The default dynamic script feature of Elasticsearch cannot properly filter inputs submitted by users. Attackers can exploit this vulnerability to submit a specially crafted HTTP request and run arbitrary code with root privileges.
Attackers can use root privileges to run arbitrary commands, upload the Trojan program, and take control of the server.
How to fix
Upgrade Elasticsearch to the latest version.