See our Fast Start promotion and start your first pentest on The Cobalt Offensive Security Testing Platform for only $4,950.
See our Fast Start promotion and start your first pentest on The Cobalt Offensive Security Testing Platform for only $4,950.

Preventing remote code execution vulnerabilities

Remote code execution (RCE) attacks are a serious threat to modern web applications. 

Attackers can exploit zero-day software vulnerabilities to gain deep access to a machine, network, or web application. And whether it’s a flaw in a common OpenSSL cryptography encryption library (Log4j vulnerability) or a widespread ransomware attack exploiting vulnerabilities in an operating system (WannaCry Ransomware Attack of 2017). 

Neglecting RCE vulnerabilities can lead to a breach that erodes consumer trust, incur hefty fines, and slow down the network.

What is a Remote Code Execution Attack?

Remote Code Execution (RCE), also known as Arbitrary Code Execution, allows an attacker to execute malicious code on an organization's computers or network. The executed malicious code can be used for various purposes, including deploying additional malware or stealing private data. RCE doesn’t always lead to finding vulnerabilities, but often a vulnerability would lead to RCE. 

Remote code execution is often a high or critical severity that can be divided into two separate categories, including server-side and client-side RCE attacks. By executing malicious code into a system, attackers aim to steal private information, encrypt or destroy files, alter permissions, or disperse malware. RCE often does not require user interaction and victims may not even notice that their systems were compromised.

The Most Common Remote Code Execution Vulnerability

Code injection is the most common vulnerability when it comes to remote code execution, such as with a SQL injection or OS command injection

When proper protocol is not put into place, remote file inclusion — even on a more localized network — is a threat that most businesses face and potentially leaves them open to future dynamic code execution.  

If unvalidated user input data is fed directly into the system, malicious actors will not hesitate to inject code into the system. Once that system interprets them as “safe,” they’ll be able to“pull the trigger” at any time in the future and gain full access and control of extremely critical system data. That’s why it’s critical to stop these attacks before they happen and to proactively prevent code injection vulnerabilities with cybersecurity services like application security management and active penetration testing

Failing to properly sanitize user input can, ultimately, lead to arbitrary code execution. Three of the most common types of code injection vulnerabilities include:

  • SQL injection, which exploits vulnerabilities in database queries.
  • Command injection, operating systems, web applications, and individual system programs.
  • Cross-site scripting (XSS), which injects malicious, often undetectable, scripts through common programming languages into web pages.

How to prevent Code Injection Vulnerability and RCE Attacks

Preventing RCE attacks necessitates comprehensive security measures like input validation, secure coding practices, regular updates, and robust monitoring systems. Here are a few best practices to help prevent and remedy RCE attacks:

Input validation and sanitization

To prevent code injection, data should be validated and sanitized before it ever even enters into the systems. Whitelists and regular expressions provide a layer of trust between the user and the actual system, in turn telling the system that it can trust the data being entered into it. 

Likewise, secure libraries and frameworks offer built-in protection and an additional front line against attack. Unsanitized inputs can open up systems to countless hacks and devastation. Keep in mind, vulnerability is caused when a hacker is able to issue script or code commands through an unsanitized text field. 

Comparitech explains, "If your website/application's authentication and session management functions are incorrectly implemented, attackers could compromise passwords, keys, or session tokens."

Monitor and audit the system

It’s wise to regularly monitor and audit web application logs to determine if there’s been any malicious activity taking place on web and application servers. Seek out suspicious or unusual activity, whether it happens to be a request, a response, or an error the system has never seen before.  

Secure deserialization of files

Regularly scan and monitor both existing and newly modified files for potential malware attachments. Implement a secure deserialization strategy that requires the use of digital signatures, encryption, or checksums to prevent tampering. Put restrictions into place that limit access to certain areas of the system while completely disabling the uploading and execution of files by unauthorized parties.

Use web application firewalls (WAFs) and intrusion detection systems (IDSs)

Another best practice is to install a web application firewall (WAF). Similar to personal computer firewalls, WAFs protect web applications from automated attacks and alert or block RCE attacks or payloads. Regularly update WAFs and intrusion detection systems (IDSs) with the latest signatures and rules.

Furthermore, other best practices should be applied to these systems such as requiring the usage of strong passwords and multifactor authentication.

Update all proprietary and third-party data

Always update your software, including operating systems, applications, and web frameworks, to address known vulnerabilities. 

Regular updates provide security patches, protecting against emerging threats. Updating third-party software is particularly important in preventing RCE attacks. While the timing of third-party updates may be unpredictable, incorporating time for regular update checks into the development schedule is essential.

Use buffer overflow protection

Buffer overflow vulnerabilities occur when malformed or corrupted data exceeds a buffer’s boundary, overwriting other memory locations and allowing hackers to execute arbitrary code. 

Buffer overflow protection involves multiple measures to detect and prevent buffer overflows from becoming serious security vulnerabilities. A common technique is adding a canary value to stack-allocated data, which is checked to detect overflows. If the canary value is altered, it indicates a buffer overflow, prompting the termination of the affected program to prevent exploitation. 

Additional protective strategies include address space randomization, which makes it difficult for attackers to exploit vulnerabilities, and data execution prevention, which designates areas of memory as non-executable to limit damage.

Properly configure your user authentication mechanisms

User authentication is the first line of defense against intruders. Incorrect implementation of authentication and session management can result in compromised credentials and code execution by attackers. Therefore, it is crucial to configure authentication mechanisms properly. 

Correct configuration of authentication mechanisms include aspects such as strong authentication and access protocols that can limit hackers to accounts with the least possible access, preventing them from lateral attacks even if they breach existing security protocols.

Being prepared for RCE attacks can minimize damage, shorten the attack duration, and expedite recovery.

Identifying RCE vulnerabilities with security testing

Regular vulnerability scans and penetration tests should be conducted to identify and remediate any RCE vulnerabilities or misconfigurations. By simulating the actions of attackers in real-time, penetration testing will help businesses discover vulnerabilities before an attack. 

In a quickly evolving world where opportunists are lurking in the background, the need for continuous penetration testing is highly understated. A Pentest as a Service (PtaaS) platform helps combine automation and human assessments to test for vulnerabilities that legacy scanning tools might miss.

Other security best practices shouldn’t be overlooked either. Regularly review and maintain your company’s ongoing security practices, and update the system on a per-schedule basis. Implementing DevSecOps and better coding practices are highly advised when improving our in-house development culture.

Examples of vulnerabilities leading to RCE Attacks

Here are some real-world examples of vulnerabilities that have been exploited through RCE attacks: 

CVE-2017-5638 (Struts2 Vulnerability, 2017): This weakness in a popular web development framework that gave attackers the ability to remotely execute malicious code on vulnerable websites and web applications. Remote command injection attacks were executed by incorrectly parsing an attacker's invalid Content-Type HTTP header.

CVE-2021-44228 (45105 and 45046 Log4Shell Vulnerabilities): The Log4Shell vulnerability hit a widely-used Java library, allowing attackers to take control of millions of devices by injecting malicious code into log messages. The attackers created a fake LDAP server and were able to remotely execute their code without the need for authentication. 

CVE-2021-1844 (Apple OS): A breach in Apple's operating systems allowed hackers to run malicious programs on vulnerable Apple devices around the world, tricking their users to open a special link and to compromise their entire system. An externally-controlled URL allowed attackers to run malicious payloads and take control of all major Apple OS operating systems. 

CVE-2020-17051 (MS Windows): This vulnerability in Microsoft Windows allowed attackers to take control of a computer via an unsecured endpoint in the communication protocol (NFS version 3) by forwarding a simple payload and running it through a compromised server connection.

CVE-2019-8942 (WordPress): CVE-2019-8942 was found in WordPress 5.0.0 in 2019 and was a WordPress vulnerability that allowed hackers to inject malicious PHP code into a user's blog or website. By uploading a single image file and manipulating its Exif meta-data, malware could be executed at a later date.

CVE-2018-8248 (Microsoft Excel): A vulnerability in Microsoft Excel allowed attackers to infect computers with malware just by opening a spreadsheet. Not only did these devices become fully accessible to the attackers, but they were able to be controlled to the point of terminating the administrative rights of the actual user.

WannaCry Ransomware Attack (2017): This widespread ransomware attack exploited a vulnerability in Microsoft Windows to infect computers and lock user files, demanding a ransom payment to unlock and decrypt the files. By exploiting a vulnerability in Samba servers (SMB protocol), attackers were able to send specially crafted messages. Using a National Security Administration (NSA) tool, EternalBlue, they were able to scan for vulnerable SMB ports and, once identified, used another NSA tool, DoublePulsar, to install the WannaCry ransomware that would ultimately affect over 148,000 computers and critical servers in just under a month. Everyone from megacorporations to local hospital systems was victimized by these global attacks.

Western Digital My Cloud NAS vulnerabilities: These vulnerabilities allowed attackers to remotely take control of Western Digital My Cloud devices and potentially steal data or install malware to gain remote code execution with root privileges on unpatched My Cloud OS 5 devices. Once compromised, the data stored on the system is up for grabs, and the attacker can download malware onto the device in the form of ransomware, crypto miners, or botnets.

Windows 10 HtmlHelper vulnerability: This vulnerability in a program that opens help files for Windows 10 allowed attackers to trick users into opening malicious files and compromising their computers. Windows Help files using the .chm extension are at risk of being compromised when using HtmlHelper and are vulnerable to an RCE attack. The program can help hackers bypass Windows 10's security policies and be tricked into opening compromised .chm files — many of which can be manipulated outright.

Zoom RCE vulnerabilities: These vulnerabilities in the popular video conferencing platform Zoom allowed attackers to potentially take control of a participant's computer during a video call. They’d first attempt to access the victim’s calculator, for example, and if accessible, they would follow through with a more devious attack.


Preventing RCE attacks requires a multi-faceted approach, including rigorous input validation, secure coding practices, consistent updates, and robust monitoring systems. Given the significant damage these attacks can inflict, it is crucial for management teams to stay vigilant with updates and proactive security measures.

State of Pentesting Blog CTA 2024

Back to Blog
About Ernest Li
10+ years experience in threat intelligence, threat detection, threat research, and security operations with a Masters degree from the University of Oxford. More By Ernest Li