rce
Safeguard articles tagged "rce" — guides, analysis, and best practices for software supply chain and application security.
80 articles
Inside the Qinglong Scheduler RCE: How Two Auth Bugs Became a Cryptomining Campaign
Two chainable auth-bypass bugs in the Qinglong task scheduler let attackers skip login entirely and mine crypto on victim CPUs — in the wild before a patch existed.
Why Node.js's vm module is not a security sandbox
Node's own docs warn the vm module isn't a security mechanism — vm2, built on top of it, still shipped two CVSS 9.8 sandbox escapes in 2023.
Java deserialization gadget chains explained
One 2015 talk and a tool called ysoserial turned ordinary Java libraries into remote code execution chains — here's how gadget chains work and how to stop them.
CVE-2022-33980: Interpolation-Based RCE in Apache Commons Configuration
A CVSS 9.8 flaw in Apache Commons Configuration 2.4–2.7 let default interpolators run script-engine expressions from untrusted config strings.
Insecure Deserialization in .NET: BinaryFormatter and Beyond
Why insecure deserialization is a remote-code-execution risk in .NET, what changed with BinaryFormatter's removal in .NET 9, and the dangerous JSON.NET settings still in the wild.
Ghostscript (CVE-2023-36664) Explained: Command Injection via Pipe Devices
CVE-2023-36664 let a crafted PostScript or EPS file run system commands through Ghostscript's mishandling of pipe device filenames. Because Ghostscript hides behind image tools, the blast radius was wide.
PHP-CGI Argument Injection RCE on Windows (CVE-2024-4577) Explained
CVE-2024-4577 revived a decade-old PHP-CGI flaw through a Windows Unicode 'best-fit' quirk, yielding unauthenticated RCE. Here's the mechanism and the patched versions.
CVE-2022-1471: Inside the SnakeYaml Deserialization RCE
CVE-2022-1471 scored 9.8 CRITICAL under NIST's CVSS calculation — a single YAML tag could hand attackers remote code execution in any Java app parsing untrusted input.
How task-scheduler RCEs become cryptomining botnets
Two chained Apache Airflow CVEs and a Rundeck YAML deserialization bug show how scheduler tools turn one flaw into unauthenticated RCE and persistent mining.
regreSSHion (CVE-2024-6387) Explained: A Signal-Handler Race That Reopened an Old OpenSSH RCE
CVE-2024-6387, regreSSHion, is an unauthenticated remote code execution flaw in OpenSSH's sshd caused by a signal-handler race — a regression of a bug fixed back in 2006.
Text4Shell (CVE-2022-42889) Explained: RCE in Apache Commons Text Interpolation
CVE-2022-42889, Text4Shell, let attackers run code through Apache Commons Text's string interpolation when apps passed untrusted input to StringSubstitutor. Here is the flaw and why it was narrower than feared.
Apache Struts and the recurring pattern of path-traversal and RCE bugs
Equifax lost data on 147 million people to one unpatched Struts CVE in 2017 — and the same class of bug resurfaced in Struts as recently as December 2023.