Mallory

Critical RCE Vulnerability in Elastic Cloud Enterprise via Jinjava Template Injection

Tags: cloud-service-vulnerability, widely-deployed-product-advisory, identity-authentication-vulnerability
Updated March 21, 2026 at 03:43 PM. 3 sources.

Elastic Cloud Enterprise (ECE) contains a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-37729 with a CVSS score of 9.1. The flaw is improper neutralization of special elements in Jinjava, the template engine ECE uses for its configuration templates: strings submitted by an administrator are evaluated by Jinjava rather than treated as literal data, so an attacker with administrative access can submit crafted template expressions and have Jinjava execute arbitrary commands on the server. Successful exploitation can expose sensitive information and fully compromise the affected ECE deployment.

Affected versions are ECE 2.5.0 up to and including 3.8.1, and 4.0.0 up to and including 4.0.1. Exploitation requires access to the ECE admin console and a deployment with the Logging+Metrics feature enabled: the attacker injects the expression through a deployment plan and reads the result back from the logs that the deployment ingests, which turns the template evaluation into server-side code execution with a working feedback channel. Elastic fixed the issue in ECE 3.8.2 and 4.0.2 by hardening how Jinjava evaluates variables.

The vulnerability was publicly disclosed in mid-October 2025. It was reported by a member of the Elastic security team, and details were published in Elastic's advisory and in CVE databases. It is remotely exploitable, but only by users who already hold administrative privileges, which narrows the set of possible attackers without reducing the impact of a successful attack. No exploitation in the wild had been reported at the time of disclosure.

Organizations running ECE should upgrade to 3.8.2 or 4.0.2 without delay, review who holds administrative access to the ECE admin console, and watch that console for unexpected deployment-plan changes. More broadly, the case shows the risk of template injection in cloud management platforms: configuration values that reach a template engine must be treated as untrusted input and must not be evaluated as code. Elastic's prompt fix and detailed advisory were well received, and the vulnerability underscores the need for regular security reviews and prompt patch management in cloud environments.
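As an added example (not code from Elastic or from the advisory), the following Python script performs two of the triage steps above offline: it checks an ECE version string against the affected ranges the advisory lists, and it scans a deployment plan for Jinjava delimiters (`{{`, `{%`, `{#`), which a benign plan value normally never carries. The plan field names and the sample plan are constructed for illustration and are not the exact ECE plan schema; the scanner only flags values, it never evaluates them.

```python
"""Offline triage for CVE-2025-37729 (ECE Jinjava template injection).

1. is_affected(version): is this ECE version inside the advisory's ranges
   (2.5.0..3.8.1 inclusive, 4.0.0..4.0.1 inclusive)?
2. find_template_markers(plan): walk a deployment plan (any JSON-like object)
   and report string values containing Jinjava delimiters.
"""
from __future__ import annotations

import re
from typing import Any, Iterator

# Inclusive (first affected, last affected) ranges from the advisory.
AFFECTED_RANGES = [((2, 5, 0), (3, 8, 1)), ((4, 0, 0), (4, 0, 1))]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v' or build suffix)."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?\s*", text)
    if not m:
        raise ValueError(f"not a dotted ECE version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def minimum_fix(version: str) -> str | None:
    """Patched release on the same major line, or None if unaffected."""
    if not is_affected(version):
        return None
    return "4.0.2" if parse_version(version)[0] >= 4 else "3.8.2"


# Jinjava uses Jinja-style delimiters. Vulnerable ECE versions hand such
# strings to the engine, so any occurrence in a plan value deserves review.
JINJAVA_DELIMITERS = re.compile(r"\{\{|\{%|\{#")


def find_template_markers(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string containing a delimiter."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_template_markers(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_template_markers(value, f"{path}[{i}]")
    elif isinstance(node, str) and JINJAVA_DELIMITERS.search(node):
        yield (path, node)


def triage(version: str, plan: dict) -> dict:
    """Combine the version check with a scan of one deployment plan."""
    return {
        "affected": is_affected(version),
        "fix": minimum_fix(version),
        "suspicious": list(find_template_markers(plan)),
    }


# Constructed sample plan (illustrative field names, not the real ECE schema).
# One value carries a template marker where a literal YAML line is expected.
SAMPLE_PLAN = {
    "name": "prod-logging",
    "resources": {
        "elasticsearch": [
            {
                "plan": {
                    "cluster_topology": [
                        {"instance_configuration_id": "data.default",
                         "size": {"value": 4096, "resource": "memory"}}
                    ],
                    "elasticsearch": {
                        "version": "8.15.0",
                        "user_settings_yaml": "cluster.name: {{ 'probe' }}",
                    },
                }
            }
        ]
    },
    "metadata": {"owner": "platform-team", "note": "escaped {{ braces }}"},
}

if __name__ == "__main__":
    result = triage("3.7.0", SAMPLE_PLAN)
    print("affected:", result["affected"], "upgrade to:", result["fix"])
    for json_path, value in result["suspicious"]:
        print(f"  {json_path}: {value!r}")
```

Feed it your own version string and the JSON of each deployment plan exported from the admin console; a hit on a plan value is a reason to inspect who submitted that plan and when, not proof of compromise, since the scanner is deliberately noisy about delimiters.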

Timeline

  1. Oct 13, 2025

    Elastic releases patched ECE versions 3.8.2 and 4.0.2

    Alongside the disclosure, Elastic released fixes for CVE-2025-37729 in Elastic Cloud Enterprise versions 3.8.2 and 4.0.2. The company also advised customers to monitor logs, review admin access, and disable Logging+Metrics on untrusted deployments.

  2. Oct 13, 2025

    Elastic discloses CVE-2025-37729 in Elastic Cloud Enterprise

    Elastic disclosed a critical remote code execution vulnerability, CVE-2025-37729, affecting Elastic Cloud Enterprise via Jinjava template injection. The flaw impacts ECE versions 2.5.0 through 3.8.1 and 4.0.0 through 4.0.1, and requires administrative access to exploit.


Related Stories

Critical Adobe Experience Manager Flaw CVE-2025-54253 Under Active Exploitation

A critical security vulnerability, tracked as CVE-2025-54253 with a CVSS score of 10.0, has been identified in Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier. The flaw is a misconfiguration that exposes the /adminui/debug servlet, which evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation. This allows attackers to execute arbitrary system commands on affected servers with a single crafted HTTP request, leading to the possibility of full remote code execution. Adobe addressed the vulnerability in version 6.5.0-0108, released in early August 2025, and also patched a related issue, CVE-2025-54254, with a CVSS score of 8.6. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-54253 to its Known Exploited Vulnerabilities (KEV) catalog, confirming evidence of active exploitation in the wild. CISA has issued an emergency alert, urging all Federal Civilian Executive Branch (FCEB) agencies and other organizations to apply the necessary patches by November 5, 2025, to mitigate the risk. Security firm FireCompass highlighted the severity of the flaw, noting that the exposed endpoint can be abused without authentication, making exploitation trivial for attackers. Adobe has acknowledged the existence of a publicly available proof-of-concept for both CVE-2025-54253 and CVE-2025-54254, increasing the urgency for remediation. While specific details of real-world attacks have not been disclosed, the active exploitation status underscores the immediate threat to organizations running vulnerable AEM instances. The vulnerability's critical nature is amplified by its potential to allow attackers to gain complete control over affected systems. Organizations are strongly advised to review their deployments and ensure all relevant patches are applied without delay. 
The exposure of such a high-impact endpoint in a widely used enterprise content management platform raises significant concerns for both public and private sector entities. The incident demonstrates the ongoing risk posed by misconfigurations and insufficient input validation in complex web applications. Security teams should also review access logs for signs of exploitation attempts and consider additional monitoring of AEM endpoints. The rapid response from CISA and Adobe highlights the importance of coordinated vulnerability disclosure and mitigation in the face of active threats. Failure to address this vulnerability could result in severe compromise of sensitive data and business operations. The situation remains dynamic, and organizations should stay alert for further advisories or indicators of compromise related to CVE-2025-54253.

1 month ago
Critical Remote Code Execution Vulnerability in Ivanti Endpoint Manager (CVE-2025-10573)

Ivanti has disclosed a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) software, which allows unauthenticated remote attackers to execute arbitrary JavaScript code via a stored cross-site scripting (XSS) attack. The flaw enables attackers to register fake managed endpoints to the EPM server, thereby injecting malicious JavaScript into the administrator web dashboard. When an administrator interacts with the compromised dashboard, the attacker can hijack the session and potentially gain full control over the EPM environment. Ivanti has released a patch (EPM 2024 SU4 SR1) to address this issue and strongly urges customers to update, especially since hundreds of EPM instances are exposed to the internet, increasing the risk of exploitation. The vulnerability, assigned a CVSS score of 9.6, affects EPM versions 2024 SU4 and below. Security researchers at Rapid7, who discovered and reported the flaw, emphasize the urgency of patching due to the unauthenticated nature of the attack vector. Ivanti EPM is widely used for endpoint management, remote administration, and compliance, making it a high-value target for attackers. In addition to CVE-2025-10573, Ivanti has also released fixes for three other high-severity vulnerabilities in the same update cycle. Security teams are advised to apply the latest patches immediately and review the exposure of EPM instances to the internet to mitigate the risk of compromise.

1 month ago
Critical RCE Vulnerability in Cisco Unified Contact Center Express via Java RMI

A critical remote code execution (RCE) vulnerability has been identified in Cisco Unified Contact Center Express (CCX), tracked as CVE-2025-20354, with a CVSS score of 9.8. The flaw resides in the Java Remote Method Invocation (RMI) process and the CCX Editor, and allows unauthenticated attackers to upload arbitrary files and execute commands with root privileges on affected systems. The vulnerability stems from improper authentication mechanisms associated with specific CCX features, so exploitation requires no prior access or credentials. Successful exploitation gives a remote attacker full control over the underlying operating system, significantly increasing the risk of compromise for organizations running vulnerable Cisco CCX deployments. Cisco has acknowledged the issue and identified the affected products, and organizations are urged to review their exposure and apply the available mitigations or patches to prevent unauthorized root access and system takeover.

1 month ago
