
Elasticsearch Exposure Across the EU: A Snapshot from Shodan Data

March 06, 2026

Elasticsearch is a powerful search and analytics engine used in logging platforms, SIEM systems, observability stacks, SaaS applications, and internal search backends.

It was never meant to be wide open to the internet.

Yet visibility data shows tens of thousands of services responding on port 9200 across the 27 EU member states.

This is not a vulnerability scan. It is a snapshot of what is publicly reachable.

Methodology

Scope: 27 European Union member states

AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, PL, PT, RO, SK, SI, ES, SE

Query focus:

  • Services responding on port 9200, typically associated with Elasticsearch.

It is important to note:

  • Not every service on port 9200 is Elasticsearch
  • Some are proxies, dashboards, honeypots, or unrelated HTTP services
  • Fingerprinting is based on Shodan visibility

The results below reflect observable exposure, not confirmed configuration state.


Total Port 9200 Exposure in the EU

Total services responding on port 9200: 42,314

That represents a significant number of systems potentially exposing search backends, logging clusters, or internal data stores directly to the internet.

Country               Instances
-------------------------------
Germany (DE)             13,459
Netherlands (NL)          7,921
France (FR)               7,838
Spain (ES)                1,955
Italy (IT)                1,659
Poland (PL)               1,560
Finland (FI)              1,542
Sweden (SE)               1,466
Czechia (CZ)              1,153
Ireland (IE)                574
Romania (RO)                521
Portugal (PT)               477
Belgium (BE)                362
Austria (AT)                351
Hungary (HU)                304
Bulgaria (BG)               192
Greece (GR)                 174
Denmark (DK)                161
Latvia (LV)                 116
Cyprus (CY)                  95
Lithuania (LT)               94
Croatia (HR)                 76
Slovenia (SI)                75
Slovakia (SK)                72
Estonia (EE)                 66
Luxembourg (LU)              32
Malta (MT)                   19

Germany, the Netherlands, and France account for the majority of visible exposure. This mirrors hosting density and cloud adoption patterns across the EU.


What Is Actually Running on Port 9200?

Fingerprinting results show a diverse ecosystem behind port 9200.

Product                        Instances
----------------------------------------
nginx                              8,613
Elastic                            3,683
Prometheus Node Exporter             557
Elastichoney                         534
Hikvision IP Camera                  166
Microsoft IIS httpd                  133
Jetty                                 97
Plex Media Server                     85
Home Assistant                        61

A few things stand out:

  • Not everything on 9200 is Elasticsearch
  • A significant number are reverse proxies such as nginx
  • Honeypots such as Elastichoney and Glastopf are present
  • Some embedded and IoT devices expose services on this port

This reinforces an important point: port-based analysis gives us visibility, not certainty.


Why Elasticsearch Exposure Matters

Historically, exposed Elasticsearch clusters have led to:

  • Massive data leaks
  • Publicly accessible log archives
  • Personally identifiable information exposure
  • Ransomware campaigns that wiped indices and left ransom notes

Earlier versions of Elasticsearch shipped without authentication enabled by default. Many administrators assumed that network segmentation would protect the cluster.

When that segmentation failed, entire datasets became queryable with a simple HTTP request.

From a Pentester's Perspective

When we encounter an exposed Elasticsearch instance, we immediately test:

  • Is authentication required?
  • Is TLS enforced?
  • Can we enumerate indices?
  • Can we query documents?
  • Can we create or delete indices?
  • Is the version supported?

If the cluster allows unauthenticated access to data, this is typically a Critical finding.

Elasticsearch often contains high-value assets such as API tokens, internal service credentials, user metadata, and security telemetry. Compromise here is a direct path into the rest of the infrastructure.
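The two points above, that a port-9200 responder is not necessarily Elasticsearch and that an Elasticsearch instance is only a critical finding once data is reachable without credentials, can be expressed as a small grading routine. The block below is an added example written for this post, not code from the original article or from Elastic. It works on HTTP responses already captured from your own hosts (status, headers, body), so it runs offline; the sample responses, cluster name, version and index names are constructed, and the severity labels are an assumed scale that follows the post's "unauthenticated data access is Critical" rule.

```python
"""Fingerprint a port-9200 responder and grade its exposure (added example)."""
import json
from dataclasses import dataclass, field
from typing import Optional

# One captured request as (status, headers, body)
Response = tuple[int, dict[str, str], str]


@dataclass
class Assessment:
    product: str                 # elasticsearch | nginx | node_exporter | unknown
    version: Optional[str]
    auth_required: bool
    severity: str                # critical | high | medium | low | info
    notes: list[str] = field(default_factory=list)


def fingerprint(status: int, headers: dict[str, str], body: str):
    """Guess the product behind GET / on port 9200.

    Elasticsearch answers GET / with a JSON document carrying cluster_name and
    version.number; with security enabled it answers 401 with a JSON error body
    whose "status" is 401. Everything else is bucketed by Server header or
    landing page, which is the post's "visibility, not certainty" caveat in code.
    """
    server = {k.lower(): v for k, v in headers.items()}.get("server", "").lower()
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        if "cluster_name" in doc and isinstance(doc.get("version"), dict):
            return "elasticsearch", doc["version"].get("number")
        if doc.get("status") == 401 and "error" in doc:
            return "elasticsearch", None
    if "nginx" in server:
        return "nginx", None
    if "Node Exporter" in body:          # node_exporter's HTML landing page
        return "node_exporter", None
    return "unknown", None


def assess(responses: dict[str, Response], scheme: str = "http") -> Assessment:
    """Grade exposure from GET / and, optionally, GET /_cat/indices?format=json.

    responses maps request path -> (status, headers, body). The checks mirror the
    post: is it Elasticsearch, is authentication required, is TLS in use, and can
    indices be enumerated without credentials.
    """
    status, headers, body = responses["/"]
    product, version = fingerprint(status, headers, body)
    notes: list[str] = []
    if product != "elasticsearch":
        notes.append("not Elasticsearch: port 9200 alone proves nothing about data exposure")
        return Assessment(product, version, False, "info", notes)
    if scheme != "https":
        notes.append("plaintext HTTP: credentials and documents cross the wire unencrypted")
    if status == 401:
        notes.append("authentication enforced on the REST API")
        # Reachable, but gated; whether the channel is encrypted decides the grade.
        return Assessment(product, version, True, "low" if scheme == "https" else "medium", notes)
    notes.append("cluster metadata readable without credentials")
    severity = "high"
    indices = responses.get("/_cat/indices?format=json")
    if indices is not None and indices[0] == 200:
        try:
            listing = json.loads(indices[2])
        except ValueError:
            listing = None
        if isinstance(listing, list):
            notes.append(f"{len(listing)} indices enumerable without credentials")
            severity = "critical"        # the post's threshold: unauthenticated data access
    return Assessment(product, version, False, severity, notes)


# Constructed sample responses (not real hosts)
OPEN_ROOT = json.dumps({"name": "node-1", "cluster_name": "logs-prod",
                        "version": {"number": "7.10.2"}, "tagline": "You Know, for Search"})
OPEN_INDICES = json.dumps([{"index": "app-logs-2026.03", "docs.count": "184223"},
                           {"index": "users", "docs.count": "9120"}])
SECURED_ROOT = json.dumps({"error": {"type": "security_exception",
                                     "reason": "missing authentication credentials for REST request [/]"},
                           "status": 401})
NGINX_ROOT = "<html><head><title>404 Not Found</title></head><body>nginx</body></html>"
NODE_EXPORTER_ROOT = "<html><head><title>Node Exporter</title></head><body></body></html>"
JSON_HDR = {"content-type": "application/json"}

SAMPLES = {
    "open_cluster": ({"/": (200, JSON_HDR, OPEN_ROOT),
                      "/_cat/indices?format=json": (200, JSON_HDR, OPEN_INDICES)}, "http"),
    "secured_cluster": ({"/": (401, {"www-authenticate": 'Basic realm="security"'}, SECURED_ROOT)}, "https"),
    "nginx": ({"/": (404, {"server": "nginx/1.18.0"}, NGINX_ROOT)}, "http"),
    "node_exporter": ({"/": (200, {}, NODE_EXPORTER_ROOT)}, "http"),
}


def run_samples() -> dict[str, Assessment]:
    return {name: assess(resps, scheme) for name, (resps, scheme) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:16} {result.product:14} {result.severity:9} {'; '.join(result.notes)}")
```

Feeding the routine responses collected from an internal inventory scan, rather than from Shodan banners, is what turns "services responding on 9200" into a list of clusters that actually need the checklist below.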

Elasticsearch Hardening Checklist

1. Do Not Expose It Directly

  • Place Elasticsearch in a private subnet
  • Restrict access to internal services
  • Access via VPN or bastion host only

2. Enable Authentication

  • Enable xpack security
  • Require authentication for all API calls
  • Disable anonymous access

3. Enforce TLS Everywhere

  • Enable HTTPS and use valid certificates
  • Disable plaintext HTTP access

4. Restrict Network Access

  • Allow inbound traffic only from known IP ranges
  • Use firewall allowlists
  • Block global access

5. Disable Dangerous APIs

  • Restrict index deletion permissions
  • Disable scripting if not required
  • Limit snapshot repository access

6. Keep It Updated

  • Run supported Elastic versions
  • Patch known CVEs promptly
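Most of the checklist items that live in configuration (items 1 to 5) can be verified mechanically before a node is deployed. The block below is an added example written for this post, not code from the original article or from Elastic. The setting names are real elasticsearch.yml options; the fail/warn/info levels and the two sample configurations (a weak one and its hardened counterpart) are constructed for illustration, and the parser assumes the flat "dotted.key: value" layout elasticsearch.yml normally uses.

```python
"""Lint an elasticsearch.yml against the hardening checklist (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    key: str
    level: str      # fail | warn | info
    message: str


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse flat 'dotted.key: value' lines; skips comments, drops quotes.

    Assumption: the file uses the flat style, not nested YAML blocks.
    """
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip().strip("'\"")
    return cfg


def lint(text: str) -> list[Finding]:
    cfg = parse_flat_yaml(text)
    out: list[Finding] = []

    def expect_true(key: str, what: str) -> None:
        """Explicit false is a fail; absent is a warn because defaults vary by version."""
        value = cfg.get(key, "").lower()
        if value == "false":
            out.append(Finding(key, "fail", f"{what} explicitly disabled"))
        elif value != "true":
            out.append(Finding(key, "warn", f"{what} not set explicitly (default is version dependent)"))

    # 1 and 4: do not bind every interface
    host = cfg.get("network.host", "")
    if host in ("0.0.0.0", "::", "_global_"):
        out.append(Finding("network.host", "fail", f"binds {host}: reachable on every interface"))

    # 2: authentication, and no anonymous role mapping
    expect_true("xpack.security.enabled", "X-Pack security")
    roles = cfg.get("xpack.security.authc.anonymous.roles")
    if roles:
        out.append(Finding("xpack.security.authc.anonymous.roles", "fail",
                           f"anonymous requests mapped to roles: {roles}"))

    # 3: TLS on the REST layer and between nodes
    expect_true("xpack.security.http.ssl.enabled", "HTTPS on the REST layer")
    expect_true("xpack.security.transport.ssl.enabled", "TLS between nodes")

    # 5: dangerous APIs
    if cfg.get("action.destructive_requires_name", "").lower() == "false":
        out.append(Finding("action.destructive_requires_name", "fail",
                           "wildcard and _all index deletion allowed"))
    script = cfg.get("script.allowed_types", "")
    if script.lower() != "none":
        out.append(Finding("script.allowed_types", "info",
                           f"scripting allowed ({script or 'default'}); set to none if unused"))
    return out


# Constructed sample configurations
WEAK_CONFIG = """
cluster.name: logs-prod
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
xpack.security.http.ssl.enabled: false
xpack.security.authc.anonymous.roles: superuser
action.destructive_requires_name: false
"""

HARDENED_CONFIG = """
cluster.name: logs-prod
network.host: 10.20.0.15          # private subnet address only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
action.destructive_requires_name: true
script.allowed_types: stored
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in lint(text):
            print(f"  [{f.level}] {f.key}: {f.message}")
```

Running the linter in the deployment pipeline catches the cases the post describes, a cluster bound to every interface with security switched off, before segmentation is the only thing standing between the indices and the internet.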

Final Thoughts

42,314 services responding on port 9200 across the EU is not a small footprint. Elasticsearch is a powerful and flexible system. It is secure when properly configured.

The risk appears when it is directly reachable from the internet, authentication is missing, or versions remain unpatched.