Cyber Resilience

CVE-2015-1427

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 17 February 2015
Modified: 22 April 2026
KEV Added: 25 March 2022
Patch
CVSS Score (v3.1): 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9233 (99.7th percentile)
Risk Priority: 95 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2015-1427 is a critical-severity vulnerability of unspecified weakness type (no CWE assigned in this record) in Elastic Elasticsearch. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a sandbox escape in the Groovy scripting engine used by Elasticsearch. It affects all versions prior to 1.3.8 and the 1.4.x line prior to 1.4.3, allowing a crafted script to bypass the intended protection mechanism and execute arbitrary shell commands on the underlying operating system. The issue carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector that requires no privileges and no user interaction.

Remote, unauthenticated attackers can submit malicious Groovy scripts through Elasticsearch’s search or scripting APIs. Successful exploitation grants the attacker the ability to run operating-system commands with the privileges of the Elasticsearch process, resulting in full confidentiality, integrity, and availability impact on the affected node and potentially the cluster.

The official Elasticsearch announcement for versions 1.3.8 and 1.4.3 states that the releases address the Groovy sandbox bypass. Public exploit code demonstrating unauthenticated remote command execution against the vulnerable versions has been published on Packet Storm and discussed in SecurityFocus archives, confirming that the flaw was weaponized shortly after disclosure.

EU & UK References

Vulnerability details

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

CWE(s): none listed
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

elastic / elasticsearch: ≤ 1.3.8 · 1.4.0 — 1.4.3
redhat / fuse: 1.0.0

Mitigating Controls (NIST 800-53 r5) AI

SI-2 Flaw Remediation
prevent

Directly requires applying the vendor patch that closes the Groovy sandbox bypass in Elasticsearch 1.3.8/1.4.3.

CM-7 Least Functionality
prevent

Requires disabling or restricting the Groovy scripting engine feature that the CVE exploits to achieve remote code execution.

SC-18 Mobile Code partial match
prevent

Mandates authorization and control of mobile code (Groovy scripts) submitted through the search/scripting APIs.
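
The version ranges from the analysis above and the two preventive controls (patch to 1.3.8/1.4.3, or switch dynamic Groovy off) can be turned into an inventory check. The following is an added example written for this record; it is not code from the original page or from Elastic. It classifies each node as patched, mitigated or vulnerable from the version it reports and its script settings. The setting names it inspects (script.disable_dynamic, whose default 'sandbox' still allows sandboxed Groovy, and script.groovy.sandbox.enabled on the 1.4 line) are assumptions taken from the 1.x configuration reference, so verify them against the reference for the exact version you run; the node inventory is constructed sample data.

```python
# Added example (not code from the original record or from Elastic): classify
# Elasticsearch 1.x nodes for CVE-2015-1427 from their version and script settings.
# Setting names are assumptions from the 1.x configuration reference; verify them.
from typing import Any

# Fixed versions named in the advisory: 1.3.8 for the 1.3 line, 1.4.3 for 1.4.x.
FIXED_1_3 = (1, 3, 8)
FIXED_1_4 = (1, 4, 3)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '1.4.2' or '1.4.3-beta1' into a comparable (major, minor, patch) tuple."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def version_affected(version: str) -> bool:
    """True for the ranges in the advisory: before 1.3.8, or 1.4.x before 1.4.3."""
    v = parse_version(version)
    if v[:2] == (1, 4):
        return v < FIXED_1_4
    return v < FIXED_1_3


def _as_flag(value: Any) -> str:
    """Settings arrive as YAML booleans or strings; normalise to a lowercase word."""
    return str(value).strip().lower()


def dynamic_groovy_disabled(settings: dict) -> bool:
    """Assumed 1.x controls: script.disable_dynamic 'true' switches off all dynamic
    scripts; 'false' switches them all on (not mitigated); the default 'sandbox'
    allows only sandboxed Groovy, which is the path this CVE escapes, so on the
    1.4 line script.groovy.sandbox.enabled 'false' is what removes it."""
    disable_dynamic = settings.get("script.disable_dynamic")
    if disable_dynamic is not None:
        flag = _as_flag(disable_dynamic)
        if flag == "true":
            return True
        if flag == "false":
            return False
    sandbox = settings.get("script.groovy.sandbox.enabled")
    return sandbox is not None and _as_flag(sandbox) == "false"


def classify(version: str, settings: dict) -> str:
    """'patched' (outside the affected ranges), 'mitigated' (affected version but
    dynamic Groovy off) or 'vulnerable'."""
    if not version_affected(version):
        return "patched"
    if dynamic_groovy_disabled(settings):
        return "mitigated"
    return "vulnerable"


def audit(nodes: list[dict]) -> dict[str, str]:
    """Map node name to classification for a list of {name, version, settings}."""
    return {n["name"]: classify(n["version"], n.get("settings", {})) for n in nodes}


# Constructed sample inventory (not real cluster data).
SAMPLE_NODES = [
    {"name": "es-01", "version": "1.4.2", "settings": {}},
    {"name": "es-02", "version": "1.4.3", "settings": {}},
    {"name": "es-03", "version": "1.3.7", "settings": {"script.disable_dynamic": "true"}},
    {"name": "es-04", "version": "1.4.1",
     "settings": {"script.disable_dynamic": "false", "script.groovy.sandbox.enabled": "false"}},
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_NODES).items():
        print(f"{name}: {status}")
```

Feed it the version and effective settings of each node (for example, collected from the cluster's node info endpoint) and treat any 'vulnerable' result as a patch or configuration action; 'mitigated' nodes still carry the flawed engine and should be scheduled for the 1.3.8/1.4.3 upgrade.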

References