CVE-2014-3120

HIGH KEV NUCLEI

Elasticsearch < 1.2 - Remote Code Execution via Dynamic Scripting

Exploitation Summary

CVE-2014-3120 is actively exploited and has been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog since March 25, 2022. EIP tracks 7 public exploits from researchers including Metasploit, Jeff Geiger and echohtp, among them the Metasploit module exploits/multi/elasticsearch/script_mvel_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2014-3120, a remote command execution vulnerability in ElasticSearch prior to 1.2.0. It leverages the REST API's dynamic script execution feature to run arbitrary Java code without authentication.

Description

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

Exploits (7)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · java
https://www.exploit-db.com/exploits/33588

This Metasploit module exploits CVE-2014-3120, a remote command execution vulnerability in ElasticSearch prior to 1.2.0. It leverages the REST API's dynamic script execution feature to run arbitrary Java code without authentication.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ElasticSearch < 1.2.0
No auth needed
Prerequisites: Network access to ElasticSearch REST API (port 9200 by default) · Dynamic scripting enabled in ElasticSearch
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Jeff Geiger · html · webapps · multiple
https://www.exploit-db.com/exploits/33370

This HTML-based PoC exploits CVE-2014-3120 in Elasticsearch by leveraging dynamic script execution to read or append to arbitrary files on the target system. It uses Java-based scripts injected via the Elasticsearch API to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Elasticsearch (versions prior to 1.3.8 and 1.4.3)
No auth needed
Prerequisites: Elasticsearch instance with dynamic scripting enabled · Network access to the Elasticsearch REST API (default port 9200)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 6 stars
by echohtp · remote
https://github.com/echohtp/ElasticSearch-CVE-2014-3120

This repository contains a Python script that exploits CVE-2014-3120, a remote code execution vulnerability in ElasticSearch. The script checks a list of hosts for vulnerability by sending a crafted request that executes a command (uname -a) and checks the response for indicators of successful execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ElasticSearch (versions prior to 1.2.0)
No auth needed
Prerequisites: Network access to the ElasticSearch instance · ElasticSearch instance with dynamic scripting enabled
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by Dungsocool · remote
https://github.com/Dungsocool/CVE-2014-3120

This repository provides a detailed technical analysis of CVE-2014-3120, an RCE vulnerability in Elasticsearch 1.1.1 due to dynamic scripting with MVEL. It includes step-by-step exploitation, payload construction, and post-exploitation analysis.

Classification: Writeup 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Elasticsearch 1.1.1
No auth needed
Prerequisites: Elasticsearch 1.1.1 with dynamic scripting enabled · Network access to port 9200
devstral-2 · analyzed May 31, 2026

nomisec WORKING POC
by xpgdgit · remote
https://github.com/xpgdgit/CVE-2014-3120

This PoC exploits CVE-2014-3120, a remote code execution vulnerability in Elasticsearch. It crafts a malicious JSON payload with a Groovy script to execute arbitrary commands via the `_search` endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Elasticsearch (versions before 1.2.0)
No auth needed
Prerequisites: Network access to Elasticsearch instance · Groovy scripting enabled in Elasticsearch
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by jeffgeiger · poc
https://github.com/jeffgeiger/es_inject

This repository contains a README describing CVE-2014-3120, an Elasticsearch remote code execution vulnerability. It references an external blog post for technical details and credits the discoverer but does not include exploit code.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Elasticsearch (version not specified)
No auth needed
Prerequisites: Elasticsearch instance with vulnerable configuration
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Alex Brasetvik, Bouke van der Bijl, juan vazquez · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/elasticsearch/script_mvel_rce.rb

This Metasploit module exploits CVE-2014-3120, a remote code execution vulnerability in ElasticSearch prior to 1.2.0, by leveraging dynamic script execution in the REST API to execute arbitrary Java code. It includes functionality to detect the target OS, write a malicious JAR file, and execute it.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ElasticSearch < 1.2.0
No auth needed
Prerequisites: Network access to ElasticSearch REST API (port 9200 by default) · Dynamic scripting enabled in ElasticSearch
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

ElasticSearch v1.1.1/1.2 RCE
MEDIUM · by pikpikcu
FOFA: index_not_found_exception

References (9)

Core References
Vendor Advisory x_refsource_confirm
https://www.elastic.co/blog/logstash-1-4-3-released
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/33370
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/67731
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/106949
Exploit x_refsource_misc
http://bouk.co/blog/elasticsearch-rce/
Vendor Advisory x_refsource_confirm
https://www.elastic.co/community/security/

Scores

CVSS v3 8.1
EPSS 0.8528
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2022-03-25
VulnCheck KEV 2022-03-25
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2022-5879
CWE CWE-284
Status published
Products (3)
elastic/elasticsearch < 1.2.0
elasticsearch/elasticsearch < 1.2
org.elasticsearch/elasticsearch 0 - 1.4.0.Beta1 (Maven)
Published Jul 28, 2014
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026