Critical RCE Vulnerability in Elastic Cloud via Jinjava Injection

Threat: Vulnerability

Targeted Region: Global

Targeted Sector: Technology & IT

Criticality: Critical

EXECUTIVE SUMMARY:

Elastic has critical template-injection vulnerability CVE-2025-37729, CVSS 9.1 in Elastic Cloud Enterprise (ECE) where improper sanitization in the Jinjava template engine can allow a maliciously crafted template to be evaluated, enabling data exfiltration and server-side command execution; the flaw affects ECE versions 2.5.0 through 3.8.1 and 4.0.0 through 4.0.1, and while exploitation requires administrative access.

RECOMMENDATION:

We strongly recommend you update Elastic Cloud Enterprise (ECE) to version 3.8.2 or 4.0.2.

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/critical-elastic-cloud-flaw-cve-2025-37729-cvss-9-1-allows-rce-via-jinjava-template-injection/

Recent Advisories

SVG Attachment Delivers AsyncRAT in Colombian Judicial Phishing Campaign

October 14, 2025

Astaroth Banking Trojan Abuses Legitimate GitHub Infrastructure to Evade Security Disruptions

October 14, 2025

High Severity Privilege Escalation Vulnerability in Lenovo Dispatcher Driver

October 14, 2025

TwoNet Hacktivist Campaign Targets OT and ICS Infrastructure

October 13, 2025

Critical RCE Vulnerability in Elastic Cloud via Jinjava Injection

Recent Advisories

Report an Incident