SOCRadar® Cyber Intelligence Inc. | The Most Dangerous of Their Kind Remote Code Execution (RCE) Attacks


Jul 19, 2021
6 Mins Read

The Most Dangerous of Their Kind Remote Code Execution (RCE) Attacks

Remote Code Execution (RCE) is a class of software vulnerabilities. An RCE vulnerability allows a malicious actor to execute code of their choice over a LAN (WAN) or Internet on a remote machine. RCE belongs to the broader class of arbitrary code execution (ACE) vulnerabilities.

An online attack where an attacker executes code on your system is considered a remote code execution attack. Remote code execution can take many forms, but at the most basic level RCE refers to a process or agent that exploits a network vulnerability to execute arbitrary code on a target machine or system. Not all cases of remote code executions are due to nefarious activities, but the decision to access a network via a backdoor approach can signal questionable motives.

A critical vulnerability in remote code execution (CVE-2020-5902 for instance) may permit an attacker or remote user with access to the Traffic Management User Interface (TMUI) to execute system commands remotely. Remote code execution can be fatal for an application or user if it allows the execution of malicious code on the application or server.

Any attack that executes code on a system remotely is considered a remote execution attack, regardless of how the attacker gets there.

  • If your site or application allows user input without proper cleaning, then open the door to all kinds of unintentional behavior on behalf of your server, such as the execution of arbitrary code.
  • If your large IP and TMUI are exposed to the Internet and do not run an updated version of TMUI, it may be compromised even if you follow your internal incident response procedures.
  • If one of your websites or applications has authentication or session management features implemented, an attacker can compromise passwords, keys or session markers.
  • If user input is not verified, valid code can be executed on the target machine. Malicious actors realize that dynamic code generation can use a given input to provide valid code as input to attack your application.

In the case of direct dynamic code execution, a malicious actor must be aware of their input before generating code. Indirect cases amount to dynamic code generation that includes user input.

RCE also refers to mechanisms or network errors that can be misused by agents to execute arbitrary code on a particular device or machine. RCE vulnerabilities are among the most dangerous of their kind, as attackers can execute malicious code on vulnerable servers. Such code can be executed on remote servers, which means that attacks can come from anywhere in the world and give attackers access to any PC.

RCE attacks increased from 7% in 2019 to 27% in the second quarter of 2020 with the pandemic.

Security Researchers demonstrated three fault chains that can cause an RCE on a target computer without any form of user interaction.

The vulnerability in the application allows attackers to exploit the application environment to arm malicious code in memory. An attacker can open a back door and trigger code to steal data, disrupt services, influence operations, or install crypto-mining software. The animation of the attack in action shows how an attacker would be able to open a computer program on a machine with ZOOM and execute its exploit.

We can only assume that our adversaries are well funded, qualified, motivated and effective. Attacking the supply chain of SolarWinds for Hafnium, hacking Microsoft Exchange servers, or ringing a bell is not something to read too much into.

RCE vulnerabilities can be exploited by injecting user input into a file or string that is executed without being evaluated by a programming language parser.

RCE can lead to complete compromises of web applications and web servers. It is important to note that every programming language has a code evaluation function. Code evaluation occurs when you allow user input into a function that evaluates the code in the respective programming language.

In computer security, the execution of arbitrary code (ACE) is when an attacker is able to execute arbitrary commands or code on a target machine or process. A program to exploit this vulnerability is called an “arbitrary code execution exploit.”. The ability to execute arbitrary code over a network or over a large network such as the Internet is called remote code execution, or RCE.

A number of vulnerabilities may allow attackers to execute arbitrary commands or code. This kind of confusion refers to vulnerabilities in the code that is passed to an object without checking its type. An attacker can exploit this vulnerability by writing a pointer type to an object’s memory block and reading its pointer type, allowing the attacker to execute arbitrary code.

The Most Critical RCEs in 2021

  • CVE Dictionary Entry: CVE-2021-31206

NVD Published Date: 07/14/2021

NVD Last Modified: 07/16/2021

Source: Microsoft Corporation

Base Score: 9.6 Critical

Description: Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-34473.

  • CVE Dictionary Entry: CVE-2021-34494

NVD Published Date: 07/14/2021

NVD Last Modified: 07/14/2021

Source: Microsoft Corporation

Base Score: N/A

Description: Windows DNS Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34525.

  • CVE Dictionary Entry: CVE-2021-34527

NVD Published Date: 07/02/2021

NVD Last Modified: 07/14/2021

Source: Microsoft Corporation

Base Score: 8.8 High

Description: Windows Print Spooler Remote Code Execution Vulnerability

  • CVE Dictionary Entry: CVE-2021-1675

NVD Published Date: 06/08/2021

NVD Last Modified: 07/07/2021

Source: Microsoft Corporation

Base Score: 8.8 High

Description: Windows Print Spooler Elevation of Privilege Vulnerability

  • CVE Dictionary Entry: CVE-2021-22893

NVD Published Date: 04/23/2021

NVD Last Modified: 04/28/2021

Source: HackerOne

Base Score: 10 Critical

Description: Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.

  • CVE Dictionary Entry: CVE-2021-22908

NVD Published Date: 05/27/2021

NVD Last Modified: 06/08/2021

Source: HackerOne

Base Score:8.8 High

Description: A buffer overflow vulnerability exists in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. As of version 9.1R3, this permission is not enabled by default.

  • CVE Dictionary Entry: CVE-2021-21972

NVD Published Date: 02/24/2021

NVD Last Modified: 06/24/2021

Source: VMware

Base Score: 9.8 Critical

Description: The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before

  • CVE Dictionary Entry: CVE-2021-23344

NVD Published Date: 03/04/2021

NVD Last Modified: 03/05/2021

Source: Snyk

Base Score: 9.8 Critical

Description: The package total.js before 3.4.8 are vulnerable to Remote Code Execution (RCE) via set.

For more information about RCEs in 2020 take a look at or blog post on Top 5 RCE attacks that took place in 2020

Discover SOCRadar® Free Edition

With SOCRadar® Free Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.
Try for free