CVE-2025-37731

Published: Dec 15, 2025Modified: Dec 18, 2025

7.4

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.2 / Impact: 5.2

Source: NVD

Description

Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.

Affected (4)

Products: Elastic: Elasticsearch

Elastic

1 product

Elasticsearch

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Elastic Elasticsearch	From 7.0.0 to 7.17.29
Elastic Elasticsearch	From 8.0.0 to 8.19.8
Elastic Elasticsearch	From 9.0.0 to 9.1.8
Elastic Elasticsearch	From 9.2.0 to 9.2.2

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (1)

https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-27/384063

Source: security@elastic.co

Vendor Advisory

Timeline

No history available yet.