Cyber Posture

CVE-2026-27182

High · Public PoC

Published: 18 February 2026

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.4th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27182 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Packetstorm (inferred from references). Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 31.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-41 (Port and I/O Device Access) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly prevents command injection by requiring validation and sanitization of specially crafted UDP JSON inputs before forwarding to OS execution functions.

prevent

Prevents unauthenticated local network attackers from reaching the vulnerable UDP port 27000 by restricting ports, protocols, and services.

prevent

Addresses the root cause by mandating identification, reporting, and correction of the specific command injection flaw via vendor patches.

MITRE ATT&CK Enterprise Techniques

T1210: Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables unauthenticated remote code execution through command injection in a network-accessible service (UDP port 27000), directly facilitating T1210: Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Saturn Remote Mouse Server contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending specially crafted UDP JSON frames to port 27000. Attackers on the local network can send malformed packets with unsanitized command data that the service forwards directly to OS execution functions, enabling remote code execution under the service account.

Deeper analysis

CVE-2026-27182 is a command injection vulnerability in Saturn Remote Mouse Server. The flaw allows unauthenticated attackers to execute arbitrary commands by sending specially crafted UDP JSON frames to port 27000. Attackers on the local network can send malformed packets containing unsanitized command data, which the service forwards directly to OS execution functions, resulting in remote code execution under the service account. The vulnerability carries a CVSS score of 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-306: Missing Authentication for Critical Function.

Attackers positioned on the local network can exploit this issue without privileges or user interaction by crafting and transmitting UDP packets to the affected port. Successful exploitation leads to arbitrary command execution with the privileges of the Saturn Remote Mouse Server service account, potentially enabling full system compromise, data theft, persistence, or lateral movement within the network.

Advisories provide further details on the issue, including those published by VulnCheck at https://www.vulncheck.com/advisories/saturn-remote-mouse-server-udp-command-injection-rce, PacketStorm at https://packetstorm.news/files/id/215835/, and the vendor site at https://www.saturnremote.com/. Security practitioners should consult these resources for recommended mitigations, such as blocking UDP port 27000 or applying any available patches.

Details

CWE(s)

Affected Products

Packetstorm
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-13779 (Shared CWE-306)
CVE-2026-22727 (Shared CWE-306)
CVE-2026-28485 (Shared CWE-306)
CVE-2025-21198 (Shared CWE-306)
CVE-2025-65824 (Shared CWE-306)
CVE-2026-4272 (Shared CWE-306)
CVE-2026-7415 (Shared CWE-306)
CVE-2026-4436 (Shared CWE-306)
CVE-2025-14300 (Shared CWE-306)
CVE-2025-27020 (Shared CWE-306)

References