CVE-2026-27476

RustFly · RustFly

RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism, allowing execution of system commands via UDP port 5005.

Executive summary

RustFly 2.0.0 is susceptible to critical command injection via its remote UI control mechanism, enabling unauthorized remote code execution.

Vulnerability

The application fails to properly sanitize hex-encoded instructions received via UDP port 5005. This allows unauthenticated attackers to inject system commands, leading to full remote control, including the establishment of reverse shells.

Business impact

The ability to execute arbitrary system commands poses an extreme risk to the integrity and confidentiality of the host machine. With a CVSS score of 9.8, this vulnerability could lead to total system takeover, data exfiltration, and the establishment of persistent backdoors in the environment.

Remediation

Immediate Action: Update RustFly to the latest version that implements proper input sanitization for the remote UI control mechanism.

Proactive Monitoring: Monitor UDP port 5005 for suspicious traffic and inspect system logs for unauthorized command executions or reverse shell activity.

Compensating Controls: Restrict access to UDP port 5005 via network firewalls to only known, trusted IP addresses until a patch can be applied.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This is a critical vulnerability that allows direct command injection. It is imperative that administrators restrict network access to the affected port immediately and apply the vendor-provided security update as soon as it becomes available.