CVE-2025-37731

MEDIUM severity · CVSS 6.8 · Improper authentication

6.8CVSS MEDIUM

Summary

Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products we track (1)

Elasticsearch

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-27/384063Advisory