CVE-2026-27476
Command Injection in RustFly 2.0.0 Remote UI via UDP
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rustfly | rustfly | to 2.0.0 (exc) |
| rustfly | rustfly | 2.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
RustFly 2.0.0 has a command injection vulnerability in its remote UI control mechanism. This mechanism accepts hex-encoded instructions over UDP port 5005 but does not properly sanitize these inputs.
Because of this lack of sanitization, attackers can send specially crafted hex-encoded payloads containing system commands. These commands can be executed on the target system, allowing attackers to perform arbitrary operations such as establishing a reverse shell or running other commands.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows remote attackers to execute arbitrary system commands without any authentication or user interaction.
- Attackers can gain unauthorized control over the affected system.
- They can establish reverse shells, enabling persistent remote access.
- It can lead to data breaches, system compromise, or disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know