Researchers have revealed a zero-day flaw in Elastic’s Endpoint Detection and Response platform, a discovery that places thousands of enterprise networks at immediate risk. The vulnerability allows attackers to turn the software’s own defenses against its host, opening the door to malicious code execution and repeated system crashes.
The discovery, made by AshES Cybersecurity, centers on a Microsoft-signed kernel driver called elastic-endpoint-driver.sys, which is a core component of Elastic Defend and Elastic Agent. According to the researchers, under specific conditions, improper memory handling in this driver enables attackers to bypass EDR monitoring, gain remote code execution privileges, establish persistence, and ultimately cause repeated system crashes known as Blue Screens of Death (BSOD).
The vulnerability has been classified as CWE-476: NULL Pointer Dereference, in which a user-controllable pointer is passed into a kernel routine without adequate validation. If that pointer is null, freed, or corrupted, the system immediately crashes at the kernel level. AshES Cybersecurity demonstrated a working proof-of-concept in which a custom loader bypasses Elastic’s protections, installs a malicious kernel driver, and forces the vulnerable driver to exhibit malware-like behavior. Once exploited, the flaw enables a complete attack chain, from bypassing defenses to executing privileged denial-of-service attacks.
AshES Cybersecurity first identified the flaw on June 2, 2025. An initial disclosure was made through HackerOne a little over a week later, on June 11, followed by another submission to the Zero Day Initiative on July 29. After receiving no meaningful response, the researchers decided to make their findings public on August 16. The problem was confirmed in version 8.17.6 of the driver, and analysts warn that newer releases appear to carry the same weakness since no corrective update has been issued.
For businesses that rely on Elastic’s security tools, the implications are troubling. The flaw means attackers could remotely exploit the software to knock out defenses across multiple endpoints, leaving entire networks exposed. Even more concerning is that the compromised component bears a legitimate Microsoft signature, effectively weakening the trust framework organizations rely on when validating signed kernel drivers.
In its statement, AshES Cybersecurity underscored the severity of the issue, noting that “a defender that can be blinded, disabled, or crashed on demand is indistinguishable from malware.” Until Elastic delivers a fix, customers remain exposed to a live zero-day that transforms a trusted security solution into a potential enterprise-wide liability.