Critical Elastic Cloud Flaw: CVE-2025-37729 (CVSS 9.1) Allows RCE via Jinjava Template Injection


Elastic has released urgent updates for Elastic Cloud Enterprise (ECE) to patch a critical vulnerability (CVE-2025-37729) that could allow attackers with administrative access to exfiltrate sensitive information or execute arbitrary commands through template injection in the Jinjava engine. The flaw carries a CVSS score of 9.1, underscoring its severity.

According to Elastic, “Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.”

The issue stems from improper input sanitization in the Jinjava template engine, a component used within ECE’s configuration templates. When processing user-supplied strings, Jinjava failed to safely neutralize special characters, allowing malicious payloads to be interpreted as executable expressions.

Elastic explains that the vulnerability affects Elastic Cloud Enterprise (ECE) in two major version ranges:

  • Versions 2.5.0 up to and including 3.8.1
  • Versions 4.0.0 up to and including 4.0.1

While exploitation requires administrative-level access, the potential impact is significant. Attackers who can access the ECE admin console and interact with deployments configured with the Logging+Metrics feature enabled can abuse the vulnerability to achieve server-side code execution and data exfiltration.

Elastic adds: “By submitting plans with specially crafted payloads it is possible to inject code to be executed and the result to be read back via the ingested logs.”

Elastic has released patched versions 3.8.2 and 4.0.2, which resolve the vulnerability by hardening Jinjava’s variable evaluation and neutralizing unsafe constructs.

Additionally, Elastic recommends monitoring for potential signs of exploitation.

“Users can monitor the request logs for malicious payloads by using the search query: (payload.name : int3rpr3t3r or payload.name : forPath).”
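As an added illustration (not Elastic's code), the following Python script applies that same hunt to exported request-log lines offline: it looks for the two indicator strings from Elastic's query in the payload.name field. The JSON log layout and the sample lines are constructed assumptions; the real ECE request-log schema may differ, so adjust the field path accordingly.

```python
import json

# Indicators taken from Elastic's suggested search query:
#   payload.name : int3rpr3t3r or payload.name : forPath
INDICATORS = ("int3rpr3t3r", "forpath")  # compared case-insensitively

# Constructed sample request-log lines (JSON, one per line). The field layout
# is an assumption for illustration, not the real ECE log schema.
SAMPLE_LOG = """\
{"@timestamp":"2025-10-09T10:00:01Z","user":"admin","payload":{"name":"prod-logging","kind":"elasticsearch"}}
{"@timestamp":"2025-10-09T10:02:17Z","user":"admin","payload":{"name":"node int3rpr3t3r probe","kind":"elasticsearch"}}
{"@timestamp":"2025-10-09T10:03:44Z","user":"ops","payload":{"name":"staging-forPath-check","kind":"kibana"}}
{"@timestamp":"2025-10-09T10:05:00Z","user":"ops","payload":{"kind":"apm"}}
this line is not JSON and must be skipped
"""


def get_field(record, dotted):
    """Walk a dotted path such as 'payload.name' through nested dicts; None if absent."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_indicator(value):
    """Case-insensitive substring match. This casts a slightly wider net than the
    token-based match Kibana performs on an analyzed text field, which is the
    safer direction for a hunt."""
    lowered = value.lower()
    return any(ind in lowered for ind in INDICATORS)


def scan_request_log(text, field="payload.name"):
    """Return records whose `field` contains an indicator, with line number, user and
    timestamp for triage. Malformed lines and records lacking the field are skipped."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        value = get_field(record, field)
        if isinstance(value, str) and matches_indicator(value):
            hits.append({"line": lineno, "user": record.get("user"),
                         "timestamp": record.get("@timestamp"), field: value})
    return hits


if __name__ == "__main__":
    for hit in scan_request_log(SAMPLE_LOG):
        print(hit)
```

Any hit should be correlated with the submitting admin account and the affected deployment's ingested logs, since the advisory notes results are read back through them.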

Administrators should also review access controls for the ECE admin console, disable Logging+Metrics on untrusted deployments, and restrict admin privileges to trusted accounts only.
