Bypass Record

Exploitation for Priv-Esc × Elastic Agent

A publicly reported instance of Exploitation for Priv-Esc bypassing Elastic Agent, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Elastic Agent
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: High
Status: unknown
Disclosed: 2026-03-18
Config / version noted: Not stated

Provenance

Reported as

Defeats the integrity of the Elastic Agent security tool.

Mechanism

A local attacker with low privileges injects parameters into the osqueryd subprocess of Elastic Agent by modifying the osqueryd configuration files it reads, leading to arbitrary code execution. This defeats the integrity of the Elastic Agent security tool.

Detection & mitigation

Monitor for unexpected modifications to Elastic Agent osqueryd configuration files (e.g., osquery.flags, osquery.conf) by non-administrative users. Mitigate by applying the vendor patch for CVE-2024-52976 and enforcing strict file permissions to prevent unauthorized writes.
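As an added example (not from the cited source and not Elastic's own tooling), a small audit for the second half of that mitigation: it checks ownership, mode bits and the parent directory of the osqueryd configuration files so that a non-administrative write, the precondition of this record, stands out. The config paths are assumptions; the real locations depend on how Elastic Agent was installed.

```python
import os
import stat
import tempfile

# Assumed paths for illustration; the real osqueryd config location depends
# on how Elastic Agent was installed.
DEFAULT_CONFIG_FILES = [
    "/opt/Elastic/Agent/data/osquery/osquery.flags",
    "/opt/Elastic/Agent/data/osquery/osquery.conf",
]

def audit_osquery_config(path, trusted_uids=None):
    """Return findings meaning a non-administrative user could alter `path`,
    the precondition of the recorded bypass (a writable osqueryd config lets a
    low-privileged local user inject osqueryd parameters). Run as root."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink and could be redirected"]
    if st.st_uid not in trusted_uids:
        findings.append(f"{path}: owned by untrusted uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    # A writable parent directory lets the file be replaced wholesale,
    # whatever the file's own mode bits say.
    parent = os.path.dirname(path) or "."
    pmode = os.stat(parent).st_mode
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        findings.append(f"{parent}: directory writable by group/other")
    return findings

def audit_all(paths=DEFAULT_CONFIG_FILES):
    return {p: audit_osquery_config(p) for p in paths}

def make_constructed_samples():
    """Constructed sample files: one locked down (0640), one weak (0666)."""
    d = tempfile.mkdtemp()  # created with mode 0700, so the directory is safe
    safe, weak = os.path.join(d, "osquery.flags"), os.path.join(d, "osquery.conf")
    for p, mode in ((safe, 0o640), (weak, 0o666)):
        with open(p, "w") as f:
            f.write("--disable_extensions=true\n")  # constructed content
        os.chmod(p, mode)
    return safe, weak
```

Any non-empty finding list is worth pairing with the file-modification monitoring the mitigation describes, since a permission fix does not explain who changed the file in the first place.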

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.