CVE-2015-1427

CRITICAL · KEV · RANSOMWARE · NUCLEI · LAB

Elasticsearch <1.3.8, <1.4.3 - Command Injection

Title source: llm

Exploitation Summary

CVE-2015-1427 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022, with confirmed use in ransomware campaigns. EIP tracks 8 public exploits from researchers including Metasploit, Xiphos Research Ltd and t0kx, among them the Metasploit module exploits/multi/elasticsearch/search_groovy_script. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2015-1427, a remote command execution vulnerability in ElasticSearch prior to 1.4.3. It bypasses the Groovy sandbox via Java class reflection to execute arbitrary code, leveraging the REST API without authentication.

Description

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

Exploits (8)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · java
https://www.exploit-db.com/exploits/36415

This Metasploit module exploits CVE-2015-1427, a remote command execution vulnerability in ElasticSearch prior to 1.4.3. It bypasses the Groovy sandbox via Java class reflection to execute arbitrary code, leveraging the REST API without authentication.

Classification: Working PoC 100%
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ElasticSearch < 1.4.3
No auth needed
Prerequisites: Network access to ElasticSearch REST API (port 9200 by default)
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by Xiphos Research Ltd · python · remote · linux
https://www.exploit-db.com/exploits/36337

This exploit leverages CVE-2015-1427, a remote code execution vulnerability in ElasticSearch, by sending a crafted JSON payload to execute arbitrary commands via Java's Runtime.exec(). The script provides a semi-interactive shell for command execution.

Classification: Working PoC 95%
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ElasticSearch (versions prior to 1.4.3 and 1.5.0)
No auth needed
Prerequisites: Network access to ElasticSearch port 9200 · ElasticSearch with dynamic scripting enabled
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 32 stars
by t0kx · remote
https://github.com/t0kx/exploit-CVE-2015-1427

This repository contains a functional exploit for CVE-2015-1427, targeting Elasticsearch versions 1.4.0 to 1.4.2. The exploit leverages a Groovy sandbox bypass via the REST API to achieve remote code execution (RCE) without authentication.

Classification: Working PoC 100%
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Elasticsearch 1.4.0 < 1.4.2
No auth needed
Prerequisites: Network access to the Elasticsearch REST API (port 9200 by default)
devstral-2 · analyzed Feb 16, 2026
nomisec STUB
by Sebikea · poc
https://github.com/Sebikea/CVE-2015-1427-for-trixie

The provided script is a minimal setup script for Elasticsearch, lacking any exploit code or vulnerability demonstration for CVE-2015-1427. It merely starts Elasticsearch and tails its log file.

Classification: Stub 90%
Attack type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Elasticsearch (version unspecified)
No auth needed
Prerequisites: Elasticsearch installed and accessible
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by xpgdgit · remote
https://github.com/xpgdgit/CVE-2015-1427

This is a functional exploit for CVE-2015-1427, an Elasticsearch remote code execution vulnerability via Groovy scripting. It sends a crafted POST request to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Elasticsearch (versions with Groovy scripting enabled)
No auth needed
Prerequisites: Network access to Elasticsearch instance · Groovy scripting enabled on target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by cved-sources · poc
https://github.com/cved-sources/cve-2015-1427

This repository contains a Docker-based PoC for CVE-2015-1427, an Elasticsearch Groovy scripting vulnerability. The script sets up a vulnerable Elasticsearch instance and demonstrates the exploit by sending a malicious request.

Classification: Working PoC 90%
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Elasticsearch < 1.3.8, < 1.4.3
No auth needed
Prerequisites: Docker environment · Network access to target Elasticsearch instance
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by cyberharsh · poc
https://github.com/cyberharsh/Groovy-scripting-engine-CVE-2015-1427

This repository provides a proof-of-concept for CVE-2015-1427, a Groovy sandbox bypass and remote code execution vulnerability in ElasticSearch. It includes two methods for exploiting the vulnerability: Java reflection to bypass the sandbox and direct Groovy command execution.

Classification: Working PoC 95%
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ElasticSearch v1.4.2
No auth needed
Prerequisites: ElasticSearch with Groovy scripting enabled · Network access to the ElasticSearch instance
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Cameron Morris, Darren Martyn, juan vazquez · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/elasticsearch/search_groovy_script.rb

This Metasploit module exploits CVE-2015-1427, a remote command execution vulnerability in ElasticSearch prior to 1.4.3. It bypasses the Groovy sandbox via Java class reflection to execute arbitrary code.

Classification: Working PoC 100%
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ElasticSearch < 1.4.3
No auth needed
Prerequisites: Network access to ElasticSearch REST API (port 9200 by default)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

ElasticSearch - Remote Code Execution
HIGH · by pikpikcu
FOFA: index_not_found_exception

References (9)

Core References

http://www.securityfocus.com/archive/1/534689/100/0/threaded (Broken Link, Third Party Advisory, VDB Entry; mailing-list, x_refsource_bugtraq)
https://access.redhat.com/errata/RHSA-2017:0868 (Third Party Advisory; vendor-advisory, x_refsource_redhat)
http://www.securityfocus.com/bid/72585 (Broken Link, Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid)
https://exchange.xforce.ibmcloud.com/vulnerabilities/100850 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_xf)
https://www.elastic.co/community/security/ (Not Applicable, Vendor Advisory; x_refsource_confirm)

Scores

CVSS v3: 9.8
EPSS: 0.9233
EPSS percentile: 99.7%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical impact: total

Details

CISA KEV: 2022-03-25
VulnCheck KEV: 2019-04-09
InTheWild.io: 2022-03-25
ENISA EUVD: EUVD-2022-5539
Ransomware use: Confirmed
Status: published

Products (3)

elastic/elasticsearch < 1.3.8
org.elasticsearch/elasticsearch 0 - 1.3.8 (Maven)
redhat/fuse 1.0.0

Published: Feb 17, 2015
KEV added: Mar 25, 2022
Tracked since: Feb 18, 2026