Cyber Posture

CVE-2024-52975

Critical

Published: 23 January 2025

Modified: 15 April 2026
CVSS Score: 9.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0034 (57.1th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-52975 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Elastic (inferred from references). Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 42.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and AU-9 (Protection of Audit Information).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Prevents the exposure of sensitive information in ERROR log messages generated by Fleet Server by ensuring error handling does not reveal undue details.

prevent

Protects Fleet Server logs containing sensitive policy information from unauthorized access, modification, or deletion by low-privilege adjacent attackers.

detect

Monitors Fleet Server and its logs for indicators of unauthorized disclosure of sensitive information to unauthorized actors.

MITRE ATT&CK Enterprise Techniques [AI]

T1005 Data from Local System (Tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Vulnerability exposes sensitive policy data (incl. credentials) in accessible logs, directly enabling local data collection and unsecured credential access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was identified in Fleet Server where Fleet policies that could contain sensitive information were logged on INFO and ERROR log levels. The nature of the sensitive information largely depends on the integrations enabled.

Deeper analysis [AI]

CVE-2024-52975 is a vulnerability in Fleet Server, part of the Elastic Stack, where Fleet policies containing sensitive information are logged at INFO and ERROR log levels. The nature of the sensitive information varies based on enabled integrations. This issue corresponds to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and was published on 2025-01-23 with a CVSS v3.1 base score of 9.0 (AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

An attacker with low privileges (PR:L) and adjacent network access (AV:A) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Exploitation involves accessing the logs to retrieve sensitive data from Fleet policies, potentially leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) due to the changed scope (S:C).

Elastic Security Advisory ESA-2024-31 addresses this issue via a security update for Fleet Server 8.15.0. Security practitioners should consult the advisory at https://discuss.elastic.co/t/fleet-server-8-15-0-security-update-esa-2024-31/373522 for detailed mitigation steps and patching guidance.

Details

CWE(s)

Affected Products

Elastic
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-24232 (shared CWE-200)
CVE-2026-2268 (shared CWE-200)
CVE-2025-27784 (shared CWE-200)
CVE-2026-27161 (shared CWE-200)
CVE-2025-55265 (shared CWE-200)
CVE-2026-22600 (shared CWE-200)
CVE-2026-0905 (shared CWE-200)
CVE-2026-4712 (shared CWE-200)
CVE-2025-24246 (shared CWE-200)
CVE-2025-30424 (shared CWE-200)
