The Cloud Security Self-Assessment

Uncover and remediate the critical severity issues in your cloud environments without drowning your team in alerts.

RCE meaning: Remote code execution attacks explained

Remote code execution refers to a security vulnerability through which malicious actors can remotely run code on your systems or servers.

Wiz Experts Team
7 minute read
Main takeaways from Remote Code Execution:
  • RCE attacks occur when attackers exploit vulnerabilities to run malicious code remotely on a target system, allowing them to steal data, install malware, or escalate privileges.

  • Common attack vectors include web application vulnerabilities, unpatched software, and supply chain exploits.

  • Methods used for RCE attacks involve delivering malicious payloads via user input, network protocols, or manipulated data.

  • Attackers may exploit RCE to escalate privileges, deploy malware, launch DoS attacks, or take control of servers.

  • Mitigations include secure coding practices, regular updates, input validation, least-privilege access, and continuous security testing.

What is a remote code execution (RCE) attack? 

A Remote Code Execution (RCE) attack occurs when malicious actors exploit security vulnerabilities to gain unauthorized access and remotely execute code on your systems or servers. This enables attackers to take full control, steal data, install malware, or use the system to launch further attacks.

RCE vulnerabilities are particularly dangerous because they allow attackers to compromise systems without requiring authentication or user interaction, making them a critical security risk for organizations. These attacks can lead to severe consequences, including data breaches and system exploitation.

Malicious code in RCE explained

RCE attacks inject malicious code into target systems to gain unauthorized access, steal data, or disrupt services. Malicious code includes various types of software designed for harmful actions:

  • Viruses: Attach to files and spread to others

  • Worms: Self-replicating, spread without host files

  • Trojans: Disguise themselves as legitimate files

  • Spyware: Collects data from target systems

  • Adware: Displays unwanted ads and collects sensitive data

  • Keyloggers: Capture keystrokes to steal sensitive information

  • Rootkits: Provide attackers with administrative control

  • Ransomware: Encrypts files for extortion

  • Wipers: Erase data

Malicious code can be delivered through email attachments, compromised websites, fake software sharing sites, and fraudulent apps. RCE attacks typically unfold in stages:

  1. Initial Access: Attackers use social engineering or malware to breach the system.

  2. Establish Persistence: They maintain access by creating accounts or deploying backdoors.

  3. Privilege Escalation: Attackers gain more control, bypass security measures, and search for sensitive data.

  4. Exploitation: Attackers carry out their objectives, such as stealing data, launching ransomware, or spreading the attack further.

Building defenses against malicious code requires proactive security measures at every stage to prevent, detect, and respond to RCE threats.

How does an RCE attack work?

In an RCE attack, malicious payloads are often delivered through user input fields, network protocols, or manipulated data formats. For example, an attacker might inject malicious code into a web application's input form, which, if not properly validated, could execute on the server side.

Once injected, the malicious code runs with the same privileges as the compromised application or user. If the vulnerable application has elevated privileges, such as admin rights, the attacker gains those same privileges, leading to further exploitation.

The success of an RCE attack depends on the vulnerability's strength, the attacker's skill, and the payload's effectiveness. 

The goals of RCE attacks

The main objective of remote code execution attacks is to undermine the targeted system's confidentiality, integrity, and availability. Hackers may execute code to steal sensitive data, including PII, intellectual property, or financial data, resulting in data breaches and reputational damage.

So what exactly are hackers leveraging RCE seeking to do?

GoalDescription
Escalate privilegesOnce an attacker successfully executes their code, they can pursue various malicious objectives, e.g., attempt to escalate their privileges and gain administrative rights to take full control of the compromised system. With elevated privileges, attackers can access sensitive files, modify system configurations, or disable security controls.
Deploy malwareHackers can further exploit RCE vulnerabilities to deploy malware, including spyware, ransomware, and Trojans. Malware can encrypt critical data, spy on user activities, or create backdoors for persistent access. Attackers may use the compromised system as a launching pad to spread malware laterally across the network, infecting other vulnerable systems.
Perform DoS attacksIn some cases, malicious actors may launch denial-of-service (DoS) attacks. By consuming system resources or crashing applications, they can disrupt the availability of critical services, causing operational downtime and financial losses.
Server takeoverSome RCE attacks seek to take over target servers by creating a persistent backdoor that allows unauthorized access to the system. For example, an attacker may exploit applications that dynamically reference external scripts by tricking them into downloading a trojan containing a backdoor. Once installed, the backdoor allows the attacker to access the system at will and escalate their attack.

RCE attacks can result in a company facing severe reputational damage and be a major blow to customer trust. Data breaches due to RCE vulnerabilities can lead to the exposure of sensitive customer information, meaning possible legal and regulatory repercussions, financial penalties, and damage to your brand image.

Common attack vectors for RCE

The most common attack vectors for RCE attacks include web application vulnerabilities, unpatched and misconfigured software, and supply chain and dependency exploits.

Web application vulnerabilities

Web-based applications may contain flaws that enable several types of RCE attack methods:

  • SQL injection: Manipulating input fields to expose sensitive data or modify databases.

  • Cross-site scripting (XSS): Injecting malicious scripts to steal cookies or execute code in users’ browsers.

  • Insecure APIs: Exposing systems to RCE by lacking proper authentication or request validation.

  • File deserialization vulnerabilities: Exploiting improper deserialization of input to execute malicious code in the application.

Unpatched software and misconfigurations

Outdated software and misconfigured servers increase RCE risks. For example, vulnerabilities like the one in Apache Log4j allow arbitrary code execution via the logging function. Servers with open ports or weak authentication can also be vulnerable.

Supply chain attacks and dependency exploits

Attackers may inject malicious code into third-party libraries, frameworks, or packages. Malicious open-source libraries disguised as legitimate software can trick users into installing malware, especially if the software is outdated or unverified.

  • CI/CD pipeline abuse: Exploiting trusted relationships in automated software development pipelines can introduce RCE vulnerabilities, especially when attackers target build processes or updates.

Containers and microservices

Misconfigurations in containerized environments like Kubernetes can open the door for RCE attacks. Containers that fail to properly isolate processes or have shared vulnerable dependencies are especially at risk.

Insecure webhooks

Improperly authenticated or unsanitized webhooks can also be exploited for RCE, providing attackers with a way to inject malicious code into systems through remote triggers.

Best practices for mitigating and detecting RCE attacks

To effectively mitigate and detect RCE attacks, organizations will need to adopt the following best practices.

Use secure coding practices

  • Implement input validation and sanitization to block malicious code injections.

  • Avoid dangerous functions like eval() and exec() that allow arbitrary code execution.

  • Enable buffer overflow protection with languages that offer built-in safeguards (e.g. stack canaries).

  • Use static and dynamic code analysis tools to detect arbitrary code execution vulnerabilities.

Strengthen web application security measures

  • Deploy web application firewalls (WAFs) to monitor and filter traffic through web applications and detect and block RCE attempts.

  • Apply a Content Security Policy (CSP) to restrict site code functionality and prevent script-based attacks.

Regularly update the OS and dependencies 

  • Keep operating systems, applications, and libraries up to date with security patches.

  • Prioritize patching based on risk level and potential impact.

Implement strict input validation and sanitization 

  • Check and sanitize all input from users to avoid cross-site scripting (XSS), SQL injection, and other attacks.

  • Adopt secure programming techniques, e.g., validating inputs, encoding outputs, and utilizing parameterized queries, to lower the chances of vulnerabilities due to malicious code injection.

  • Use well-established libraries and frameworks that provide built-in input validation and sanitization mechanisms.

Network segmentation and isolation

  • Segment networks to isolate critical systems and limit lateral movement within the environment.

  • Limit user and application permissions to only what's necessary.

  • Regularly review and update access controls to reduce exposure of critical systems and data.

Security monitoring and logging

  • Ensure comprehensive logging of critical activities across systems, and set up alerts for suspicious actions

  • Use intrusion detection and prevention systems (IDPS) to monitor network traffic for potential RCE attempts.

  • Monitor endpoints for signs of malicious activity, like unauthorized process execution or unusual network connections.

Practice continuous vulnerability assessments and penetration testing 

  • Perform vulnerability assessments on a regular basis to uncover weaknesses in your systems and apps.

  • Prioritize identified vulnerabilities for remediation depending on how serious a threat they pose to your organization.

Adopting these best practices and taking a proactive approach to security can significantly diminish an organization's risk of falling prey to remote code execution (RCE) attacks and minimize the potential impact of successful intrusions. 

Security is an ongoing endeavor, and organizations must continuously monitor, assess, and adapt their security measures to keep pace with the ever-evolving threat landscape.

Real-world impacts of RCE vulnerabilities and attacks

RCE vulnerabilities can appear in a wide range of software and systems. The potential uses of an RCE attack and the impacts it can have highlight the importance of proactively identifying and mitigating RCE vulnerabilities. 

The examples below underline that RCE is still a popular and potent attack strategy.

XZ Utils

XZ Utils Backdoor Threat Notification

A backdoor (CVE-2024-3094), deliberately planted by a malicious actor, was discovered in versions 5.6.0 and 5.6.1 of XZ Utils, a widely used data compression library. The backdoor can lead to remote code execution via SSH authentication in certain Linux distributions that use the compromised library. 

Overview of the backdoor functionality

Ivanti VPN instances

Ivanti 0-day Threat Notification

Several high-severity vulnerabilities were discovered in Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways in early 2024. Some of these, like CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, were exploited in the wild by threat actors before patches were released, giving attackers access to critical VPN infrastructure.

MOVEit transfer

MOVEit Transfer RCE 0-day Threat Notification

The RCE vulnerability (CVE-2023-34362) in MOVEit Transfer has been actively exploited in the wild since at least May 2023. The vulnerability allows unauthenticated attackers to access and potentially modify or delete sensitive data stored in the MOVEit Transfer database. 

MOVEit Transfer is a highly popular managed file transfer (MFT) service, and multiple organizations have disclosed breaches due to this vulnerability, with the Cl0p ransomware group claiming responsibility for the attacks. Given the sensitive nature of data typically handled by MFT services, the potential impact of this vulnerability is severe.

Linux kernel `ksmbd` module

Critical RCE vulnerability found in Linux Kernal ksmbd

The Linux kernel's ksmbd module, introduced in version 5.15, contains a critical remote code execution vulnerability (CVE-2022-47939). This vulnerability allows malicious actors to run arbitrary code on a system without having to authenticate themselves.

Exim

Exim 0-day Threat Notification

Multiple vulnerabilities, including a critical one (CVE-2023-42115), were recently disclosed in Exim, one of the world's most popular mail transfer agents (MTAs). 

CVE-2023-42115 allows unauthenticated remote code execution on Exim servers with "External" authentication enabled, potentially leading to attackers gaining initial access to organizations through exposed SMTP ports.

FortiOS

CVE-2023-25610, a critical remote code execution vulnerability in Fortinet's FortiOS and FortiProxy, was recently disclosed. The vulnerability is due to a buffer underwrite bug in the administrative interface, potentially allowing unauthenticated attackers to execute arbitrary code or cause denial-of-service using specially crafted requests.

Mitigate RCE threats and enhance your cloud security with Wiz

One of the key strengths of Wiz is its ability to detect RCE vulnerabilities based on the specific software versions running in the environment. By considering not only the software itself but also its configurations and other relevant factors, Wiz provides a thorough assessment of the attack surface. This level of granularity is crucial in identifying and prioritizing remediation efforts.

In the event of an active RCE attack, Wiz's capabilities extend beyond vulnerability detection to:

  • Identifying the presence of malware and monitoring communication with known malicious IPs or domains

  • Leveraging powerful queries to quickly identify infected resources or those engaging in suspicious communication with threat actors

  • Enabling real-time detection so teams can respond swiftly and contain the impact of an ongoing attack

To learn more about how Wiz can help secure your software against RCE attacks, request a demo today and take the first step toward improving your security posture.

Detect real-time malicious behavior in the cloud

Learn why CISOs at the fastest growing companies choose Wiz to secure their cloud environments.

Get a demo 

FAQs