CVE-2025-37736: 
Elastic Cloud Enterprise vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-37736) was discovered in Elastic Cloud Enterprise (ECE) that allows privilege escalation through improper authorization. The vulnerability affects ECE versions after 3.8.0 up to and including 3.8.2, and versions after 4.0.0 up to and including 4.0.2, impacting all ECE users. The flaw was disclosed on October 31, 2025, and received a CVSS score of 8.8 (Elastic Discussion, Security Online).

The vulnerability stems from improper access control on critical API endpoints related to user and service account management. The built-in readonly user can invoke multiple restricted API calls that should require administrative privileges. The affected endpoints include operations for managing service accounts, user creation, authentication keys, and user modifications. These operations span across multiple API paths including platform configuration, security service accounts, and user management functionalities (Security Online).

The vulnerability allows a readonly user to perform unauthorized operations and escalate privileges within managed Elastic environments. An attacker who gains access to the readonly account or any associated API key could potentially create, modify, or delete user accounts, inject new API keys, and escalate privileges to gain full administrative access to an ECE environment (Security Online).

Elastic has released patched versions 3.8.3 and 4.0.3 to address this vulnerability. Users are strongly advised to upgrade to these versions. Additionally, administrators should investigate and potentially delete any users or service accounts created by the readonly user. For organizations unable to upgrade immediately, Elastic has provided an open-source cleanup utility to help identify and remove unauthorized accounts (Security Online).