CVE-2014-3120
Published 2014-07-28
Priority: P189 · high · 8.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 88.56% (99.8th percentile)
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | < 1.2.0 | 1.2.0 |
Detection & IOCs (extracted from sources)
Snort rules: 33830, 36256, 44690
- Exploit payloads use java.lang.Runtime.exec() via script_fields to invoke wget and download shell scripts to /tmp; this is detectable by inspecting POST bodies to /_search for Runtime.exec patterns.
- Malware payloads delivered via CVE-2014-3120 include variants of the Bill Gates DDoS malware and Spike trojan variants (x86, MIPS, ARM); ClamAV detects hosted files as Spike trojan variants.
- Attackers use 'whoami' and 'id' commands via the exploit for server fingerprinting; monitor Elasticsearch logs for these OS command strings in script execution contexts.
- Persistence is achieved by installing shell scripts as cron jobs; monitor crontab modifications on systems running Elasticsearch.
- The attacker's RSA key is placed in the authorized_keys file; monitor for unauthorized modifications to ~/.ssh/authorized_keys on Elasticsearch hosts.
- Delivered ELF payloads are UPX-packed; scan for UPX-packed ELF binaries dropped in /tmp or other world-writable directories on Elasticsearch hosts.
- Use Snort rules 33830, 36256, and 44690 to detect CVE-2014-3120 exploitation attempts in network traffic.
- CVE-2014-3120 only affects Elasticsearch versions prior to 1.2, where dynamic scripting is enabled by default. Systems running Elasticsearch 1.2+ or with scripting disabled are not vulnerable.
- The vulnerability only violates the vendor's intended security policy if Elasticsearch is not run in its own independent virtual machine.
- Active exploitation has been observed only against Elasticsearch versions 1.4.2 and lower; clusters running modern versions are unaffected.
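The Suricata rule and the detection notes above key on a few request-level tokens (a `_search` request, a `source=` parameter or body carrying `script_fields`, an `import` of `java.*`, a `Runtime`/`exec` reference). The following Python inspector, an added example that is not code from this page or from Elastic, applies those tokens to constructed sample requests in both the URL-parameter and POST-body form, so a defender can see which requests it flags and which it leaves alone.

```python
"""Inspector for the CVE-2014-3120 request pattern (added example, not page code).
It keys on the tokens the Suricata rule and detection notes above use: a _search
request whose body or `source=` URL parameter carries a script_fields script that
imports java.* or reaches Runtime/exec.  Sample requests below are constructed."""
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

SCRIPT_KEYS = ("script_fields", "script")
# Java class access or process execution inside what should be a query DSL document.
SUSPICIOUS = re.compile(r"\bimport\s+java\.|\bjava\.lang\.|\bRuntime\b|\.exec\s*\(")

def _script_strings(val):
    """A script value may be a bare string or nested {"script": ...} objects."""
    if isinstance(val, str):
        yield val
    elif isinstance(val, dict):
        for inner in val.values():
            yield from _script_strings(inner)
    elif isinstance(val, list):
        for inner in val:
            yield from _script_strings(inner)

def _iter_scripts(node):
    """Walk the request document and yield every script string it carries."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key in SCRIPT_KEYS:
                yield from _script_strings(val)
            else:
                yield from _iter_scripts(val)
    elif isinstance(node, list):
        for item in node:
            yield from _iter_scripts(item)

def inspect_request(url, body=""):
    """Return findings for one request to Elasticsearch; an empty list means clean."""
    parts = urlsplit(url)
    if "_search" not in parts.path.split("/"):
        return []
    # The query may travel in the `source=` parameter as well as in the POST body.
    candidates = parse_qs(parts.query).get("source", []) + ([body] if body else [])
    findings = []
    for raw in candidates:
        try:
            doc = json.loads(raw)
        except ValueError:
            # Malformed JSON still gets a raw-text check so a broken payload is not missed.
            if SUSPICIOUS.search(raw):
                findings.append("non-JSON _search payload with Java/Runtime tokens")
            continue
        for script in _iter_scripts(doc):
            if SUSPICIOUS.search(script):
                findings.append("dynamic script reaches Java: " + script[:50])
    return findings

def scan_samples():
    """Run the inspector over constructed sample requests; returns {name: finding count}."""
    scripted = {"size": 1, "query": {"filtered": {"query": {"match_all": {}}}},
                "script_fields": {"f": {"script": "import java.io.*;\nnew File(\"/tmp\").exists()"}}}
    in_url = {"script_fields": {"f": {"script": "import java.lang.*; Runtime.getRuntime()"}}}
    samples = {
        "plain_query": ("/_search", json.dumps({"query": {"match_all": {}}})),
        "script_fields_body": ("/_search", json.dumps(scripted)),
        "source_param": ("/_search?source=" + quote(json.dumps(in_url)), ""),
        "not_search": ("/_cluster/health", json.dumps(scripted)),
    }
    return {name: len(inspect_request(url, body)) for name, (url, body) in samples.items()}
```

Run it against decoded HTTP logs or a reverse-proxy access log that retains request bodies; on 1.2+ clusters with dynamic scripting disabled the same hits still indicate probing worth triaging.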
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | | 8.1 | HIGH | |
| cisa | | 8.1 | HIGH | |
| vendor_redhat | | 8.1 | HIGH | |
GHSA
ghsa·2022-05-17
CVE-2014-3120 [HIGH] CWE-284 Elasticsearch Improper Access Control vulnerability
The default configuration in Elasticsearch before 1.4.0.Beta1 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
OSV
osv·2022-05-17
CVE-2014-3120 [HIGH] Elasticsearch Improper Access Control vulnerability
The default configuration in Elasticsearch before 1.4.0.Beta1 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
VulnCheck
vulncheck·2014·CVSS 8.1
CVE-2014-3120 [HIGH] CWE-284 Elasticsearch Remote Code Execution Vulnerability
Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code.
Affected: Elastic Elasticsearch
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-29&host_type=src&vulnerability=cve-2014-3120; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-07&host_type=src&vulnerability=cve-2014-3120; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-17&host_type=src&vulnerability=cve-2014-3120; https://dashboard.shadowserv
CISA
cisa·2022-03-25·CVSS 8.1
CVE-2014-3120 [HIGH] CWE-284 Elasticsearch Remote Code Execution Vulnerability
Affected: Elastic Elasticsearch
Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-3120
Remediation Due Date: 2022-04-15
Red Hat
vendor_redhat·2013-12-09·CVSS 8.1
CVE-2014-3120 [HIGH] CWE-749 elasticsearch: remote code execution flaw via dynamic scripting
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search.
Statement: On Subscription Asset Manager (SAM) 1, the elasticsearch service is only bound to the loopback interface by default. To exploit this issue on a SAM 1 system, an att
Suricata
suricata·2014-05-21·CVSS 8.1
CVE-2014-3120 [HIGH] ET WEB_SERVER Possible CVE-2014-3120 Elastic Search Remote Code Execution Attempt
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2014-3120 Elastic Search Remote Code Execution Attempt"; flow:established,to_server; http.uri; content:"search"; nocase; content:"source="; nocase; distance:0; content:"script_fields"; nocase; distance:0; content:"import"; distance:0; nocase; content:"java."; nocase; distance:0; reference:url,bouk.co/blog/elasticsearch-rce/; classtype:attempted-admin; sid:2018495; rev:4; metadata:created_at 2014_05_21, cve CVE_2014_3120, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_techni
```
Exploit-DB
exploitdb·2014-05-30
CVE-2014-3120 ElasticSearch Dynamic Script - Arbitrary Java Execution (Metasploit)
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'ElasticSearch Dynamic Script Arbitrary Java Execution',
  'Description' => %q{
    This module exploits a remote command execution vulnerability in ElasticSearch,
    exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the
    REST API, which requires no authentication or authorization, where the search
    function allows dynamic scripts execution, and can be used for remote attackers
    to execute arbitrary Java code. This module has been tested successfully on
    ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.
  },
  'Author' =>
```
Exploit-DB
exploitdb·2014-05-15·CVSS 8.1
CVE-2014-3120 [HIGH] ElasticSearch - Remote Code Execution
```css
body {
  padding-top: 50px;
}
.starter-template {
  padding: 40px 15px;
  text-align: center;
}
```
```javascript
function es_inject() {
  var read_file;
  var write_file;
  read_file = function(filename) {
    return ("import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"" + filename + "\")).useDelimiter(\"\\\\Z\").next();");
  };
  write_file = function(filename) {
    return ("import java.util.*;\nimport java.io.*;\nPrintWriter writer = new PrintWriter(new BufferedWriter(new FileWriter(\"" + filename + "\", true)));\nwriter.println(\"" + document.getElementById("element_2").value + "\");\nwriter.close();");
  };
  $(function() {
    var payload, filename, files, host, _i, _len;
    files = [document.getElementById("element_3").value];
    payload = {
      "size": 1,
      "query": {
        "filtered":
```
Nuclei
nuclei·CVSS 4.0
CVE-2013-5528 [MEDIUM] Cisco Unified Communications Manager 7/8/9 - Directory Traversal
A directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal sequences in an unspecified input string, aka Bug ID CSCui78815
Template:
```yaml
id: CVE-2013-5528
info:
  name: Cisco Unified Communications Manager 7/8/9 - Directory Traversal
  author: daffainfo
  severity: medium
  description: A directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal sequences in an unspecified input string, aka Bug ID CSCui78815
  impact: |
    Successful exploitation of this vulner
```
Metasploit
metasploit
ElasticSearch Dynamic Script Arbitrary Java Execution
This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the REST API, which does not require authentication, where the search function allows dynamic scripts execution. It can be used for remote attackers to execute arbitrary Java code. This module has been tested successfully on ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.
Nuclei
nuclei·CVSS 8.1
CVE-2014-3120 [HIGH] ElasticSearch v1.1.1/1.2 RCE
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. Be aware this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
Template:
```yaml
id: CVE-2014-3120
info:
  name: ElasticSearch v1.1.1/1.2 RCE
  author: pikpikcu
  severity: medium
  description: |
    The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. Be aware this only violates the vendor's intended security policy if the user does not run Elasticsearch
```
Greynoiseio
blogs_greynoiseio·2025-05-27
Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
Unit42
blogs_unit42·2021-02-17
WatchDog: Exposing a Cryptojacking Campaign That’s Operated for Two Years
## Executive Summary
Unit 42 researchers are exposing one of the largest and longest-lasting Monero cryptojacking operations known to exist. The operation is called WatchDog, taken from the name of a Linux daemon called watchdogd. The WatchDog mining operation has been running since Jan. 27, 2019, and has collected at least 209 Monero (XMR), valued to be around $32,056 USD. Researchers have determined that at least 476 compromised systems, composed primarily of Windows and NIX cloud instances, have been performing mining operations at any one time for over two years.
Cryptojacking is the process of performing cryptomining operations on systems which are not owned and maintained by the mining operators. Malicious cryptojacking operations are currently estimated to affect 23% of cloud envi
Unit42
blogs_unit42·2021-02-17
WatchDog: Exposing a Cryptojacking Campaign That’s Operated for Two Years
Nathaniel Quist
Published: February 17, 2021
Talos
blogs_talos·2019-02-26·CVSS 8.1
[HIGH] Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters
Christopher Evans of Cisco Talos conducted the research for this post.
## EXECUTIVE SUMMARY
Cisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. Because Elasticsearch is typically used to ma
Tenable
blogs_tenable·2018-12-13·CVSS 8.1
CVE-2014-3120 [HIGH] Patched Elasticsearch Vulnerabilities Used to Spread Cryptocurrency Miner (CVE-2014-3120, CVE-2015-1427)
Satnam Narang
December 13, 2018
Attackers are actively scanning for vulnerable Elasticsearch systems in order to implant cryptocurrency mining scripts.
### Background
In recent weeks, attackers have been observed scanning for vulnerabilities in Elasticsearch, a distributed, RESTful search and analytics engine. According to research from Trend Micro, the attackers are targeting unpatched Elasticsearch systems using vulnerabilities from 2014 and 2015 to break into systems in order to implant cryptocurrency mining (also known as “coinminer”) scripts. These scripts are designed to hijack a system’s computing resources in a race to s
Greynoiseio
blogs_greynoiseio
NoiseLetter April 2025
Bugzilla
bugzilla·2015-02-12·CVSS 8.1
CVE-2015-1427 [HIGH] elasticsearch: remote code execution via Groovy sandbox bypass
It was reported that Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.
Upstream bug report:
https://github.com/elasticsearch/elasticsearch/issues/9655
Upstream fixes:
1.3: https://github.com/elasticsearch/elasticsearch/commit/69735b0f4ab9ad7df4b82e8c917589b52cb9978c
1.4: https://github.com/elasticsearch/elasticsearch/commit/4e952b2d75de6ca4caf4b6743462714f3b60d07f
1.x: https://github.com/elasticsearch/elasticsearch/commit/716f0b24dc5414616e8dc0590dbfcfa0081be892
Mitigation:
Users can address the v
Bugzilla
bugzilla·2014-07-29·CVSS 8.1
CVE-2014-3120 [HIGH] elasticsearch: remote code execution flaw via dynamic scripting
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3120 to
the following vulnerability:
Name: CVE-2014-3120
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120
Assigned: 20140429
Reference: EXPLOIT-DB:33370
Reference: http://www.exploit-db.com/exploits/33370
Reference: http://bouk.co/blog/elasticsearch-rce/
Reference: http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce
Reference: https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch
Reference: http://www.securityfocus.com/bid/67731
Reference: OSVDB:106949
Reference: http://www.osvdb.org/106949
The default configuration in Elasticsearch before 1.2 enables
arXiv
arxiv_fulltext·2024-06-12
PTHelper: An open source tool to support the Penetration Testing process
## Abstract
Offensive security is one of the state of the art measures to protect enterprises and organizations. Penetration testing, broadly called pentesting, is a branch of offensive security designed to find, rate and exploit these vulnerabilities, in order to assess the security posture of an organization. This process is often time-consuming and the quantity of information that pentesters need to manage might also be difficult to handle. This project takes a practical approach to solve the automation of pentesting and proposes a usable tool, called PTHelper. This open-source tool has been designed in a modular way to be easily upgradable by the pentesting community, and uses state of the art tools and artificial intelligence to achieve its objective.
Offensive security penetration
References
- http://bouk.co/blog/elasticsearch-rce/
- http://www.exploit-db.com/exploits/33370
- http://www.osvdb.org/106949
- http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce
- http://www.securityfocus.com/bid/67731
- https://www.elastic.co/blog/logstash-1-4-3-released
- https://www.elastic.co/community/security/
- https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-3120
Timeline
- 2014-07-28: published
- 2022-03-25: added to CISA KEV
- Exploited in the wild