17.03.2021 Mining Botnet Spreads Via 2015 Vulnerabilities in ElasticSearch and Jenkins

by Elena Lapina

Security researchers report on a malicious campaign spreading via 6-year old remote command execution (RCE) vulnerabilities in ElasticSearch and Jenkins.


  • The first flaw, tracked as CVE-2015-1427, is an RCE in Groovy scripting engine affecting ElasticSearch before 1.3.8 and 1.4.x before 1.4.3.
  • The second flaw is a Jenkins script console RCE vulnerability. The CVE was misidentified in the campaign report, but is likely a CVE-2015-8103┬áin Jenkins before 1.638 and LTS before 1.625.2.
  • Groovy, a scripting language used by default in Elasticsearch versions prior to 2.x and multiple Jenkins versions, enables dynamic scripting which makes default installations in older versions unsecure.

Why it’s important

  • Threat actors often take advantage of open-source installation used in victim environment as these tools often get overlooked by IT teams and often stay unpatched.
  • Use the latest version of ElasticSearch and Jenkins and follow vendor best practices for securely configuring your installations.
  • Ensure your ElasticSearch and Jenkins are not default installations and do not allow users to access the data over the internet.


References ElasticSearch, Jenkins, NetLab360


Request Demo

Fill out the form and we will send you details about our demo.