Remote Code Execution

Remote Code Execution (RCE) vulnerabilities allow an attacker to execute arbitrary code on a remote system without authorization. These are among the most severe vulnerabilities as they can lead to complete system compromise.

Total CVEs: 289
Typical Severity: CRITICAL
Category: Execution

Understanding Remote Code Execution

Remote Code Execution vulnerabilities represent the most critical class of security flaws. When exploited, they allow attackers to run arbitrary commands on a target system, often with the same privileges as the vulnerable application.

RCE vulnerabilities commonly arise from unsafe deserialization, command injection, or memory corruption bugs. They're frequently found in web applications, network services, and system utilities.

How to Identify

  • Look for input validation bypasses in file upload functionality
  • Check for unsafe deserialization of user-controlled data
  • Test command execution functions with special characters
  • Review template engines for server-side template injection

Prevention Best Practices

  • Use parameterized queries and prepared statements
  • Implement strict input validation and sanitization
  • Run applications with minimal privileges
  • Keep all software dependencies up to date
  • Use security headers and Content Security Policy

Remote Code Execution CVEs (289)

CVE-2019-1151 (score 8.8)
Description: This vulnerability allows an attacker to take control of a system by exploiting flaws in how Windows handles certain fonts, which could let them install programs or access sensitive data. To succeed, the attacker needs to trick users into visiting a malicious website or opening a specially crafted document.
Vendor / Product: microsoft / office
Exploit Status: Exploit Available
over 6 years ago (Aug 14, 2019)

CVE-2019-1150 (score 8.8)
Description: This vulnerability allows an attacker to take control of a Windows 10 system by exploiting flaws in how the operating system handles certain fonts, enabling them to install programs, access data, or create new user accounts. To succeed, the attacker needs to trick users into visiting a malicious website or opening a specially crafted document file.
Vendor / Product: microsoft / windows 10
Exploit Status: Exploit Available
over 6 years ago (Aug 14, 2019)

CVE-2019-1149 (score 8.8)
Description: This vulnerability allows an attacker to take control of a system by exploiting a flaw in how Windows handles certain fonts, which could lead to installing malicious software or accessing sensitive data. To succeed, the attacker needs to trick users into visiting a malicious website or opening a specially crafted document.
Vendor / Product: microsoft / office
Exploit Status: Exploit Available
over 6 years ago (Aug 14, 2019)

CVE-2019-1145 (score 8.8)
Description: An attacker can take control of a Windows 10 system by exploiting a flaw in how the operating system handles certain fonts, allowing them to install programs, access or delete data, and create new user accounts. To succeed, the attacker needs to trick users into visiting a malicious website or opening a specially crafted document.
Vendor / Product: microsoft / windows 10
Exploit Status: Exploit Available
over 6 years ago (Aug 14, 2019)

CVE-2019-1144 (score 8.8)
Description: This vulnerability allows an attacker to take control of a Windows 10 system by exploiting flaws in how the operating system handles certain fonts, enabling them to install programs, access or delete data, and create new user accounts. To exploit this, the attacker must trick users into visiting a malicious website or opening a specially crafted document file.
Vendor / Product: microsoft / windows 10
Exploit Status: Exploit Available
over 6 years ago (Aug 14, 2019)

CVE-2019-1057 (score 7.5)
Description: This vulnerability allows an attacker to run malicious code on a user's system, potentially taking full control of it. To exploit this, the attacker needs to trick the user into clicking a link to a specially crafted website that uses Internet Explorer to process harmful XML content.
Vendor / Product: microsoft / windows 10
Exploit Status: Exploit Available
over 6 years ago (Aug 14, 2019)

CVE-2019-1030 (score 4.3)
Description: This vulnerability allows an attacker to access sensitive information from a user's system by exploiting flaws in how Microsoft Edge handles data in memory. To succeed, the attacker must trick the user into visiting a malicious website or clicking on a harmful link, as there’s no way for the attacker to force the user to do so.
Vendor / Product: microsoft / edge
Exploit Status: Exploit Available
over 6 years ago (Aug 14, 2019)

CVE-2018-12651 (score 6.1)
Description: This vulnerability allows an attacker to inject malicious JavaScript code into the HR management software, which can then be executed in the browsers of users who view the affected page. It requires the attacker to trick a user into clicking a specially crafted link that includes the harmful code in the search parameters.
Vendor / Product: myadrenalin / human resource management software
Exploit Status: Exploit Available
over 7 years ago (Dec 20, 2018)

CVE-2018-12650 (score 6.1)
Description: This vulnerability allows an attacker to inject malicious scripts into the Adrenalin HRMS software, which can then be executed in the browsers of users who visit the affected page. To exploit this, the attacker needs to trick users into clicking a specially crafted link that includes the harmful script.
Vendor / Product: myadrenalin / human resource management software
Exploit Status: Theoretical
over 7 years ago (Oct 24, 2018)

Showing 281 to 289 of 289 results