Port 9200 – Elasticsearch

Service:

elasticsearch

Protocol:

TCP

Port:

9200

Used for:

Search and analytics engine

Why It’s Open

Used in ELK stacks, logging pipelines and dev environments for full-text search and analytics. Versions before 2.0 bound to every interface by default, and until 8.0 authentication was not enabled out of the box, so a reachable instance was usually also fully readable and writable over plain HTTP.

Common Risks

  • No authentication by default (before 8.0): anyone who can reach the port has the full REST API
  • Data exfiltration: every index can be dumped through _search and the scroll API
  • Cluster manipulation or wipe: a single DELETE request removes an index, and mappings and settings can be rewritten


Enumeration & Testing

Check if it’s open

nmap -p 9200 -sV <target>

Service detection usually reports the banner as "Elasticsearch REST API" and, on older builds, the version.

Curl check

curl http://<target>:9200/
curl http://<target>:9200/_cat/indices?v
curl 'http://<target>:9200/_search?q=*'

The root endpoint returns the cluster name and exact version; _cat/indices lists every index with document counts and on-disk size; _search with q=* returns the first ten documents across all indices (quote the URL so the shell does not expand the asterisk). A 200 with data on any of these means the cluster is unauthenticated; a 401 or 403 means security is enabled and credentials or an API key are needed to go further.

What to Look For

Checkpoint              What it means
Full access via HTTP    No authentication; anyone who can reach the port can read and write data
Exposed indices         Index names, document counts and the documents themselves are readable (data leak)

Known Exploits

  1. CVE-2015-3337: directory traversal in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2 when a site plugin is enabled, letting a remote attacker read arbitrary files from the server.

     NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-3337

  2. CVE-2014-3120: the default configuration of Elasticsearch before 1.2.0 enables dynamic scripting, so a remote attacker can execute arbitrary MVEL expressions and Java code via the source parameter of _search.

     NVD: https://nvd.nist.gov/vuln/detail/CVE-2014-3120
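The following script is an added example for the enumeration steps and the version-based checks above; it is not PentestPad's tooling and not code from Elastic. It fetches the root endpoint and _cat/indices with the standard library, then maps the replies onto the checkpoints in the table: whether access is unauthenticated, which version is advertised, whether that version falls in the NVD ranges of the two CVEs listed (a version comparison only, no exploitation), and which indices look sensitive. The sample replies are constructed to look like a 1.4.x cluster's output; the host in the probe() docstring is an assumption.

```python
"""Added example (not from the page, PentestPad or Elastic): enumerate an
Elasticsearch HTTP endpoint and turn the replies into findings.
Only the standard library is used; sample replies below are constructed."""
import json
import re
import urllib.error
import urllib.request


def fetch(base, path, timeout=5):
    """GET base+path and return (status, body). 401/403 mean auth is enforced."""
    try:
        with urllib.request.urlopen(base + path, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def parse_version(root_body):
    """Pull version.number out of the JSON the root endpoint returns."""
    try:
        return json.loads(root_body)["version"]["number"]
    except (ValueError, KeyError, TypeError):
        return None


def vtuple(version):
    """'1.4.2' -> (1, 4, 2); None when the string is not a dotted version."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def known_cves(version):
    """Flag the two CVEs listed on this page from the advertised version.
    The ranges are the NVD ones; nothing here touches the target."""
    v = vtuple(version)
    if v is None:
        return []
    hits = []
    if v < (1, 2, 0):
        hits.append("CVE-2014-3120")  # dynamic scripting on by default
    if v < (1, 4, 5) or (1, 5, 0) <= v < (1, 5, 2):
        hits.append("CVE-2015-3337")  # site-plugin directory traversal
    return hits


# Index-name heuristic (my choice of keywords) for the "Exposed indices" checkpoint.
SENSITIVE = re.compile(r"user|customer|patient|account|cred|token|mail|ssn", re.I)


def parse_cat_indices(text):
    """Parse `_cat/indices?v` output: a header line, then one row per index.
    Column names come from the header, so old and new column sets both work."""
    lines = [l for l in text.splitlines() if l.strip()]
    cols = lines[0].split()
    return [dict(zip(cols, line.split())) for line in lines[1:]]


def assess(root_status, root_body, cat_status, cat_text):
    """Map raw replies onto the 'What to look for' checkpoints."""
    findings = []
    if root_status in (401, 403):
        findings.append("auth enforced (HTTP %d); enumerate with credentials only" % root_status)
        return findings
    if root_status == 200:
        findings.append("unauthenticated access to the REST API")
        ver = parse_version(root_body)
        if ver:
            findings.append("version %s" % ver)
            for cve in known_cves(ver):
                findings.append("version in range for %s" % cve)
    if cat_status == 200:
        for row in parse_cat_indices(cat_text):
            name = row.get("index", "?")
            note = "index %s: %s docs, %s" % (name, row.get("docs.count"), row.get("store.size"))
            if SENSITIVE.search(name):
                note += " (name suggests sensitive data)"
            findings.append(note)
    return findings


def probe(base):
    """Live check, e.g. probe('http://10.0.0.5:9200') (host is an assumption)."""
    rs, rb = fetch(base, "/")
    cs, cb = fetch(base, "/_cat/indices?v")
    return assess(rs, rb, cs, cb)


# Constructed sample replies, shaped like a real 1.4.x cluster's output.
SAMPLE_ROOT = json.dumps({"status": 200, "name": "node-1",
                          "version": {"number": "1.4.2", "lucene_version": "4.10.2"},
                          "tagline": "You Know, for Search"})
SAMPLE_CAT = """health status index      pri rep docs.count docs.deleted store.size pri.store.size
green  open   customers    5   1      48213            0     91.2mb         45.6mb
yellow open   logs-2024    5   1    1203344          120      2.1gb          1.0gb
"""

if __name__ == "__main__":
    for finding in assess(200, SAMPLE_ROOT, 200, SAMPLE_CAT):
        print(finding)
```

Run it as-is to see the findings for the constructed sample, or call probe() with a base URL during an engagement. Authentication is detected from the status code, so the script stops at the first 401/403 rather than hammering a secured cluster.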

Mitigation

  • Enable the built-in security features (xpack.security.enabled: true, the default since 8.0) or put the HTTP API behind an authenticating reverse proxy.
  • Require authentication on every request and enable TLS on both the HTTP layer (9200) and the transport layer (9300).
  • Bind network.host to an internal address and firewall 9200 and 9300 so only application servers, Kibana and the other nodes can reach the cluster.
  • Keep the cluster patched: the code-execution and traversal bugs above were fixed in 2014 and 2015 releases.
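As an added example of the settings behind these mitigations (not code from the page or from Elastic), the script below audits an elasticsearch.yml for the weak values and shows a weak configuration next to a hardened one. The setting names are real 7.x/8.x keys; the two configs, the keystore paths and the severity labels are my own constructions. Nested YAML is not handled, only the flat dotted "key: value" lines these files are normally written with.

```python
"""Added example (not from the page or from Elastic): audit an elasticsearch.yml
for the settings the mitigations above depend on. Configs below are constructed."""


def parse_es_yml(text):
    """Minimal parser for flat 'key: value' lines; strips comments and quotes,
    and turns '[a, b]' into a list. Nested YAML blocks are out of scope."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, val = line.split(":", 1)
        val = val.strip().strip("\"'")
        if val.startswith("[") and val.endswith("]"):
            val = [x.strip().strip("\"'") for x in val[1:-1].split(",") if x.strip()]
        cfg[key.strip()] = val
    return cfg


def is_public_bind(host):
    """network.host values that put the API on every interface."""
    hosts = host if isinstance(host, list) else [host]
    return any(h in ("0.0.0.0", "::", "_global_") for h in hosts)


def audit(cfg):
    """Return a list of (severity, message) for weak settings; [] when clean."""
    issues = []
    sec = cfg.get("xpack.security.enabled")
    if sec is None:
        issues.append(("medium", "xpack.security.enabled not set: off by default before 8.0"))
    elif str(sec).lower() == "false":
        issues.append(("high", "xpack.security.enabled is false: no authentication on 9200"))
    if str(cfg.get("xpack.security.http.ssl.enabled", "false")).lower() != "true":
        issues.append(("medium", "HTTP API (9200) served without TLS"))
    if str(cfg.get("xpack.security.transport.ssl.enabled", "false")).lower() != "true":
        issues.append(("medium", "transport layer (9300) without TLS"))
    host = cfg.get("network.host", "_local_")
    if is_public_bind(host):
        issues.append(("medium", "network.host %s binds the API on every interface; needs auth and a firewall" % host))
    if str(cfg.get("action.destructive_requires_name", "true")).lower() == "false":
        issues.append(("medium", "wildcard index deletion (e.g. DELETE /_all) is allowed"))
    return issues


# Constructed: the kind of config behind most exposed clusters.
WEAK = """
cluster.name: prod-search
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed: the same cluster with the mitigations applied (keystore paths assumed).
HARDENED = """
cluster.name: prod-search
network.host: 10.0.1.20            # internal interface only; firewall 9200/9300 too
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.verification_mode: certificate
action.destructive_requires_name: true
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(parse_es_yml(text)) or "no issues")
```

Point parse_es_yml at a real file's contents to review a deployment; a clean result still assumes the firewall rule and the reverse proxy, if any, are in place, since neither is visible from this file.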

Real-World Example

Tens of thousands of open Elasticsearch clusters have leaked PII, medical records, and more due to default settings.

TL;DR

  • Service: Elasticsearch (Search engine)
  • Default Port: 9200
  • Risks: Remote code execution, data leakage
  • Mitigation: Restrict access, enable authentication, keep software updated