Enterprise search and security company Elastic has publicly denied a recent claim by AshES Cybersecurity regarding a significant zero-day vulnerability in its Defend endpoint detection and response (EDR) product. This rebuttal comes after AshES Cybersecurity published a blog post alleging the discovery of a remote code execution (RCE) flaw that could allow attackers to bypass critical EDR protections. Elastic’s Security Engineering team, following a comprehensive investigation, stated they could not find any evidence to support the claims of a vulnerability that bypasses monitoring and enables RCE, setting up a clear conflict between the two companies.
According to AshES Cybersecurity’s detailed write-up, the alleged vulnerability stems from a NULL pointer dereference flaw within Elastic Defender’s kernel driver, specifically elastic-endpoint-driver.sys. They claimed this flaw could be exploited to bypass EDR monitoring, facilitate RCE with reduced visibility, and enable persistence on an infected system. The company’s researcher asserted that this bug was not merely a stability issue but a serious security risk, stating, “The Elastic driver 0-day is not just a stability bug. It enables a full attack chain that adversaries can exploit inside real environments.”
To substantiate their findings, the AshES Cybersecurity researcher documented a proof-of-concept (PoC) demonstration, which involved using a custom driver to trigger the flaw under controlled conditions. They further published two videos to support their claim: one showing the Windows operating system crashing due to the driver’s failure, and another depicting the alleged exploit successfully launching the calc.exe program without being detected or blocked by Elastic’s Defend EDR. These public demonstrations were intended to serve as irrefutable evidence of the vulnerability’s existence and its potential impact.
In a strong counter-statement, Elastic asserted that it was unable to reproduce the reported vulnerability or its described effects after evaluating AshES Cybersecurity’s claims and reports. Elastic highlighted that the multiple reports it received from the cybersecurity firm for the alleged zero-day flaw “lacked evidence of reproducible exploits.” The company’s bug bounty triage team and security engineers reportedly spent considerable time attempting to validate the reports but were unsuccessful. Elastic’s statement also pointed out that researchers are typically required to share a reproducible proof-of-concept, which AshES Cybersecurity had reportedly chosen not to provide.
The dispute ultimately revolves around the principles of coordinated disclosure. Elastic stated that the researcher did not share the full details of the vulnerability, instead deciding to make their claims public, which it considers a deviation from responsible disclosure practices. In contrast, AshES Cybersecurity confirmed its decision not to send the PoC to Elastic or its affiliates. Elastic reaffirmed its commitment to security, noting that it takes all security reports seriously and has paid out over $600,000 to researchers through its bug bounty program since 2017.
Reference:
