Microsoft-signed elastic-endpoint-driver.sys vulnerable to a NULL/invalid pointer dereference in a kernel free routine, enabling reliable kernel-level denial of service and forming the basis of a broader 4-step attack chain.
AshES Cybersecurity has identified a kernel-level vulnerability in Elastic's Endpoint Detection and Response (EDR) driver
elastic-endpoint-driver.sys. Under specific conditions, user-influenced data can cause an invalid or uninitialized pointer
to be passed into a kernel free routine, resulting in a reliable Blue Screen of Death (BSOD) and
persistent endpoint denial of service.
The vulnerable driver is Microsoft-signed and ships as part of Elastic Defend / Elastic Agent. In our research lab, this flaw was used as part of a four-stage attack chain:
This advisory documents the driver-level vulnerability and impact on system stability. The end-to-end attack chain and exploitation context are described in detail in our blog posts:
ExFreePoolWithTag and the resulting BSOD). The broader attack chain (EDR bypass, RCE and persistence)
is demonstrated using a cooperating test driver in the linked research, not provided here as PoC code.
The vulnerability resides in the driver's handling of a memory-related enforcement path inside elastic-endpoint-driver.sys.
When a specific internal code path is reached, a pointer derived from earlier logic is eventually passed into the Windows pool allocator
without being validated for NULL or correctness.
In the function we refer to as sub_140012560 (name based on disassembly), the crash occurs at an offset where the driver executes:
mov edx, 52534E53h ; Tag
mov rcx, r15 ; P
call cs:ExFreePoolWithTag
In the vulnerable path, r15 may hold a NULL, invalid or otherwise corrupted pointer. In our testing, this pointer could be influenced
from user-mode activity inside an Oracle VirtualBox virtual machine, as described in Part 2 of the blog series. When this bad pointer is freed,
Windows detects the problem and halts the system with a BSOD that references elastic-endpoint-driver.sys as the faulting module.
In practice, this produces an immediate crash. In our lab, we were able to repeatedly trigger the crash from a custom kernel driver that synchronizes with the vulnerable offset (for example, via a mutex operation reaching the same code path), and in some scenarios, the affected host would repeatedly crash on boot until Elastic's driver was disabled or removed.
| Vulnerability Type | CWE-476: NULL Pointer Dereference / invalid pointer free in kernel context |
|---|---|
| Attack Vector | Local — interaction that influences the pointer later passed into ExFreePoolWithTag inside the driver |
| Privileges Required |
Local code execution. The internal PoC demonstrated in the lab uses a cooperating kernel driver that is loaded once from an
administrator context. After this setup step, the vulnerable pointer (in r15) is influenced by low-privilege
user-mode memory. No standalone low-privilege to kernel privilege escalation chain is claimed.
|
| Impact | Kernel-mode BSOD, persistent endpoint DoS; usable as a high-impact building block in a wider attack chain |
| Driver | elastic-endpoint-driver.sys, Microsoft-signed, shipped with Elastic Defend / Elastic Agent |
On affected systems, successful triggering of the vulnerable path allows a local process or malware (via a cooperating driver) to:
While the underlying bug is a kernel stability flaw (not a classic arbitrary code execution primitive by itself), the fact that it exists in a widely-deployed, Microsoft-signed security driver makes it operationally severe in real environments.
In our research environment, triggering the bug required:
r15 into ExFreePoolWithTag
The blog series shows how this primitive was integrated into a broader 4-step chain (EDR bypass → low-privilege RCE → persistence → DoS) to demonstrate real-world impact inside a lab network.
Based on our testing and third-party reporting, the vulnerable logic is present in the Elastic endpoint driver version shipped around mid-2025 (for example, builds corresponding to Elastic Defend / Elastic Agent 8.17.x), and no public patch had been identified at the time of writing.
Organizations can verify the presence of the driver at:
C:\Windows\System32\drivers\elastic-endpoint-driver.sys
Until Elastic ships an official fix, organizations concerned about this issue can:
elastic-endpoint-driver.sys as a possible indicator of driver instability or exploitation attempts.| Date (2025) | Event |
|---|---|
| Early May | Initial BSODs observed during EDR and injection testing in a research environment; crash triaged to elastic-endpoint-driver.sys. |
| Mid–Late May | Crash reliably reproduced; vulnerable function and unsafe free path (pointer in r15 into ExFreePoolWithTag) identified via WinDbg and static analysis. |
| June | Crashing function and data flow into r15 mapped; four-stage attack chain assembled in the lab to demonstrate end-to-end impact. |
| Date (2025) | Event |
|---|---|
| 2 June | Vulnerability formally scoped as a zero-day in Elastic's EDR driver in our internal notes. |
| 11 June | Initial report submitted via Elastic's bug bounty / triage channels (e.g., HackerOne). |
| 29 July | Follow-up report sent through a secondary program (e.g., ZDI) with additional details. |
| 16 August | Part 1 of the blog series published, disclosing the vulnerability and high-level attack chain: “Elastic EDR 0-day: Part 1 – Breaking a Microsoft-Signed EDR Driver”. |
| 17–19 August | Third-party coverage by security news outlets; Elastic issues a public statement disputing the RCE and EDR-bypass aspects while acknowledging the crash scenario. |
| 29 August |
Part 2 published: “Elastic EDR 0-day: Part 2 – Technical Details and the Trigger”, documenting the crashing function, the r15 pointer issue, and the technical trigger in greater depth.
|
Researcher: Pradheesh S
Organization: AshES Cybersecurity Pvt. Ltd.
Role: Founder & Lead Researcher
The proof-of-concept referenced in the blog series is an internal lab demonstration and is
not publicly released. The PoC uses a cooperating kernel driver that is loaded once from an
administrator context to reach the vulnerable code path inside
elastic-endpoint-driver.sys. This setup step is not part of the vulnerability itself.
The vulnerability originates from a pointer influenced by low-privilege user-mode memory being passed into
ExFreePoolWithTag without validation. This advisory does not claim a standalone
low-privilege to kernel privilege escalation exploit chain.
For verification, coordination, or further technical discussion regarding ASHES-2025-001:
Email: security@ashes-cybersecurity.com
Website: https://ashes-cybersecurity.com