CVE-2026-27476
RustFly · RustFly
RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism, allowing execution of system commands via UDP port 5005.
Executive summary
RustFly 2.0.0 is susceptible to critical command injection via its remote UI control mechanism, enabling unauthorized remote code execution.
Vulnerability
The application fails to properly sanitize hex-encoded instructions received via UDP port 5005. This allows unauthenticated attackers to inject system commands, leading to full remote control, including the establishment of reverse shells.
Business impact
The ability to execute arbitrary system commands poses an extreme risk to the integrity and confidentiality of the host machine. With a CVSS score of 9.8, this vulnerability could lead to total system takeover, data exfiltration, and the establishment of persistent backdoors in the environment.
Remediation
Immediate Action: Update RustFly to the latest version that implements proper input sanitization for the remote UI control mechanism.
Proactive Monitoring: Monitor UDP port 5005 for suspicious traffic and inspect system logs for unauthorized command executions or reverse shell activity.
Compensating Controls: Restrict access to UDP port 5005 via network firewalls to only known, trusted IP addresses until a patch can be applied.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This is a critical vulnerability that allows direct command injection. It is imperative that administrators restrict network access to the affected port immediately and apply the vendor-provided security update as soon as it becomes available.