and targets multiple EDR products, including CrowdStrike, Elastic, McAfee, Trellix, Trend Micro, and Windows Defender. The technique is a proof-of-concept demonstrating a built-in Windows mechanism to bypass tamper protection.
2025-05-01
vuln disclosure
Elastic Agent and Elastic Defend Local API Key DisclosureCVE-2023-46669
A vulnerability in Elastic Agent and Elastic Defend (formerly Elastic Endpoint Security) exposes sensitive API key information to local unauthorized actors. This could lead to loss of confidentiality and allow impersonation of the endpoint to the Elastic Stack. The issue was internally discovered by Elastic engineers with no evidence of exploitation.
2024-07-17
incident
Fin7's AvNeutralizer Tool Enables EDR Tampering for Ransomware GangsAvNeutralizer
SentinelOne reports that the Fin7 threat group has developed and sold a custom tool called AvNeutralizer (aka AuKill) that tampers with endpoint detection and response (EDR) solutions. The tool has been used by multiple ransomware gangs, including AvosLocker, MedusaLocker, BlackCat, and LockBit, since early 2023. AvNeutralizer leverages a previously unseen technique using the Windows TTD monitor driver ProcLaunchMon.sys and a hardened process explorer driver to cause a denial-of-service condition on affected security products.
2024-06-27
research poc
Using Signed Minifilters to Disable EDR SystemsMinifilter EDR Disable
A security researcher demonstrates a technique to disable EDR systems by loading a custom signed minifilter driver that blocks access to EDR-related files, preventing EDR processes from starting. The method was tested against Microsoft Defender and Elastic EDR, allowing execution of tools like Mimikatz without detection.
2024-02-29
vuln disclosure
Elastic Agent Tamper Protection Bypass via Force Flag EnrollmentElastic-Agent-Tamper-Protection-Bypass-Force-Flag
A weakness in Elastic Agent allows a local administrator to enroll a new agent over an existing installation using the force flag, bypassing Agent Tamper Protection that requires an uninstall token for removal. This could let an attacker replace a protected agent with one under their control, undermining endpoint security.
2023-12-12
vuln disclosure
Elastic Agent Logs May Contain Sensitive Information Due to Logging of Raw Events on Ingestion FailureCVE-2023-6687
Elastic disclosed that Elastic Agent would log raw events at WARN or ERROR level when ingestion to Elasticsearch failed with certain 4xx HTTP status codes. This could result in sensitive or private information being written to the agent's own logs. The issue is resolved in versions 8.11.3 and 7.17.16 by limiting such logging to DEBUG level, which is disabled by default.
2023-11-06
vuln disclosure
Elastic Endpoint Debug Logging Exposes API Keys in ElasticsearchCVE-2023-46668
A vulnerability in Elastic Endpoint versions 7.9.0 through 8.10.3, when debug logging is enabled and logs are collected by Elastic Agent, causes Elastic Agent API keys to be written in plaintext to Elasticsearch. This could allow an attacker with access to those logs to read sensitive endpoint artifacts and write arbitrary data.
Every event on this page is a record in ColdRecon's canonical set, drawn from public reporting and linked to its source above. ColdRecon monitors open-source signal only; it publishes no non-public or customer information.

Elastic ships. Your prospect reads the headline. Do you?

ColdRecon turns this signal into one short daily brief, written from the seller's seat — what changed, why it matters to your deals, how to position. Request clearance and the first lands tomorrow at 0600.

Request Clearance →