CVE-2025-37736: 
Elastic Cloud Enterprise vulnerability analysis and mitigation

CVE-2025-37736 is a high-severity privilege escalation vulnerability discovered in Elastic Cloud Enterprise (ECE). The vulnerability was disclosed on October 31, 2025, affecting ECE versions after 3.8.0 up to and including 3.8.2, and after 4.0.0 up to and including 4.0.2. This improper authorization flaw allows a readonly user to perform unauthorized operations and escalate privileges within managed Elastic environments (Elastic Advisory, Security Online).

The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper access control on several critical API endpoints related to user and service account management. The readonly user can invoke multiple restricted API calls including user creation, authentication keys management, and service account operations that should normally require administrative privileges (Elastic Advisory).

The vulnerability affects all ECE users across on-premises and hybrid deployments. An attacker who gains access to the readonly account or any associated API key could potentially create, modify, or delete user accounts, inject new API keys, and escalate privileges to gain full administrative access to an ECE environment (Security Online).

Elastic has released patched versions 3.8.3 and 4.0.3 to address this vulnerability. Organizations are advised to upgrade to these versions immediately. Additionally, administrators should investigate and potentially remove any users or service accounts created by the readonly user. Elastic has provided an open-source cleanup utility on GitHub to help identify and remove unauthorized accounts (Security Online).