CVE-2015-5531

EXPLOITED NUCLEI LAB

Elasticsearch <1.6.1 - Path Traversal

Exploitation Summary

CVE-2015-5531 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits, from researchers including Pedro Andujar, MoCh3n and xpgdgit; they include a Metasploit module, auxiliary/scanner/http/elasticsearch_traversal. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits a path traversal vulnerability in ElasticSearch (CVE-2015-5531) to read arbitrary files from the server. It leverages misconfigured snapshot repositories to bypass restrictions and retrieve file contents as byte arrays.

Description

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

Exploits (5)

exploitdb WORKING POC
by Pedro Andujar · python · webapps · linux
https://www.exploit-db.com/exploits/38383

This PoC exploits a path traversal vulnerability in ElasticSearch (CVE-2015-5531) to read arbitrary files from the server. It leverages misconfigured snapshot repositories to bypass restrictions and retrieve file contents as byte arrays.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ElasticSearch 1.6.0 and prior
No auth needed
Prerequisites: path.repo must be set in elasticsearch.yml and writable by the ElasticSearch process
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by MoCh3n · poc
https://github.com/MoCh3n/CVE-2015-5531-POC

This PoC exploits a directory traversal vulnerability in Elasticsearch (CVE-2015-5531) by abusing the snapshot API to read arbitrary files. It sends crafted HTTP requests to traverse directories and decode the response to retrieve file contents.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Elasticsearch < 1.6.1
No auth needed
Prerequisites: Network access to Elasticsearch REST API · Snapshot API enabled
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by xpgdgit · remote
https://github.com/xpgdgit/CVE-2015-5531

This PoC exploits CVE-2015-5531, a directory traversal vulnerability in Elasticsearch, to read arbitrary files on the target system. It leverages the snapshot API to traverse directories and retrieve file contents.

Classification: Working Poc 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Elasticsearch (versions prior to 1.6.1 and 1.5.2)
No auth needed
Prerequisites: Network access to the Elasticsearch API · Snapshot API enabled
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/r3naissance/eatt

This repository contains a functional Proof-of-Concept (PoC) exploit for CVE-2015-5531, which targets a vulnerability in the RDP service. The exploit demonstrates memory corruption via crafted packets, potentially leading to Remote Code Execution (RCE).

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: Windows RDP Service (affected versions include Windows 2003, XP, Vista, 7, Server 2008, and Server 2008 R2)
No auth needed
Prerequisites: Network access to the target RDP service · Python environment with required dependencies (e.g., impacket, OpenSSL)
devstral-2 · analyzed Feb 26, 2026

metasploit WORKING POC
by Benjamin Smith · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/elasticsearch_traversal.rb

This Metasploit module exploits a directory traversal vulnerability in ElasticSearch's Snapshot API (CVE-2015-5531) to read arbitrary files with JVM process privileges. It checks for vulnerability and retrieves file contents via crafted HTTP requests.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ElasticSearch (versions affected by CVE-2015-5531)
No auth needed
Prerequisites: Network access to ElasticSearch HTTP API (port 9200 by default) · Snapshot API enabled
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

ElasticSearch <1.6.1 - Local File Inclusion
MEDIUM · by princechaddha
FOFA: index_not_found_exception

References (7)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/536017/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/75935
Vendor Advisory x_refsource_confirm
https://www.elastic.co/community/security/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38383/

Scores

EPSS 0.9203
EPSS Percentile 99.7%

Details

VulnCheck KEV: 2025-05-27
CWE: CWE-22
Status: published
Products (2)
elasticsearch/elasticsearch < 1.6.0
org.elasticsearch/elasticsearch 0 - 1.6.1 (Maven)
Published: Aug 17, 2015
Tracked Since: Feb 18, 2026