CVE-2025-37735

Elastic · Elastic Defend on Windows

A high-severity vulnerability has been identified in Elastic Defend on Windows hosts.

Executive summary

A high-severity vulnerability has been identified in Elastic Defend on Windows hosts. The flaw, resulting from an improper preservation of permissions, could allow an attacker to trick the high-privileged Defend service into deleting arbitrary files on the system, potentially leading to system crashes, denial of service, or data loss.

Vulnerability

The vulnerability exists within the Elastic Defend service on the Windows operating system. Due to a flaw in how file permissions are preserved, a low-privileged local user can influence file operations performed by the service. By pointing a path the service will act on at a critical system file, the attacker causes the Defend service, which runs with SYSTEM-level privileges, to delete that file. This class of vulnerability is commonly described as a Time-of-Check to Time-of-Use (TOCTOU) race condition or a symbolic link attack: the attacker redirects the target of a privileged file operation rather than performing the operation themselves.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.0. Exploitation could have a significant impact on business operations by compromising the availability and integrity of critical systems. An attacker could render servers or workstations unbootable by deleting essential operating system files, leading to a complete denial of service. The deletion of application data, configuration files, or security logs could also lead to data loss, disrupt business processes, and hinder forensic investigations.

Remediation

Immediate Action: Organizations must apply the security updates provided by the vendor to all affected Windows hosts immediately. Prioritize patching on critical systems, such as domain controllers, database servers, and other production assets. After patching, review system and application logs for any signs of anomalous file deletion activities that may have occurred prior to remediation.

Proactive Monitoring: Implement enhanced monitoring on affected endpoints. Specifically, monitor Windows Security Event Logs (Event ID 4663) for file deletion events originating from the Elastic Defend service process; note that 4663 events are only generated when the "Audit File System" subcategory is enabled and the monitored objects carry a matching SACL. Configure alerts for any attempts to delete files in critical system directories (e.g., C:\Windows\System32). Monitor the health and integrity of the Elastic Defend agent to detect any signs of tampering.
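As an added illustration of the 4663 triage described above (example code written for this page, not Elastic's tooling or part of the original advisory), the rule below flags DELETE-access events issued by the Defend service process against paths under critical system directories. It assumes the events have already been exported into dictionaries keyed by the 4663 EventData field names, and the service binary path is a labelled placeholder.

```python
"""Triage Windows Security 4663 events for DELETE access issued by the
high-privileged Elastic Defend service against critical system paths.
Sample events are constructed; field names mirror 4663 EventData."""

DELETE_ACCESS = 0x10000  # DELETE right in the 4663 AccessMask (%%1537)

# Assumed full path of the Defend service binary: placeholder, not from the advisory.
DEFEND_PROCESS = r"C:\Program Files\Elastic\Endpoint\DEFEND-SERVICE-PLACEHOLDER.exe"

# Directories where a deletion by the service warrants an alert.
CRITICAL_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

def is_suspicious_deletion(event: dict, service_exe: str = DEFEND_PROCESS) -> bool:
    """True when a 4663 event carries DELETE access, was issued by the
    Defend service process, and targets a path inside a critical directory."""
    if event.get("EventID") != 4663:
        return False
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return False  # malformed mask: do not alert on unparseable data
    if not mask & DELETE_ACCESS:
        return False
    if event.get("ProcessName", "").lower() != service_exe.lower():
        return False
    target = event.get("ObjectName", "").lower()
    return any(target.startswith(d.lower() + "\\") for d in CRITICAL_DIRS)

def triage(events: list) -> list:
    """Return the object paths of every event the rule flags."""
    return [e["ObjectName"] for e in events if is_suspicious_deletion(e)]

SAMPLE_EVENTS = [  # constructed sample events
    # service deleting its own temp file: benign, outside critical dirs
    {"EventID": 4663, "AccessMask": "0x10000", "ProcessName": DEFEND_PROCESS,
     "ObjectName": r"C:\Program Files\Elastic\Endpoint\tmp\scan.tmp"},
    # service deleting inside System32: the behaviour the advisory describes
    {"EventID": 4663, "AccessMask": "0x10000", "ProcessName": DEFEND_PROCESS,
     "ObjectName": r"C:\Windows\System32\CONSTRUCTED-EXAMPLE.dll"},
    # another process deleting in System32: out of scope for this rule
    {"EventID": 4663, "AccessMask": "0x10000", "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": r"C:\Windows\System32\CONSTRUCTED-OTHER.dll"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT: privileged deletion in critical directory:", path)
```

The access mask check uses a bitwise test so masks that combine DELETE with other rights (for example 0x110000) are still caught.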

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

  • Enforce the principle of least privilege by ensuring users do not have unnecessary local access to critical systems.
  • Implement a robust File Integrity Monitoring (FIM) solution to alert on unauthorized changes or deletions of critical system and application files.
  • Utilize application control solutions to prevent unauthorized executables, such as a tool an attacker would need to run to trigger the exploit, from executing.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity rating and the potential for a complete denial of service on affected Windows systems, we strongly recommend that organizations prioritize the immediate deployment of the vendor-supplied patches. This vulnerability presents a significant risk to system availability. Although it is not currently listed on the CISA KEV catalog, its impact warrants urgent attention. All Windows endpoints running the vulnerable versions of Elastic Defend should be considered at risk and patched according to the organization's patch management policy.